authorization

How to do Authorization based on Azure AD groups?

风格不统一 submitted on 2020-03-25 19:10:10
Question: Hi, I am trying to implement Azure Groups based authorization in my .NET Core app. I have more groups, like 100 to 200. I have added policies to add authorization. services.AddAuthorization(options => { options.AddPolicy("GroupsCheck", policy => { policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme); policy.RequireAuthenticatedUser(); policy.Requirements.Add(new GroupsCheckRequirement("11b250bf-76c0-4efe-99f2-2d781bae43bb")); //currently hard coded but want to include all

Authentication based dynamically on Authorization header-scheme in non-MVC Asp.Net Core 2.x

こ雲淡風輕ζ submitted on 2020-03-23 08:55:14
Question: I'm creating an API which does not use MVC, but rather generic middleware(s). It should be possible to be authenticated against both the Basic and (Jwt) Bearer schemes (I'm aware of the security flaws of Basic Auth). I can easily register both schemes in the services, but the app.UseAuthentication middleware will only attempt to authenticate against the default scheme (this is intentional and described in the documentation). Allowing multiple schemes for the same endpoint can be done in MVC by

How to authorize user in multiple authentication scheme?

风流意气都作罢 submitted on 2020-03-05 04:27:12
Question: I have implemented multiple authentication schemes in my .NET Core application. services.AddAuthentication( sharedOptions => { sharedOptions.DefaultScheme = Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme; sharedOptions.DefaultSignInScheme = Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie() .AddWsFederation("AuthenticationScheme1", options => { options.Wtrealm = tenantList.Find(m => m

Hide button on view based on Auth access in Aspnet MVC - Without hard coding Authorization in Controller

时光怂恿深爱的人放手 submitted on 2020-03-05 03:14:26
Question: Project Overview: Working in dashboard Views on the back-end of the project. I have a Permission driven Menu. The Menu gets populated when the User logs in and views the dashboard. Currently the User sees all the buttons, i.e. delete, edit, details, create. I would like to hide those buttons from the view. Currently they can select it and it will redirect to an UnAuthorized page if they do not have access. I have Menu / MenuPermissions tables in which bits are set if the user has access or not. I am looking for

Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints

落爺英雄遲暮 submitted on 2020-02-27 07:10:06
Question: I'm setting up a Resource Server with Spring Boot and to secure the endpoints I'm using OAuth2 provided by Spring Security. So I'm using the Spring Boot 2.1.8.RELEASE which for instance uses Spring Security 5.1.6.RELEASE. As Authorization Server I'm using Keycloak. All processes between authentication, issuing access tokens and validation of the tokens in the Resource Server are working correctly. Here is an example of an issued and decoded token (with some parts cut): { "jti": "5df54cac

Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints

ε祈祈猫儿з submitted on 2020-02-27 07:10:02
Question: I'm setting up a Resource Server with Spring Boot and to secure the endpoints I'm using OAuth2 provided by Spring Security. So I'm using the Spring Boot 2.1.8.RELEASE which for instance uses Spring Security 5.1.6.RELEASE. As Authorization Server I'm using Keycloak. All processes between authentication, issuing access tokens and validation of the tokens in the Resource Server are working correctly. Here is an example of an issued and decoded token (with some parts cut): { "jti": "5df54cac

XACML implementation

纵然是瞬间 submitted on 2020-02-26 08:28:30
Question: I am a novice to XACML policies. Can you tell me how to implement XACML policies? I have tried different APIs. But for my project I need to implement an XACML evaluation engine. So, can you help me by providing the implementation details? Which language will be best suited for implementing the evaluation engine? Thanks in advance. Answer 1: I guess implementing an XACML evaluation engine is not an easy task. You need to go through the XACML specification at https://www.oasis-open.org/committees/xacml/

OpenAPI 3 Custom type in Authorization header

风格不统一 submitted on 2020-02-25 21:32:04
Question: I am looking for the proper way to specify an Authorization header with a custom type like ApiKey in openAPI 3. The custom Authorization header should look like

    Authorization: ApiKey myAPIKeyHere

All my attempts to specify the securitySchemes entry with type apiKey seem to produce other results... The closest I got is something like:

    securitySchemes:
      ApiKeyAuth:
        type: apiKey
        in: header
        name: ApiKey

... but then, the key is not in the Authorization header. How can such a requirement be

How authorization endpoint knows user is logged in?

两盒软妹~` submitted on 2020-02-25 13:09:36
Question: I am implementing single sign-in with OAuth2 and OpenID Connect for a distributed web application. The Authorization Server is running on its own. I've implemented the access token endpoint and am currently trying to implement the authorization endpoint (for Authorization Code flow). This is my understanding of what should happen: GET http://authserver/authorize?client_id=1&state=BB&scope=read_user&redirect_uri=myapp/callback [ASCII flow diagram, cut off in this listing]

How authorization endpoint knows user is logged in?

允我心安 submitted on 2020-02-25 13:06:06
Question: I am implementing single sign-in with OAuth2 and OpenID Connect for a distributed web application. The Authorization Server is running on its own. I've implemented the access token endpoint and am currently trying to implement the authorization endpoint (for Authorization Code flow). This is my understanding of what should happen: GET http://authserver/authorize?client_id=1&state=BB&scope=read_user&redirect_uri=myapp/callback [ASCII flow diagram, cut off in this listing]