authorization

How can I check Spring Security for user authentication and get roles from Flex?

心不动则不痛, submitted on 2019-12-20 10:14:32
Question: I'm using Spring, Spring Security, BlazeDS, Flex and spring-flex. I know that I can call channelSet.login() and channelSet.logout() to hook into Spring Security for authentication. channelSet.authenticated apparently only knows about the current Flex session, as it always starts off as false, until you call channelSet.login(). What I want to do: Check from Flex to know if a user is already in a session. If so, I want their username and roles. UPDATE I just thought I'd add details of the

How can I check Spring Security for user authentication and get roles from Flex?

偶尔善良, submitted on 2019-12-20 10:13:25
Question: I'm using Spring, Spring Security, BlazeDS, Flex and spring-flex. I know that I can call channelSet.login() and channelSet.logout() to hook into Spring Security for authentication. channelSet.authenticated apparently only knows about the current Flex session, as it always starts off as false, until you call channelSet.login(). What I want to do: Check from Flex to know if a user is already in a session. If so, I want their username and roles. UPDATE I just thought I'd add details of the

Defining a User with User.Identity.Name in controller constructor

北城以北, submitted on 2019-12-20 10:11:19
Question: For my actions that are going to interact with the User's account, I would like to create a "TheUser" object in addition to adding that object to "ViewData["TheUser"]" as soon as any action on my controller is called. If the User is logged in, it will grab the User's info from the database, if not, "TheUser" object will just be null. I tried accessing "User.Identity.Name" in the controller constructor, but it isn't created prior to any action being called. I was looking at custom

How to implement an OAuth 2.0 Authorization Server?

柔情痞子, submitted on 2019-12-20 09:45:48
Question: I understood how to write Running OAuth 2.0 code for the client side. Using existing Authorization Server, like Google, seems to be not too complicated. Question is: How to implement my own Authorization Server? Since many companies have their own User/Privilege system, LDAP based (e.g. Active Directory), etc. - they must have their own Authorization Server. Is there a framework, libraries, etc. for that? Or do I have to write the code from scratch? Answer 1: The best reference is the OAuth 2.0

Laravel Policies - How to Pass Multiple Arguments to function

瘦欲@, submitted on 2019-12-20 09:37:47
Question: I'm trying to authorize a user's character to delete/update post. I was using policies to do so, but I could only pass one parameter to the policy function. If I pass more than the user and another variable, the variable isn't passed into the function. Models: User has many characters, a character can post multiple posts. So for authorization purposes, I would have to compare the post's character_id with the current character's id...- Per the docs, you can pass more multiples to the Gate

ASP.Net MVC 4 Generic Principal Difficulties

南楼画角, submitted on 2019-12-20 09:37:42
Question: I am developing an ASP.Net MVC 4 web application. Previously my MVC applications have been developed using MVC 3 and with this new MVC 4 application I have just copied/reused my authentication and authorisation code from previous applications. When a user logs into my site I do the following Account Controller public ActionResult Login(LoginModel model, string returnUrl) { if (ModelState.IsValid) { User user = _userService.GetUser(model.Email.Trim()); //Create Pipe Delimited string to store

Authenticating ASP.NET Web API

橙三吉。, submitted on 2019-12-20 08:59:45
Question: I've created a new ASP.NET Web API and things are working well. I'm at the point now where I want to secure the API. I put the [Authorize] attribute above my base controller and it's working properly if I want to make API calls within the ASP.NET application itself. However, I'm wondering, what's the best practice for an external client that wants to make API calls and get past the authorization? Also, keeping in mind I have custom authentication logic. How should the client send over

MVC Role Authorization

烈酒焚心, submitted on 2019-12-20 08:49:53
Question: I am trying to implement a role authorization mechanism which checks the roles of the current logged in user, if the user is in the right role, he/she is allowed, else display error view. The problem is that when the user tries to access the below method in the controller, he does get into the RoleAuthorizationAttribute class and gets verified but then the method in the controller is not executed. Note: the user has the Client role Controller method [RoleAuthorization(Roles = "Client,

GWT/Javascript client side password encryption

廉价感情., submitted on 2019-12-20 08:49:29
Question: I'm implementing authorization in my gwt app, and at the moment it's done in the following fashion: The user signs up by putting his credentials in a form, and I send them in clear text to the server. The server code hashes the received password using BCrypt and puts the hash in a database. When the user logs in, his password is sent in the clear to the server, that checks it against the stored hash. Now. The thing that's bothering me about this is the fact that I'm sending the password to

Some questions about OAuth and Android

那年仲夏, submitted on 2019-12-20 08:48:08
Question: I started reading on OAuth this morning; need suggestions (links et al.) that will help answer the following questions: 1. How to implement 3 legged Authentication using OAuth on Android devices? Is there a library that assists in the aforementioned? 2. What does it mean when someone says: "Site/Service ABC supports OAuth"? Thanks! Answer 1: To address your first question, you should be able to use any Java OAuth library on an Android, here's a link to a tutorial that uses the Java OAuth project