authorization

.NET WebAPI centralized Authorization

余生长醉, submitted on 2019-12-20 03:18:14
Question: In .NET WebAPI, I've created a way to have all of the authorization rules in a central location, rather than scattered throughout controllers. I'm curious why this centralization isn't done more often; are there repercussions/security concerns? My current approach is to create a Dictionary during App_Start that contains all of my Authorization data, then use a DelegatingHandler to apply the restrictions (code below). The dictionary key is a Tuple of the Controller and Action, and the value

Can user authorization be set on a per-controller basis in web.config? (cannot use AuthorizeAttribute)

限于喜欢, submitted on 2019-12-20 02:54:18
Question: I have a Web API 2 app using Windows auth. I have multiple controllers and this in my web.config for authorization: <system.web> <compilation debug="true" targetFramework="4.5" /> <httpRuntime targetFramework="4.5" /> <authentication mode="Windows" /> <authorization> <allow users="AllowedUsersAndGroups" /> <deny users="?" /> </authorization> <sessionState mode="Off" /> </system.web> This "blanket" authorization works great, but I have 2 specific controllers that I need to lock down

Is making an asp:Button control invisible enough to be sure users won't be able to click it?

℡╲_俬逩灬., submitted on 2019-12-20 01:12:00
Question: I'm making a simple website that lists files from a certain folder. If the user has admin rights, the user can delete files by clicking the "Delete" button. In my .aspx file, I have the following code: <asp:Button runat="server" Text="Delete" OnCommand="FileList_Delete" CommandArgument='<%#Eval("FilePath")%>' Visible='<%CurrentUserIsAdmin()%>' /> So the button will not be rendered if CurrentUserIsAdmin() returns false. The button is rendered like this: <input type="submit" name="ctl00$ctl00

YesodAuthEmail could not deduce m ~ HandlerFor site0 [duplicate]

我的梦境, submitted on 2019-12-19 09:49:34
Question: This question already has an answer here: What's wrong with this YesodAuth instance? (1 answer). Closed last year. I'm trying to add instance YesodAuthEmail App to the Yesod-Postgres scaffolding (yesod version 1.6) and getting stuck on a compile error. The relevant code is: instance YesodAuth App where type AuthId App = UserId .... authPlugins :: App -> [AuthPlugin App] authPlugins app = [authOpenId Claimed []] ++ extraAuthPlugins where extraAuthPlugins = [ authEmail ] instance

Access token immediately invalidated

泪湿孤枕, submitted on 2019-12-19 09:13:12
Question: For a few users (maybe not that few, considering the number of related mails I'm receiving) the access token associated with an OAuth authorization seems to be immediately invalidated. The user is guided through the usual authorization process, he accepts the permissions, he is redirected to the right page which includes the access token, but as soon as my application tries to use the access token to get the user ID, an error is received instead: {"error":{"message":"Error validating access

Excluding an action from authorization in ASP.NET MVC 2

走远了吗., submitted on 2019-12-19 08:29:33
Question: I am using forms authentication in my ASP.NET MVC application. I want to exclude the signup page from the authorization process. I know I can add a location tag in my main web.config file or create a new web.config inside the specific folder. But I just want to exclude one specific action in the User controller. How do I do it? Answer 1: Do not use Web.config <location> authorization in an MVC application. Doing so will lead to security vulnerabilities in your web site. Instead, use the [Authorize] attribute

HandleUnauthorizedRequest not overriding

佐手、, submitted on 2019-12-19 05:23:46
Question: In my asp.net mvc3 application, I have a custom Authorization Attribute as seen below. public class CustomAuthorize : AuthorizeAttribute { public IAccountRepository AccountRepository { get; set; } public CustomAuthorize() { this.AccountRepository = new UserModel(); } protected override bool AuthorizeCore(HttpContextBase httpContext) { base.AuthorizeCore(httpContext); return AccountRepository.isEnabled(HttpContext.Current.User.Identity.Name); } protected override void HandleUnauthorizedRequest

Should authorization be part of the model or controller?

一个人想着一个人, submitted on 2019-12-19 05:03:15
Question: I'm writing a web application with some ACL requirements: a user can make changes to some items, some items may be editable by several users, an administrator can edit anything, and a manager can edit everything within her organization, etc. I'm using the Play! framework, and by the looks of the Secure module, it seems that the place to put authorization concerns is in the Controllers. However, it seems to me that the authorization issues are part of the business logic, and therefore should be in

Multiple resources in a single authorization request

一个人想着一个人, submitted on 2019-12-19 04:45:49
Question: We currently use the following authorize URL: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com We want to also use the Graph API, so I added the following: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F%26https%3A%2F%2Fgraph.microsoft.com I've tried different delimiters between the two resources, but couldn't get it to work. Each resource works on its own. I hope that more than