authorization interview questions
Top authorization frequently asked interview questions
In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1?
Is OAuth 1 obsolete now? Should I be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2 is ready to use. Is it?
Source: (StackOverflow)
What's the difference in web application? In short, please.
P.S. I see the abbreviation "auth" a lot. Does it stand for auth-entication or for auth-orization? Or both?
Source: (StackOverflow)
When designing a REST API or service, are there any established best practices for dealing with security (Authentication, Authorization, Identity Management)?
When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I have found less information about securing REST endpoints.
While I understand REST intentionally does not have specifications analogous to WS-* I am hoping best practices or recommended patterns have emerged.
Any discussion or links to relevant documents would be very much appreciated.
If it matters, we would be using WCF with POX/JSON serialized messages for our REST APIs/Services built using v3.5 of the .NET Framework.
Source: (StackOverflow)
In ASP.NET MVC, you can mark up a controller method with AuthorizeAttribute, like this:
[Authorize(Roles = "CanDeleteTags")]
public void Delete(string tagName)
{
    // ...
}
This means that, if the currently logged-in user is not in the "CanDeleteTags" role, the controller method will never be called.
Unfortunately, for failures, AuthorizeAttribute returns HttpUnauthorizedResult, which always returns HTTP status code 401. This causes a redirection to the login page.
If the user isn't logged in, this makes perfect sense. However, if the user is already logged in, but isn't in the required role, it's confusing to send them back to the login page.
It seems that AuthorizeAttribute conflates authentication and authorization.
This seems like a bit of an oversight in ASP.NET MVC, or am I missing something?
I've had to cook up a DemandRoleAttribute that separates the two. When the user isn't authenticated, it returns HTTP 401, sending them to the login page. When the user is logged in, but isn't in the required role, it creates a NotAuthorizedResult instead. Currently this redirects to an error page.
Surely I didn't have to do this?
Source: (StackOverflow)
I am writing a JACC provider.
Along the way, this means implementing a PolicyConfiguration.
The PolicyConfiguration is responsible for accepting configuration information from the application server, such as which permissions accrue to which roles. This is so that a Policy later on can make authorization decisions when handed information about the current user and what he's trying to do.
However, it is not part of the PolicyConfiguration's (atrocious) contract to maintain a mapping between roles and their permissions, and Principals that are assigned to those roles.
Typically--always, really--an application server houses this mapping. For example, on Glassfish, you affect this mapping by supplying things like sun-web.xml and sun-ejb-jar.xml and so on with your Java EE modules. (These vendor-specific files are responsible for saying, e.g., superusers is a group that is to be assigned the application role of admins.)
I would like to reuse the functionality these files supply, and I would like to do so for as wide an array of application servers as possible.
Here is--totally arbitrarily--IBM's take on the matter, which appears to confirm my suspicion that what I want to do is essentially impossible. (More ammunition for my case that this particular Java EE contract is not worth the paper it's printed on.)
My question: how do I get at this principal-to-role-mapping information in--for starters--Glassfish and JBoss from within a PolicyConfiguration? If there's a standard way to do it that I'm unaware of, I'm all ears.
Source: (StackOverflow)
I have a Nexus 4 with Android 4.3 and I am trying to connect the device to a computer with Windows 7 64bit.
I installed the latest drivers and the latest adb version. I think I tried almost everything and I still get the following message:
C:\Program Files (x86)\Android\sdk\platform-tools>adb devices
List of devices attached
007667324ccb229b unauthorized
What can be the reason for this error?
Source: (StackOverflow)
I was wondering if it's acceptable to put custom data in an HTTP authorization header. We're designing a RESTful API and we may need a way to specify a custom method of authorization. As an example, let's call it FIRE-TOKEN authentication.
Would something like this be valid and allowed according to the spec: Authorization: FIRE-TOKEN 0PN5J17HBGZHT7JJ3X82:frJIUN8DYpKDtOLCwo//yllqDzg=
The first part of the second string (before the ':') is the API key, the second part is a hash of query string.
Source: (StackOverflow)
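An added server-side example (not code from the post) of how a custom scheme like the one above is parsed and checked. The credential store, the secret and the MAC construction (HMAC-SHA1 over the query string, base64-encoded) are assumptions, since the post only says "a hash of query string"; the is_token68 helper checks the credential part against the RFC 7235 token68 grammar, which does not include ':'.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed credential store (API key -> shared secret); not from the post.
SECRETS = {"0PN5J17HBGZHT7JJ3X82": b"demo-shared-secret"}
SCHEME = "FIRE-TOKEN"
# RFC 7235 token68: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", then optional "=" padding.
TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")


def parse_header(value: str) -> Optional[Tuple[str, str]]:
    """Split 'FIRE-TOKEN <key>:<mac>' into (key, mac); scheme names compare case-insensitively."""
    scheme, _, credentials = value.strip().partition(" ")
    if scheme.lower() != SCHEME.lower():
        return None
    key, sep, mac = credentials.strip().partition(":")
    if not sep or not key or not mac:
        return None
    return key, mac


def is_token68(credentials: str) -> bool:
    """True if the credential part fits token68; 'key:mac' does not, because ':' is not in the grammar."""
    return bool(TOKEN68.match(credentials))


def sign(secret: bytes, query_string: str) -> str:
    # Assumed MAC construction: HMAC-SHA1 over the raw query string, base64-encoded.
    digest = hmac.new(secret, query_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(header: str, query_string: str) -> bool:
    """Server-side check: look up the key, recompute the MAC, compare in constant time."""
    parsed = parse_header(header)
    if parsed is None:
        return False
    key, mac = parsed
    secret = SECRETS.get(key)
    if secret is None:
        return False
    # compare_digest avoids leaking how many leading characters of the MAC matched.
    return hmac.compare_digest(sign(secret, query_string), mac)
```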
I'm trying to avoid the use of the Role Provider and Membership Provider since it's way too clumsy in my opinion, and therefore I'm trying to make my own "version" which is less clumsy and more manageable/flexible. Now my question is: is there an alternative to the Role Provider which is decent? (I know that I can do a custom Role provider, membership provider etc.)
By more manageable/flexible I mean that I'm limited to using the Roles static class and cannot implement directly into my service layer which interacts with the database context; instead I'm bound to use the Roles static class which has its own database context etc. Also the table names are awful.
Thanks in advance.
Source: (StackOverflow)
The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:
<authorization>
<deny users="?" />
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
But doesn’t the above code have the same effect as :
<authorization>
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
or did the author also include the <deny users="?" /> rule for a reason?
Source: (StackOverflow)
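An added example (not from the post) that models the documented evaluation order of ASP.NET URL authorization: rules are checked top to bottom, the first match wins, "?" matches only anonymous requests, "*" matches everyone, and if no rule matches the machine-level default <allow users="*" /> applies. It evaluates both sections from the question for the same set of users so the outcomes can be compared, and also a section containing only <deny users="?" />, where that rule is the only thing standing between an anonymous request and the default allow.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional

# Copies of the two <authorization> sections discussed in the question.
WITH_DENY_ANON = """
<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>
"""

WITHOUT_DENY_ANON = """
<authorization>
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>
"""


def rule_matches(rule_users: str, user: Optional[str]) -> bool:
    """'?' matches only anonymous requests (user is None), '*' matches everyone,
    otherwise the comma-separated names are compared case-insensitively."""
    for token in (t.strip() for t in rule_users.split(",")):
        if token == "*":
            return True
        if token == "?":
            if user is None:
                return True
        elif user is not None and token.lower() == user.lower():
            return True
    return False


def is_allowed(section_xml: str, user: Optional[str]) -> bool:
    """First matching rule wins. No match falls through to the machine-level
    default, which is <allow users="*" />."""
    root = ET.fromstring(section_xml.strip())
    for rule in root:
        if rule_matches(rule.get("users", ""), user):
            return rule.tag == "allow"
    return True


def decisions(section_xml: str,
              users: Iterable[Optional[str]] = (None, "dan", "matthew", "eve")) -> Dict[Optional[str], bool]:
    """Access decision per user; None stands for an anonymous request."""
    return {u: is_allowed(section_xml, u) for u in users}
```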
I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.*
Do you have any hints how to do it?
What I'm not looking for is how to exclude a file.
This has to be url (as this is solution based on PHP framework, and all urls are redirected with mod_rewrite to index.php). So there is no file under this url. Nothing.
Some of those URLs are just callbacks from other services (no, the IP is not known, so I cannot exclude based on IP) and they cannot prompt for User / Password.
Current definition is as simple as:
AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd
require valid-user
Source: (StackOverflow)
I'm trying to add simple Authentication and Authorization to an ASP.NET MVC application.
I'm just trying to tack on some added functionality to the basic Forms Authentication (due to simplicity and custom database structure)
Assuming this is my database structure:
User:
username
password
role (ideally some enum. Strings if need be. Currently, user only has ONE role, but this might change)
High Level Problem:
Given the above database structure, I would like to be able to do the following:
- Simple Login using Forms Authentication
- Decorate my actions with:
[Authorize(Roles={ MyRoles.Admin, MyRoles.Member})]
- Use roles in my Views (to determine links to display in some partials)
Currently, all I'm really sure of is how to Authenticate. After that I'm lost. I'm not sure at which point do I grab the user role (login, every authorization?). Since my roles may not be strings, I'm not sure how they will fit in with the User.IsInRole().
Now, I'm asking here because I haven't found a "simple" way to accomplish what I need. I have seen multiple examples.
For Authentication:
- We have simple user validation that checks the database and "SetAuthCookie"
- Or we override the Membership provider and do this inside of ValidateUser
In either of these, I'm not sure how to tack on my simple user Roles, so that they work with the:
HttpContext.Current.User.IsInRole("Administrator")
Furthermore, I'm not sure how to modify this to work with my enum values.
For Authorization, I've seen:
- Deriving AuthorizeAttribute and implementing AuthorizeCore OR OnAuthorization to handle roles?
- Implementing IPrincipal?
Any assistance would be greatly appreciated. However, I fear I may need a lot of detail, because none of what I've Googled seems to fit with what I need to do.
Source: (StackOverflow)
I've managed to extend TokenAuthentication and I have a working model when using the request session to store my tokens, however when I attempt to pass Authorization as a header parameter as described here, I noticed that my Responses come back without the META variable HTTP_AUTHORIZATION. I also noticed that if I pass "Authorization2" as a header parameter that it is visible in the request:
{
'_content_type': '',
'accepted_media_type': 'application/json',
'_request': <WSGIRequest
path:/api/test_auth/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{
'MOD_AUTH_CAS_S': 'ba90237b5b6a15017f8ca1d5ef0b95c1',
'csrftoken': 'VswgfoOGHQmbWpCXksGUycj94XlwBwMh',
'sessionid': 'de1f3a8eee48730dd34f6b4d41caa210'
},
META:{
'DOCUMENT_ROOT': '/etc/apache2/htdocs',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTPS': '1',
'HTTP_ACCEPT': '*/*',
'HTTP_ACCEPT_CHARSET': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
'HTTP_ACCEPT_ENCODING': 'gzip,deflate,sdch',
'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.8',
'HTTP_AUTHORIZATION2': 'Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4c',
...
My first guess is that the authorization header is being removed by apache, and I have read a few S/O questions that state that apache will throw out the value if it does not match basic authorization and authenticate, but I have no idea how to allow the Authorization header to 'pass through' to Django and the WSGIRequest. Does anyone know how to solve this problem?
I also use mod_auth_cas and mod_proxy, if that changes anything.
Source: (StackOverflow)
In my ASP.NET MVC app, I have most controllers decorated with
[Authorize(Roles="SomeGroup")]
When a user is not authorized to access something, they are sent to "~/Login" which is the Login action on my Account controller.
How can I determine that a user has reached the login page because of not being authorized so that I can show an appropriate error?
Source: (StackOverflow)
I have written a REST web service in the NetBeans IDE using the Jersey framework and Java. For every request the user needs to provide username and password; I know that this authentication is not good (using a curl command like: curl -u username:password -X PUT http://localhost:8080/user).
Now I want to call a REST web service from an Android class. What should I write? I am new to Android. I have an Android class which uses DefaultHttpClient and CredentialUsernameAndPassword. But when I run in Eclipse, sometimes I get a runtime exception or SDK exception.
Can anyone give me sample code and suggestions?
Source: (StackOverflow)
Am I correct in thinking that the goodness of Cloud Endpoints comes with the following limitations:
- The REST Api cannot be deployed to a custom domain (it'll remain on appspot.com).
- The only authentication supported is OAuth against Google accounts.
- Corollary: it isn't currently possible to create a user login/session-tracking mechanism that is Google-accounts-agnostic (e.g., with email as username and a password).
Is there any plan to do away with these limitations and if so, what is the ETA?
Source: (StackOverflow)