Channel: Question and Answer » authorization
Browsing all 41 articles

Retrieve anonymous credentials

Background A registration process to acquire an anonymous, verified account goes like this: Registrant provides proof of individuality to a Registrar. Registrar verifies proof, ensures no prior...


workbench failed to connect — ssh

What are the connection parameters? How do I confirm each value? Workbench error: Lost connection to MySQL server at ‘reading initial communication packet’, system error: 0 I can easily connect from...


Limit access to pages based on role

I’m looking for recommendations on how to limit page access by role on the front end. No plugins please, I’m looking for the most robust code approach. I’m considering using a page meta field to store the...


SPGroup.ContainsCurrentUser intermittently returning false for indirect...

I have a WCF REST service running in SP2013 that is used to determine which SP groups a given user is in (this is called by provider hosted apps, who can’t get the relevant info from the CSOM). The SP...


Should I store my user claims in the JWT token?

I am using JWT tokens in HTTP headers to authenticate requests to a resource server. The resource server and auth server are two separate worker roles on Azure. I cannot make up my mind as to whether I...


Set a password on Damn Small Linux

I’m running Damn Small Linux. When you open the command prompt, you are automatically logged in as the default user called dsl and granted root privileges (with sudo). How can I set a password for the...


Centralized authorization with distributed service providers

I’m thinking about implementing a single sign on service with a centralized permissions management for a distributed network of service providers (so authentication as well as authorization). The part...


Can Google's administrators be trusted with Google Authenticator? [duplicate]

This question already has an answer here: How does Google Authenticator work? 3 answers



OAuth/OAuth2 RFC question

This question is about a line from the OAuth2 RFC – https://tools.ietf.org/html/rfc6749 In Section 2.3, there is this line: The client MUST NOT use more than one authentication method in each request....



unable to download content from login page

I am using Apache Tomcat on the Linux platform to host a website. I put an APK link on the login page so users/guests can download the mobile app, but they are unable to download that app. When registered user login to...


encryption vs access control comparison

I have a very basic and simple question about two security concepts. Both encryption and access control are used for privacy and to prevent unauthorized users from accessing some object (eg. files,...


Decide to REST API Security

I’ve developed an API. I got confused and I’ve been reading articles for days. Actually my question is close to these but not exact (maybe a combination of them); Securing REST API that will accessed...


Token based authentication and multiple sessions

I’ve a token based authentication system (REST) that I inherited for an iOS app (can’t change), and I’ve to re-use the same authentication web api system (that I can change to adapt for the web...



Password Protected Page + Showing Different Page If Not Authenticated/Authorized

I have a few pages of custom posts that I would like to password protect via the following business rules: I can create a number of passwords to access the page An expiration date can be set for each...


Create Public Key using OpenSSL instead of PuTTYgen for PKCS#8

I’m trying to create a public key pair for ssh-rsa authentication. If I’m using puttygen.exe, the “OpenSSH authorized_keys file” string looks like this: “ssh-rsa AAAAB3 … 6yIK9Nbw== rsa-key-20150709”...



How to protect a Wifi network from Microsoft WiFi Sense

Microsoft is deploying a new feature, WiFi Sense, which provides users a way to easily share passwords to wireless networks with all of their contacts. This introduces a new security failure mode: a...


User authorization with microservices

Should microservices be responsible for handling their own authorization or you think it’s better to have a separate authorization service that is shared across all or a subset (within the same...



Auth options for distributed systems

I am in the process of designing 3 components that will work in symphony with one another: A RESTful web service which requires BasicAuth over HTTPS on all calls, and which is what actually does all...


OAuthv2 for distributed applications

Please note: Months ago I asked this question that received a truly amazing answer and introduction to OAuthv2. I’m now knee deep in the implementation of such a system and have similar (but notably...


OAuthv2 access tokens and resource servers

In the OAuthv2 authorization grant, a “client app” authenticates itself against an “auth server”, and receives an “access token” for accessing resources living on a “resource server”. My concerns: How...
