Some bapi's don't require bapi_transaction_commit
I have a Blazor client (i.e. wasm) app that uses resource-based authorization. I connect to a DB to authorize authenticated users. It is easy to implement the API-side authorization (e.g. via an authorization service). It is not easy to implement client-side authorization checks in the UI, because they require communication with the server.
Microsoft suggests using an authorization service imperatively. I have two questions about this usage:
What am I allowed/supposed to put in the authorization handlers behind this example? I can't use the same handlers I use for API authorization (e.g. I can't connect to a DB) because it's the client app. Is this example only for authorization that doesn't require talking with the server?
Since this solution is imperative rather than declarative, is it incompatible with AuthorizeView?
I want to prevent my application from XSS and CSRF attacks, I want to make some global check to prevent these.
I have used the below code in the startup file in the ConfigureServices function. It prevents CSRF attacks, but I am not sure whether it is enough to prevent both attacks or whether I need to write some code to prevent XSS separately.
// Startup.ConfigureServices: rejects POST/PUT/PATCH/DELETE requests that do not
// carry a valid antiforgery token (safe methods such as GET are not checked)
services.AddMvc(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
One more doubt: will it work for an API application?
XSS and CSRF are completely different kinds of attacks which have to be defended against in completely different ways.
XSS requires that user input be appropriately escaped for the very specific context in which it is inserted. There is no panacea for it. You cannot solve it globally. (There are various techniques which look for suspicious content in requests which might be XSS but they are rather prone to throwing false positives).
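As an added illustration of the "specific context" point above (example code, not from the original answer): the same untrusted value needs a different encoder for HTML text, for a JavaScript string, for a URL parameter, and for the nested case of a JavaScript string inside an event-handler attribute, where HTML-encoding alone is wrong. The encoders and the small entity decoder are hand-written approximations, not a library's API.

```javascript
// Added example (not from the original post): one untrusted value rendered into
// several output contexts, each with its own encoder. The encoders and the
// entity decoder below are hand-written illustrations, not a library's API.

// HTML text / quoted-attribute context: entity-encode the delimiters.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JS string-literal context: \xHH / \uHHHH escapes (entities are not decoded in <script>).
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encoding.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Simplified model of the HTML parser's attribute handling: numeric and the
// common named entities are decoded before the JS engine ever sees the value.
function htmlAttributeDecode(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&(#x([0-9a-f]+)|#(\d+)|(\w+));/gi, (m, _, hex, dec, name) =>
    hex ? String.fromCharCode(parseInt(hex, 16))
        : dec ? String.fromCharCode(Number(dec))
        : (named[name.toLowerCase()] || m));
}

// Nested context: an onclick attribute is HTML-decoded, then run as JS. HTML-only
// encoding leaves a raw quote in the literal; JS-then-HTML encoding keeps \x27.
function onclickLiteralSeenByJs(value, nested) {
  const attr = nested ? encodeForHtml(encodeForJsString(value)) : encodeForHtml(value);
  return htmlAttributeDecode(attr);
}

function renderProfile(name) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<script>var user = '${encodeForJsString(name)}';</script>`,
    `<a href="/search?q=${encodeForUrlParam(name)}">search</a>`,
    `<button onclick="greet('${encodeForHtml(encodeForJsString(name))}')">hi</button>`,
  ].join('\n');
}
```

A benign name such as O'Brien is enough to show the mismatch: after the parser decodes the attribute, the HTML-only version hands the JS engine a bare quote that ends the string literal early.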
Implicit flow is considered to be insecure. I'm aware of two problems:
Confused deputy. But to overcome it you just need to check whether access_token was given to your application. Not a big deal.
XSS attack. So if our access_token was stolen via an XSS attack, it can be used to make requests (that are part of the scope we originally requested). It sucks, but it's hard to steal the access_token, as most likely we had it only on our login page and didn't store it in app state, since it's short-lived (I guess that's why the Implicit workflow does not support refresh tokens).
It doesn't look too bad. Are there any other security vulnerabilities that I'm not aware of?
The correct statement should be
implicit flow is insecure relative to the code flow.
If an attacker wants to steal user access tokens from an app using the code flow, then the attacker has to break into the server network and either uncover the app secret or eavesdrop on the network traffic from the server to Google (which is HTTPS) to get hold of the access token.
In the implicit flow the access token resides in the browser. In this case there are many other possibilities for an attacker to steal tokens without having to compromise a network.
XSS (as you already explained)
Confused deputy problem (as you already explained)
Session fixation issues (using user A's token in user B's session. https://www.facebook.com/FacebookforDevelopers/videos/10152795636318553/ )
redirect_url parameter manipulation
(possible) token leakage with referrer header
Various phishing and social engineering possibilities to trick the users to leak their access token (easier than asking for their password)
But as you said, it is straightforward to mitigate all those errors if you are a security aware developer. But still there is a chance for these vulnerabilities if you implement the implicit flow. Therefore it might be a good idea if you don't deliver the token to browser and handle the token in a server side component (code flow).
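The browser-side checks that the answer's list implies (state bound to the session, exact redirect_uri matching, and a token audience check against the confused-deputy problem), as an added example that is not code from the original answer. The registered-URI list, the client id and the tokeninfo shape are constructed assumptions.

```javascript
// Added example, not code from the original answer: the checks a browser-side
// OAuth client should run on its callback URL before trusting anything in it.
// The registered URI list, client id and tokeninfo shape are constructed here.

const REGISTERED_REDIRECT_URIS = ['https://app.example/cb']; // constructed
const CLIENT_ID = 'my-client-id';                            // constructed

// redirect_uri: compare the whole string exactly; no prefix or wildcard matching.
function isRegisteredRedirectUri(uri) {
  return REGISTERED_REDIRECT_URIS.includes(uri);
}

// Implicit flow returns access_token in the fragment (#), code flow returns a
// code in the query (?); read whichever part the callback carries.
function parseCallback(url) {
  const u = new URL(url);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ''));
  const query = u.searchParams;
  return {
    accessToken: fragment.get('access_token'),
    code: query.get('code'),
    state: fragment.get('state') || query.get('state'),
    error: fragment.get('error') || query.get('error'),
  };
}

// state binds the callback to the session that started the flow; a mismatch
// means a response from some other session is being injected into this one.
function validateCallback(url, expectedState) {
  const p = parseCallback(url);
  if (p.error) return { ok: false, reason: p.error };
  if (!p.state || p.state !== expectedState) return { ok: false, reason: 'state mismatch' };
  if (!p.accessToken && !p.code) return { ok: false, reason: 'no credential' };
  return { ok: true, ...p };
}

// Confused-deputy check for the implicit flow: the token must have been issued
// to this client (aud) and still be valid. `info` is a decoded tokeninfo
// response of assumed shape { aud, exp }, with exp in seconds since the epoch.
function tokenIssuedForUs(info, nowMs = Date.now()) {
  return info.aud === CLIENT_ID && typeof info.exp === 'number' && info.exp * 1000 > nowMs;
}
```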
Can we have more than one authentication (anonymous, windows, forms, basic, etc) enabled in IIS at a time?
If two or more authentications are enabled, what is the order by which authentications are handled?
And, if there is an order, how to change it?
Negative.
If you had Basic + Anonymous enabled, Basic would take priority, and Anonymous would never be used if they failed Basic... understand?
"An important restriction that you should be aware of when enabling different authentication methods is that you can’t enable both a challenge-based and a logon redirection–based authentication method at the same time. In other words, you can’t enable forms authentication (which is redirection-based) while basic, digest, or Windows authentication (which are challenge-based) is also enabled."
http://windowsitpro.com/systems-management/understanding-iis-70-authentication <-- Good read
http://www.iis.net/configreference/system.webserver/security/authentication#005
I've implemented the BetterAuthorizationSample for the hope that the user would not be bombarded with the authentication dialog box for privilege operations. The implementation mostly works, however it does require the user to authenticate once. I want to disable authentication all together. Is this possible with the BetterAuthorizationSample?
Any suggestions?
Thanks.
No.
This completely defeats the purpose of authorization. If there was any way for applications to perform privileged operations without the user's express consent, then malicious programs would be free to do whatever they wish.