is it possible to disable Apache LDAP Auth for API resources, so it is still needed for the browser but not for any kind of REST API requests?
Or maybe bypassing it when requests come from specific networks?
Thanks
The only way I found to work around this is by whitelisting the network in the Apache LDAP Auth from which the API requests are done.
Related
I am building a private API which provides some data, I have already set CORS to only allow requests from my website, and that works, but there is a problem: a user can make the request with the chrome console from my website to the API and that request will succeed since the API has no real way to tell if the request comes from the code i have written.
So my question is: is there any way to tell that? is there any way to prevent users from making that request from my website to call the API and bypass the CORS?
You need to update your request model so that requests to the API come from the web server itself, rather than from a users client.
That way you can add authentication to the API and only allow requests that come directly from your web server. Then web server can then display those results to your users.
CORS is not a method for checking/enforcing authentication or authorisation. It is purely an additional security control to protect against browser-based security vulnerabilities (XSS etc).
Here is what I'm trying to achieve:
Right now, the Desktop App, Auth server and API are working correctly, I can get my JWT and use it to call the API.
Both web apps are already in use, subdomain1.domain.com use NGINX auth_request, cookie and sessions on an old auth server to get access.
Web app in subdomain2.domain.com use session, and connect to the API with an app token.
And, all these servers are part of the same domain.
So, is it possible to share the JWT from my Desktop app with browsers? We generally use Chrome.
The desktop app use Python 3, and most of the user will be using Windows.
If I can't, and I'm pretty too stupid to do this working, my other concern is, can my browser use that JWT on all web app once it connected get it from auth server? All servers shares the same main domain.
Our web server can be using Apache2, Nginx, Nodejs or Flask (python), which is kind of annoying when trying to make things like that works.
I could use cookie for .domain.com, and store the jwt inside, am I right?
If yes, is this really the best idea?
The idea behind it is:
User log in the app or browser
JWT is generated
JWT is shared between app and browser (not sure about this one)
JWT is used on all subdomain by the browser
What is your advice on this?
I think you can use a cookie in that case with no regrets. Just configure it correctly that every domains you need to have an access to this token.
I have JIRA, Confluence and Bitbucket deployed on my server behind Apache reverse proxy. Each of them is connected with others using Application links. Now, I want to add additional layer of protection by implementing HTTP Basic Authentication in front of this. When I do this, I lose connection between apps. How to configure Apache properly in order to have HTTP Basic Authentication in front of whole stack AND connection between apps?
Where did you configure basic authentication?
Normally Atlassian applications handle authentication themselves, so you should not have to configure anything in apache.
Application links use OAuth to handle authentication between applications and there are 2 flavors:
if both applications have the same set of users, you can use plain OAuth
if both applications have a different set of users, you can use OAuth with impersonation
More info is available in the Application Links documentation here.
Per https://www.rabbitmq.com/access-control.html, RabbitMQ has the ability to use authentication (who is the user) and authorization (what can the user do?)
I'm using a rather obscure plugin for authorization already. I was wondering if there was a way to use the HTTP backend ONLY for authentication, because it would gel extremely well with the Django server that this project is using (users on the Django server may be allowed onto the Rabbit server).
Thanks
Never used before, but this plugin should solve:
https://github.com/rabbitmq/rabbitmq-auth-backend-http
This plugin provides the ability for your RabbitMQ server to perform
authentication (determining who can log in) and authorisation
(determining what permissions they have) by making requests to an HTTP
server.
I've read some about authentication and authorization inside of asp.net web api and I've understood that i basically must use ssl in order for not letting people get hold of the authentication tokens. And if i'm not misstaken theese authenticantokens are sent inside of the header? and SSL hides theese headers for the public not to to catch up if they use some tools for internet listening? If thats the case i guess i could create a "custom" authentication by not allowing the api to run unless a specific header is sent with the api call? Which people shouldn't be able to catch up if i use ssl?
I realized I've used alot of questionmarks but it is just to illustrate where my unclear thoughts are, any help or input is highly appreciated, thanks!
Authentication, Authorization and securing the connection over SSL are 3 different parts of a web application.
Authentication
Basically authentication handles who you are. For example with a login you provide a user and a password. The application knows now, who you are.
Authorization
Authorization manages the access rights for the user. It says, on what you have access. For example if you've provided the correct credentials, you are authenticated, but maybe not authorized for everything.
SSL
SSL is securing the connection like you said. You can't sniff (with WireShark or Fiddler) the network traffic if it's over HTTPS. This is a setting on your IIS on which the web api application is running. You don't need to create a "custom" authentication.
I hope this helps.