I have a certain page on my Jekyll site that I only want to make available to people from my organization's domain (call it example.com).
Am I correct in my understanding that it's not possible to restrict access to certain pages because — as is the nature of a static site — everything has already been served at once?
I'm aware of the jekyll-auth plugin to authenticate users against GitHub, but my situation would require that authentication through Google sign-in.
Jekyll is just a static site generator, so anything related to authentication will depend on what you have available on the webserver that is hosting the site.
Take a look at the Jekyll Google Auth plugin for example:
https://github.com/apcj/jekyll-google-auth
It's basically a trick... Anytime a request comes in for a page, they run it through Sinatra (using the _site folder as the static file folder, just as public would be normally), and authenticate it using apcj/sinatra-google-auth.
So in this case, you know that your webserver must have Sinatra for this authentication method to work.
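The same idea as a sketch, added here as an example (it is not code from jekyll-google-auth or sinatra-google-auth): a Rack-compatible gate in plain Ruby that serves `_site` and restricts chosen directories to one e-mail domain. The class name, the `/auth/login` route and the `email` session key are hypothetical, and the sign-in layer is assumed to store only verified addresses.

```ruby
require 'pathname'

# Hypothetical Rack-compatible gate (plain Ruby, no gems): serves a Jekyll
# _site folder and restricts chosen directories to one e-mail domain.
class DomainGate
  def initialize(site_root:, protected_dirs:, allowed_domain:)
    @root      = Pathname.new(site_root).realpath
    @protected = protected_dirs.map { |d| @root.join(d).to_s + '/' }
    @domain    = allowed_domain.downcase
  end

  # Assumption: the sign-in layer put a *verified* address in
  # env['rack.session']['email'] and owns the /auth/login route.
  def call(env)
    path = resolve(env['PATH_INFO'].to_s)
    return respond(404, "Not found\n") unless path
    if @protected.any? { |dir| (path.to_s + '/').start_with?(dir) }
      email = (env['rack.session'] || {})['email'].to_s
      return [302, { 'location' => '/auth/login' }, []] if email.empty?
      return respond(403, "Forbidden\n") unless allowed?(email)
    end
    path = path.join('index.html') if path.directory?
    return respond(404, "Not found\n") unless path.file?
    type = path.extname == '.html' ? 'text/html' : 'application/octet-stream'
    respond(200, path.binread, type)
  end

  # Compare the whole domain part: a suffix match on "example.com" would
  # also accept "user@notexample.com".
  def allowed?(email)
    local, _at, domain = email.rpartition('@')
    !local.empty? && domain.downcase == @domain
  end

  private

  # Decode and normalise first, so "/docs/../internal/x.html" is authorised
  # as the file it really names and nothing outside _site is ever read.
  def resolve(path)
    rel = path.b.gsub(/%(\h\h)/) { $1.hex.chr }.sub(%r{\A/+}, '')
    return nil if rel.include?("\0")
    full = @root.join(rel).cleanpath.to_s
    full == @root.to_s || full.start_with?(@root.to_s + '/') ? Pathname.new(full) : nil
  end

  def respond(status, body, type = 'text/plain')
    [status, { 'content-type' => type }, [body]]
  end
end
```

The authorization decision is taken on the resolved path before the existence check, so a signed-out visitor gets the same redirect for existing and missing files under a protected directory.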
One alternative would be to password protect your Jekyll site with HTTP basic auth. Aerobatic provides such a feature for static sites hosted with Bitbucket. And yes, you can protect only certain directories of the site.
https://www.aerobatic.com/blog/password-protect-a-jekyll-site
Disclaimer: I'm one of the founders of Aerobatic
You can use Netlify to add authentication to any static site, not just Jekyll. Deploy your site for free on Netlify and use their identity widget.
Related
I have a secondary application that drops new folders into my Laravel application on a daily basis. The contents of the folder need to be publicly accessible because they're flash files with a number of assets placed in each day's folder, alongside static .html pages, .jpgs, and .swfs. These links are part of the secondary application's vendor-coded framework.
Moving the files from a non-web accessible folder using php doesn't seem like a good option. I've tried using readfile() and considered .htaccess, but I don't want a secondary login for my users.
Only users who have logins with my Laravel application should have access to these files. Is there some way I can protect access to any request inside this folder with Laravel's Auth system, not basic auth? With the understanding that the page requests inside that folder vary?
From extensive searching, I've found that Laravel cannot handle the protection of public folders with static assets. This is a web server configuration issue.
One solution would be to set a cookie that gets read by the web server and bounces the user if the cookie value does not match a predetermined value. But Laravel encrypts cookies and disposes of cookies not encrypted on each load. So that solution would only work if you use App::filter to process the cookie using php setcookie().
I'm trying to do a Symfony2-centric application and re-use all the Bundles for the web front app. The application will be divided in three: API, FrontEnd, BackEnd, so that we can code the API like a Service Bundle and use it across the whole application, and it will also provide an API for our application. The FrontEnd will use the API as a Service and it will have all the front for user use. And the BackEnd will also use the API but providing a different URL to admin the app.
This is the structure I'm using:
/app_api
/app_frontend
/app_backend
/bin
/src
/vendor
/web_api
/web_frontend
/web_backend
This will be translated to:
api.domain.com (app_api, web_api)
www.domain.com (app_frontend, web_frontend)
backend.domain.com (app_backend, web_backend)
What do you think?
Is this possible?
What about performance, even if we are using APC?
If you have another solution let me know.
Thanks & Regards to everyone
Currently, I have decided to use Drupal as the primary login area where users can do stuff. Problem is, I want to automatically allow for the logging in of users using their cpanel, whm or whmcs login details. Anyone?
I really don't suggest you do this.
You will only introduce more risks to all your systems, even if Drupal is a very secure system.
There are sometimes authentication security issues with cPanel, Drupal and WHMCS. Now, imagine those security issues + the ones of Drupal, + the ones on WHMCS...
...with all these insecurity layers combined, it's a real security bomb, and not something that will help your customers that much you are going to create. ...plus your modules for this will probably experience someday security issues also.
I suggest taking a look at other web hosts: if they don't do this, and if even WHMCS does not bridge with vBulletin on their own website, there is a reason for this! ;-)
There seems to be no module for this.
Also Drupal seems not to provide a direct way to connect 3rd party login systems.
Having a look at the LDAP integration (file ldapauth.module) in the package, you can use the hook hook_form_alter. They check whether the form is using user_login_authenticate_validate in the validate entry and replace it with their own authentication function.
Basically you can use the ldapauth.module file as a basis and start with the ldapauth_login_authenticate_validate function.
In this function you have to add code that uses $form_values['name']; and $form_values['pass'] and verify them against your cPanel database.
A completely different approach would be to write a cPanel module to create Drupal users and update the accounts. To get started you can have a look at writing cPanel modules.
I am trying to add OAuth authentication to access YouTube, but how do I add localhost as domain?
For example on domain registration page here, I want to use localhost, since I am developing this application locally.
Please help me or suggest me alternative ways
Thank you
P.S. I also added this question on https://webapps.stackexchange.com/, but not sure about community activity there so please ignore
Obviously you can't register 'localhost' for authentication since it is merely an alias. If you want to use OAuth with any Google service, you'll have to have a domain. If you're developing a desktop app, there is a workaround (this may actually work for all but I didn't try):
You can actually sign your OAuth requests without registering your domain with Google by creating a signature using HMAC-SHA1, a consumer key of "anonymous" and a consumer secret of "anonymous". Just make sure you have the appropriate signature base string for your requests.
http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
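The signing step described in this answer, written out as an added example (not code from the answer or from Google): OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849, with the "anonymous" consumer key and secret. The module and function names are hypothetical, and the caller is assumed to pass a base URL that is already normalised and carries no query string.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical helper for OAuth 1.0 HMAC-SHA1 signing (RFC 5849).
module OAuth1Sign
  CONSUMER_KEY    = 'anonymous'
  CONSUMER_SECRET = 'anonymous'

  module_function

  # RFC 3986 percent-encoding: only unreserved characters stay literal.
  def enc(value)
    value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
  end

  # Signature base string: METHOD & enc(base URL) & enc(sorted parameters).
  # Parameters are encoded first, then sorted by name and value.
  def base_string(method, url, params)
    pairs = params.map { |k, v| [enc(k), enc(v)] }.sort
    normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
    [method.upcase, enc(url), enc(normalized)].join('&')
  end

  # HMAC key is enc(consumer secret) & enc(token secret). With the
  # "anonymous" secret and no token yet, the key is the public string
  # "anonymous&", so the signature says nothing about who the client is.
  def sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{enc(consumer_secret)}&#{enc(token_secret)}"
    digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key,
                                  base_string(method, url, params))
    [digest].pack('m0') # Base64 without line breaks
  end

  # Builds the full oauth_* parameter set for an unregistered client.
  def signed_params(method, url, extra, nonce: SecureRandom.hex(16),
                    timestamp: Time.now.to_i)
    params = { 'oauth_consumer_key' => CONSUMER_KEY,
               'oauth_nonce' => nonce,
               'oauth_signature_method' => 'HMAC-SHA1',
               'oauth_timestamp' => timestamp.to_s,
               'oauth_version' => '1.0' }.merge(extra)
    params.merge('oauth_signature' => sign(method, url, params, CONSUMER_SECRET))
  end
end
```

The `oauth_signature` value still has to be percent-encoded once more when it is placed in a query string or an Authorization header.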
On the page in Google's APIs console where you provide redirect URIs for your app, you can use localhost. Or you can give another name to localhost in your /etc/hosts file like this:
127.0.0.1 localhost myname.madeupdomain.net
Here is how our Tomcat webserver is currently set up. We are using JSP for the webpages.
/webserverpath/main (all public pages and the login page)
/webserverpath/secure1 (private pages)
/webserverpath/secure2 (private pages)
/webserverpath/secure3 (private pages)
I recently discovered that the authentication is very minimal. For instance, once a user is logged in they can bookmark any private page, close the browser, open the browser back up and go to the bookmark and are never asked to sign in again (which turns out to be bad since we recently started disabling users). All of this was set up before I arrived. I'm wondering what can I do to add the proper security? Should I have all the folders under one main folder (i.e. /webserverpath/main/secure1, etc.) or just leave it alone?
Let me add that I'm newish to the whole website authentication stuff, having multiple websites in different folders like this and JSP itself.
You might start here: Declarative Web Application Security with Servlets and JSP
Generally, you probably want some session-based authentication that kicks people out of the private parts of the site if they aren't authenticated.