How does web browsing in a terminal services session work? - terminal-services

Specifically, how does the data from a web server get routed to the correct session when it is sent back to the terminal server?
Is the session ID sent as part of the HTTP headers?
There's a very good reason I need to know, but it's fairly complicated and not particularly relevant to the question.

Answered by Erik Philips in comments above.

Related

grpc authentication using email

I'm completing a python grpc server function-wise and being ready for deployment. Thus far I have unsecure communication (pretty much the helloworld example when it comes to security). I thought I could put in place an authentication mechanism for my server in a reasonable amount of time after I observed that there was some documentation on this very topic provided by Google. Closer investigation led me to believe otherwise.
The case is simple: Users (fellow colleagues of mine) login to their company mail (gmail) and use the resulting token (JWT, OAuth, OAuth2, I don't care) to gain access to the grpc server I wrote. No one else gets in.
Since googling grpc+authentication has been fruitless so far I believe I'm on the wrong track on how I should approach this kind of problem. So therefore the questions:
Given this use case, should my grpc server have any concern with authentication? If so, are there examples? Or should this be handled by a different system? If so, what system?
I noticed a lot of articles mentioning Envoy+gRPC. Can Envoy help me out here? Is it designed to deal with this?
The gRPC authentication can follow the same approach of a normal HTTP, the only thing you need to have in mind is that the authentication check would be placed in a gRPC interceptor and you will be looking at the metadata to get the credentials. Unfortunately, I don't have an example to do it with Python but you can search in "how to add gRPC Server interceptors in Python" and then "how to work with gRPC metadata in Python".
Here is an example in Golang, maybe it can give you the idea.
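The interceptor-and-metadata approach described in the answer above, written in Python as an added example (it is not part of the original answer or of any project's code). The names `authorize`, `make_interceptor` and `ALLOWED_DOMAIN` are hypothetical, and `verify_token` is an assumed callable that validates the token's signature, expiry, issuer and audience and returns its claims; google-auth's `id_token.verify_oauth2_token` is one function that can fill that role.

```python
"""Added example: bearer-token check for a gRPC server interceptor."""
from typing import Callable, Iterable, Mapping, Optional, Tuple

ALLOWED_DOMAIN = "example.com"  # assumption: the company's Google Workspace domain


def authorize(metadata: Optional[Iterable[Tuple[str, str]]],
              verify_token: Callable[[str], Mapping],
              allowed_domain: str = ALLOWED_DOMAIN) -> Tuple[bool, str]:
    """Return (allowed, detail): detail is the caller's email or a reject reason."""
    # gRPC metadata keys arrive lowercased; take the first authorization entry.
    header = next((v for k, v in (metadata or ()) if k == "authorization"), None)
    if not header:
        return False, "missing authorization metadata"
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "expected 'Bearer <token>'"
    try:
        # verify_token must check signature, expiry, issuer and audience.
        claims = verify_token(token.strip())
    except Exception:
        return False, "token rejected by verifier"  # fail closed on any error
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    # 'hd' is the hosted-domain claim Google sets for Workspace accounts;
    # matching on it is stricter than checking the suffix of the email string.
    if claims.get("hd") != allowed_domain:
        return False, "account outside allowed domain"
    return True, str(claims.get("email", ""))


def make_interceptor(verify_token, allowed_domain=ALLOWED_DOMAIN):
    """Build a grpc.ServerInterceptor. grpcio is imported here so authorize()
    can be unit-tested without it. Handles unary-unary RPCs only."""
    import grpc

    class AuthInterceptor(grpc.ServerInterceptor):
        def intercept_service(self, continuation, handler_call_details):
            ok, detail = authorize(handler_call_details.invocation_metadata,
                                   verify_token, allowed_domain)
            if ok:
                return continuation(handler_call_details)

            def deny(request, context):
                # Ends the RPC with UNAUTHENTICATED before any servicer code runs.
                context.abort(grpc.StatusCode.UNAUTHENTICATED, detail)
            return grpc.unary_unary_rpc_method_handler(deny)

    return AuthInterceptor()
```

The interceptor is passed to the server through the `interceptors` argument of `grpc.server(...)`, and the client sends the token as an `authorization` metadata entry over a TLS channel so the bearer token is not exposed in transit.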

Authenticating subject with shiro in spring application that uses atmosphere for sockets

I have a Spring-boot web application that uses Apache Shiro for security management. The web application also uses the Atmosphere framework for socket communication.
Whilst working with it I have a requirement to authenticate a user who is currently logged in when I receive a /socket request to atmosphere. However, when trying to access the Shiro Subject I get the following error:
No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
I also have a filter added to my SecurityManager for /socket. Regardless, I continue to get the above error when I try to authenticate the user with atmosphere for socket connections.
I have searched up quite a lot on the web and haven't found an answer that explains what's happening thoroughly. I found many posts that mentioned something about the thread pool used by atmosphere is different from that which is allocated to servlet requests. Thus, async requests that reach atmosphere have no context of the original user. I also read a workaround here, which is quite old. I tried some of the things mentioned in the comments too.
Note: I am a newbie to the Spring, Shiro and Atmosphere frameworks. I understand things in a more systems-level perspective.
I would highly appreciate it if I can get some explanation (or some link that might help) as to what is happening with each of these things and why it is producing the error above. Most of the online material I have read regarding this seems to be very vague and does not cover as an exclusive answer.
If I am not mistaken when the Spring application launches it also loads the Shiro and Atmosphere, related classes. The requests arrive at the Apache server and are delegated to a class based on annotations. Spring/Apache stores per request info (some cookie or session token) and subsequent requests are mapped according to this. However, the information stored between requests that hit the Atmosphere related (ex: onRequest) endpoints and the rest are not shared, hence I cannot use the same subject info.
I have sincerely searched a lot trying to understand and would like an elaborate explanation. I hope this question is not regarded unsuitable to the forum.
Thank you
Shabir
Take a look at the doc for Thread Association in Shiro
Your assumption seems correct (guessing as I've never used Atmosphere). The thread pools are different. There are generally two ways to deal with this. Some frameworks allow you to add data to a "context" and you can pull that data out from your running thread (much like a Servlet or Spring context). The other option (assuming you have access to manage the Atmosphere threads), you can wrap them in:
Subject.execute(...)

How does comet work with the client side

I have a question with regards to the comet implementation. I know that it is used to handle asynchronous requests similar to what now can be achieved through Servlet 3.0 async functionality. Yet what I do not understand is how the push is done to the calling client.
In web sockets we open the connection by providing the ip and port. With comet, how do you connect with the server in order to receive call backs when the server pushes data?
The Wikipedia page on Comet (programming) is a pretty good resource for this question (sorry it's so obvious).
Comet is an umbrella term for using HTTP to simulate a bi-directional connection between a client and server. Ultimately you make an HTTP request to the server and attempt to hold it open (long polling and streaming). With long-polling that connection closes after a given interval or when data is returned. With streaming the connection is held open as long as possible and new data is sent over the existing connection.
How these are achieved differs between web browsers - that's why Comet is classed as a hack. Again, the Wikipedia page should provide almost all the information you need.
I wrote an article covering the history of realtime web communication (with a focus on client) and why WebSockets are a game-changer.

Detect WCF client open channel operation

I read the article in this site related to WCF Channel Listeners. I suppose that (correct me if I'm wrong), after a service opened a channel, it is possible to detect a request of connection made by a client. In practice I would like to detect when the client calls the Open method.
Could you tell me how can I do that please?
Thanks in advance.
For everyone interested in this question, I had an answer in this post.

WCF over MSMQ not working

I have been tasked to implement a WCF service that makes use of NetMsmqBinding. I wrote the service and it works fine. The problem is that in the last minute they told me that there will be no Active Directory integration. So I don't know how to configure the security of the service. There is a VPN tunnel between the service's and the client's machines but they do not use the same Active Directory. Please advise. Any kind of help or tutorials would be appreciated.
The problem is that the service is not always online. That is why using WCF over MSMQ is preferred for this scenario. So I am sending one way messages through MSMQ - which works fine. My only problem is that I am new to WCF and am not familiar with WCF security. I would like to be able to sign and encrypt the messages since the information to be sent to the service is confidential. I would like to make sure that only authorized clients call the service. Any suggestions?
I'm not sure I understand your question so correct me, if I'm wrong. I have recently been working on a WCF service that was hosted on a computer with no Active Directory available. We secured it using certificates. Is it an option for you? It's pretty painless (if you get past the 'put the certificate in the store and give the correct user access to it' part).
You should be able to take advantage of network transparency.
Use webservices to communicate from one system to the other. You might have to deal with extra latency, but it should still be usable.
Well first, you can use WCF's security, the WS-* stuff. Some info here:
http://blogs.msdn.com/motleyqueue/archive/2007/10/06/complementing-msmq-security-with-wcf.aspx
Second, you might find this blog to be helpful:
http://blogs.msdn.com/johnbreakwell/default.aspx
One of the articles there about cross-domain sending mentions this article (Cross-Enterprise Support):
http://msdn.microsoft.com/en-us/library/ms705127(VS.85).aspx
Which might help you configure it in general.
Thank you, Michael, but this information wasn't helpful...
I found this: http://www.codeplex.com/WCFSecurityGuide/Release/ProjectReleases.aspx?ReleaseId=14070 - a book from "Microsoft Pattern & Practices" which describes in detail the security in WCF - a must-read for every WCF developer.