I am new to worklight. In IBM information or knowledge center all the API are discussed but not about their attributes.I need to know about the list of api and its attributes and option.Please give me some link.
This is explained very well in the documentation.
For example, you asked about WL.JSONStore.init, so for JSONStore.init:
{string} options.username Optional - Name of the file that is created to store data for the collections, must be an alphanumeric string ([a-z, A-Z, 0-9]) and start with a letter. The default one is 'jsonstore'.
{string} options.password Optional - Password that is used to secure the contents of the store, by default there is no data encryption.
{boolean} options.clear Optional - Clears accessors without removing its contents from the store.
{boolean} options.localKeyGen Optional - Flag that determines if key generation uses a local (false) or remote (true) random number generator.
Collection is not an API... read the Overview section.
Related
What is the meaning of third line. I got this message when I run my openldap server while binding a user.
entry_decode(cn=user,dc=example,dc=com)
5a3fd996 => bdb_search
5a3fd996 bdb_dn2entry("cn=kerberoskdc,cn=config,dc=example,dc=com")
This is slapd requesting its backend to load data corresponding to the distinguished name "cn=kerberoskdc,cn=config,dc=example,dc=com". This happens a lot under the hood when performing ldap opertions, the dn is used as a primary key for fast lookups.
bdb_dn2entry is an internal function used by slapd's backend, it is invoked when ldap operations are performed (you should be able to see which operation triggers the call in the log file where this line appears).
Openldap uses a backend for a normal slapd database. Backends do the
actual work of storing or retrieving data in response to LDAP
requests. Backends may be compiled statically into slapd, or when
module support is enabled, they may be dynamically loaded.
OpenLDAP's bdb abd hdb backends use the Oracle Berkeley DB (BDB)
package to store data.
bdb_dn2entry is a function that actually retrieve data from the database. It is shared with other ldap's backend (not only for bdb/hdb) as it is defined as a function prototype in the header file proto-bdb.h in the source code :
/**
* dn2entry.c
*/
#define bdb_dn2entry BDB_SYMBOL(dn2entry)
int bdb_dn2entry LDAP_P(( Operation *op, DB_TXN *tid,
struct berval *dn, EntryInfo **e, int matched,
DB_LOCK *lock ));
The real action takes place in dn2entry.c :
dn2entry looks up the dn in the cache/indexes and returns the corresponding entry. If the requested DN is not found and matched is TRUE, it returns info for the closest ancestor of the DN. Otherwise EntryInfo e is NULL.
When I create a share link in the UI with the "Anyone with this link can view this item" option, I get a URL that looks like https://onedrive.live.com/redir?resid=XXX!YYYY&authkey=!ZZZZZ&ithint=<contentType>. What I can't figure out is how to use this URL from code to download the content of the file. Hitting the link gives HTML for a page to show the file.
How can I construct a call to download the file? Also, is there a way to construct a call to get some (XML/JSON) metadata about the file, and maybe even a preview or something? I want to be able to do this all without prompting a user for credentials, and all the API docs are about how to make authenticated calls. I want to make anonymous calls to get publicly-shared files.
Have a read over https://dev.onedrive.com - it documents how you can make a query to our service to get the metadata for an item, along with URLs that can be used to directly download the content.
Update with more details
Sorry, the documentation you need for your specific scenario is still in process (along with the associated SDK changes) so I'll give you an overview of how to do it.
There's a sibling to the /drives path called /shares which accepts a sharing URL (such as the one you have above) in an encoded format and allows you to get metadata for the item it represents. This does not require authentication provided the sharing URL has a valid authkey.
The encoding scheme for the id is u!<UrlSafeBase64EncodedUrl>, where <UrlSafeBase64EncodedUrl> follows the guidelines outlined here (trim the = characters from the end).
Here's a snippet that should give you an idea of the whole process:
string originalUrl = "https://onedrive.live.com/redir?resid=XXX!YYYY&authkey=!foo";
byte[] urlAsUtf8Bytes = Encoding.UTF8.GetBytes(originalUrl);
string utf8BytesAsBase64String = Convert.ToBase64String(urlAsUtf8Bytes);
string encodedUrl = "u!" + utf8BytesAsBase64String.TrimEnd('=').Replace('/', '_').Replace('+', '-');
string metadataUrl = "https://api.onedrive.com/v1.0/shares/" + encodedUrl + "/root";
From there you can append /content if you want to get the contents of the file, or you can start navigating through if the URL represents a folder (e.g. /children/childfile.txt)
I am using revel to build my webapplication and trying to write authentication module.
I finished with sign up part and now heading to write sign in part.
I read about security part on The definitive guide to form-based website authentication and will use this recommendation.
What I am really do not know is, how sign in works. I am imaging that the process works like this:
User write username and password into the html form and press sign in
Server receive request and the controller will check, if user information match with data on database.
If yes, how continue.
The third point is where I am staying. But I have some idea how could works and not sure, if is the right way.
So when sign in information match with the database, I would set in session object(hash datatype) key value pair signed_in: true. Everytime when the user make a request to the webapplication, that need to be authenticated, I would look in the session object, if signed_in is true or not.
This is the way I would do, but as I mentioned above, I do not know if it is the right way.
Yes like #twotwotwo mentioned, give it the user id and also a role.
So server side rendered flow: Step 1
user sends username (or other identifier) and secret.
using scrypt or bcrypt the secret is checked against the stored salted hash in the database
if it matches you create a struct or a map
serialize struct or map into string (json, msgpack, gob)
encrypt the string with AES https://github.com/gomango/utility/blob/master/crypto.go (for instance). Set a global AES key.
create a unique cookie (or session) identifier (key)
store identifier and raw struct or map in database
send encrypted cookie out (id = encrypted_struct_or_map aka the encrypted string)
On a protected resource (or page): Step 2
read identifier from cookie
check if id exists in db
decode cookie value using AES key
compare values from cookie with stored values
if user.role == "allowed_to_access_this_resource" render page
otherwise http.ResponseWriter.WriteHeader(403) or redirect to login page
Now if you wanted you could also have an application-wide rsa key and before encrypting the cookie value sign the string with the rsa private key (in Step 1). In Step 2 decode with AES key, check if signature valid, then compare content to db stored content.
On any changes you have to update the cookie values (struct/map) and the info in the database.
I have configured 2 users on a SNMP v3 server (a Cisco router):
A user that uses DES as the privacy method (desuser)
A user that uses AES 128 as the privacy method (aesuser)
The privacy password and the authentication password for both the users were set to the same: 12345678 for testing purposes.
Using the code in the link below (at end of question), I was able to perform SNMP v3 queries using DES as the privacy method. For this I used the following command line args:
-v=3 -l=authPriv -a=MD5 -A=12345678 -x=DES -X=12345678 -u=desuser 10.10.10.1 1.3.6.1.2.1.2.2.1.7.1
The above worked without any issue.
I then tried to use AES 128 as the privacy method by changing the privacy method and the user on the command line args as below:
-v=3 -l=authPriv -a=MD5 -A=12345678 -x=AES -X=12345678 -u=aesuser 10.10.10.1 1.3.6.1.2.1.2.2.1.7.1
This resulted in a TimeoutException:
I am able to use both these users (aesuser and desuser) on other SNMP agents without any issue.
Please let me know:
What needs to be specified in the command line arg -x when using AES 128? Should it be just AES or AES128?
When I reviewed the code for snmpget (in the link at the end), I noticed that the value assigned to the command line arg -x is assigned to a variable called privacy. However, this variable is never used later in the code when setting the IPrivacyProvider object. The only two code paths available when setting the this object is DESPrivacyProvider and DefaultPrivacyProvider. (see code extract below) Shouldn't these be something like AESPrivacyProvider that would enable the AES privacy method on the code?
Code extract from the snmpget project's Program.vb:
Dim priv As IPrivacyProvider
If ((level And Levels.Privacy) = Levels.Privacy) Then
priv = New AESPrivacyProvider(New OctetString(privPhrase), auth)
Else
priv = New DefaultPrivacyProvider(auth)
End If
https://github.com/lextm/sharpsnmplib/blob/master/Samples/VB.NET/snmpget/
http://help.sharpsnmp.com/html/T_Lextm_SharpSnmpLib_Security_AESPrivacyProvider.htm
As the documentation states, AES support is experimental.
You can write your own privacy provider to handle such algorithms, and it is purely a cryptography challenge and does not fall in #SNMP's scope (which only covers core SNMP features).
I faced with one issue, which I can't understand in Freeradius users file.
My goal is just authenticate external user "shad" with password "test".
I added line in /etc/raddb/users the following line:
shad Cleartext-Password == "test"
Result was Reject. If I change "==" operator to ":=" Authentication is successful.
So my question is the following:
Why I can't use "==" operator while FreeRadius documentation tells:
"Attribute == Value
As a check item, it matches if the named attribute is present in the request, AND has the given value."
And one more question.
In some resourses I faced with such lines:
shad Auth-Type := Local, User-Password == "test"
I tried and it doesn't work. Responce is Reject with log:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
How the users file works
For the answer below, pairs is referring to Attribute Value Pairs (AVPs), that is, a tuple consisting of an attribute an operator and a value.
There are three lists of attribute(s) (pairs) that are accessible from the users file. These are bound to the request the server is currently processing, and they don't persist across multiple request/response rounds.
request - Contains all the pairs from the original request received from the NAS (Network Access Server) via the network.
control - Initially contains no pairs, but is populated with pairs that control how modules process the current request. This is done from the users file or unlang (the FreeRADIUS policy language used in virtual servers).
reply - Contains pairs you want to send back to the NAS via the network.
The users file module determines the list it's going to use for inserting/searching, by where the pair is listed in the entry, and the operator.
The first line of the entry contains check pairs that must match in order for the entry to be used. The first line also contains control pairs, those you want to be inserted into the control list if all the check pairs match.
Note: It doesn't matter which order the pairs are listed in. control pairs will not be inserted unless all the check pairs evaluate to true.
check and control pairs are distinguished by the operator used. If an assignment operator is used i.e. ':=' or '=' then the pair will be treated as a control pair. If an equality operator such as '>', '<', '==', '>=', '<=', '=~' is used, the pair will be treated as a check pair.
Subsequent lines in the same entry contain only reply pairs. If all check pairs match, reply pairs will be inserted into the reply list.
Cleartext-Password
Cleartext-Password is strictly a control pair. It should not be present in any of the other lists.
Cleartext-Password is one of a set of attributes, which should contain the 'reference' (or 'known good') password, that is, the local copy of the users password. An example of another pair in this set is SSHA-Password - this contains a salted SHA hash of the users password.
The reference password pairs are searched for (in the control list) by modules capable of with authenticating users using the 'User-Password' pair. In this case that module is 'rlm_pap'.
User-Password
User-Password is strictly a request pair. It should not be present in any of the other lists.
User-Password is included in the request from the NAS. It contains the plaintext version of the password the user provided to the NAS. In order to authenticate a user, a module needs to compare the contents of User-Password with a control pair like Cleartext-Password.
In a users file entry when setting reference passwords you'll see entries like:
my_username Cleartext-Password := "known_good_password"
That is, if the username matches the value on the left (my_username), then insert the control pair Cleartext-Password with the value "known_good_password".
To answer the first question the reason why:
shad Cleartext-Password == "test"
Does not work, it is because you are telling the files module to search in the request list, for a pair which does not exist in the request list, and should never exist in the request list.
You might now be thinking oh, i'll use User-Password == "test" instead, and it'll work. Unfortunately it won't. If the password matches then the entry will match, but the user will still be rejected, see below for why.
Auth-Type
Auth-Type is strictly a control pair. It should not be present in any of the other lists.
There are three main sections in the server for dealing with requests 'authorize', 'authenticate', 'post-auth'.
authorize is the information gathering section. This is where database lookups are done to authorise the user, and to retrieve reference passwords. It's also where Auth-Type is determined, that is, the type of authentication we want to perform for the user.
Authenticate is where a specific module is called to perform authentication. The module is determined by Auth-Type.
Post-Auth is mainly for logging, and applying further policies, the modules run in Post-Auth are determined by the response returned from the module run in Authenticate.
The modules in authorize examine the request, and if they think they can authenticate the user, and Auth-Type is not set, they set it to themselves. For example the rlm_pap module will set Auth-Type = 'pap' if it finds the User-Password in the request.
If no Auth-Type is set the request will be rejected.
So to answer your second question, you're forcing pap authentication, which is wrong, you should let rlm_pap set the Auth-Type by listing pap after the files module in the authorize section.
When rlm_pap runs in authenticate, it looks for a member of the set of 'reference' passwords described above, and if it can't find one, it rejects the request, this is what's happening above.
There's also a 'magic' Auth-Type, 'Accept', which skips the authenticate section completely and just accepts the user. If you want the used to do cleartext password comparison without rlm_pap, you can use:
shad Auth-Type := Accept, User-Password == "test"