XACML answer to what can I access? [closed] - xacml

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 9 years ago.
I want to answer questions like "what am I allowed to access?" by using XACML. Is there a workaround other than Axiomatics ARQ?

I guess you want to ask the question (what are the resources that bob can access?) of the XACML PDP rather than just hoping for a boolean-type (permit, deny) result. According to the XACML core spec, there is no mention of this type of query. But you can implement it. One way is to use the multiple decision profile. The PEP can send all resources in the system, actions and the user (bob) to the PDP; then the PDP would respond with multiple XACML results and the PEP can filter out the permitted resources. Also, like Axiomatics, there are some XACML implementations that support this feature in their own ways. WSO2 Identity Server, which is an open source XACML engine, also supports this feature. You can find more details from here. Identity Server has introduced a search API that would search all policies and evaluate them to return accessible resources for a given user. Also, as mentioned above, sometimes you may implement the same behavior using the multiple decision profile and hierarchical resource profile. But it depends on your use case. I guess this would help you.
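The multiple-decision approach described in the answer, as an added example that is not part of the original post: the PEP repeats the resource category once per resource in a single XACML 3.0 request, then keeps only the resources whose Result is Permit. The PDP itself is not included; the response below is a constructed sample, and the function names are my own.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
NS = {"x": XACML}
ET.register_namespace("", XACML)

def _attributes(parent, category, attr_id, value, include=False):
    """Append one <Attributes> category holding a single string attribute."""
    attrs = ET.SubElement(parent, f"{{{XACML}}}Attributes", Category=category)
    attr = ET.SubElement(attrs, f"{{{XACML}}}Attribute", AttributeId=attr_id,
                         IncludeInResult="true" if include else "false")
    ET.SubElement(attr, f"{{{XACML}}}AttributeValue", DataType=STRING).text = value

def build_request(user, action, resources):
    """One <Attributes> per resource asks the PDP for one <Result> per resource;
    IncludeInResult echoes resource-id back so each Result can be correlated."""
    req = ET.Element(f"{{{XACML}}}Request", CombinedDecision="false")
    _attributes(req, SUBJECT_CAT, SUBJECT_ID, user)
    _attributes(req, ACTION_CAT, ACTION_ID, action)
    for rid in resources:
        _attributes(req, RESOURCE_CAT, RESOURCE_ID, rid, include=True)
    return ET.tostring(req, encoding="unicode")

def permitted_resources(response_xml):
    """PEP-side filter: only Permit counts; Deny, NotApplicable, Indeterminate do not."""
    allowed = []
    for result in ET.fromstring(response_xml).findall("x:Result", NS):
        if result.findtext("x:Decision", namespaces=NS) != "Permit":
            continue
        for attr in result.iter(f"{{{XACML}}}Attribute"):
            if attr.get("AttributeId") == RESOURCE_ID:
                allowed.append(attr.findtext("x:AttributeValue", namespaces=NS))
    return allowed

def _result(decision, rid):  # constructed sample Result, shaped as a PDP would return it
    return (f'<Result><Decision>{decision}</Decision><Attributes Category="{RESOURCE_CAT}">'
            f'<Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="true">'
            f'<AttributeValue DataType="{STRING}">{rid}</AttributeValue></Attribute></Attributes></Result>')

# Constructed sample PDP response for bob/read over three resources.
SAMPLE_RESPONSE = (f'<Response xmlns="{XACML}">' + _result("Permit", "doc-1")
                   + _result("Deny", "doc-2") + _result("Permit", "doc-3") + "</Response>")
```

Sending every resource id in one request scales poorly for large systems, which is why the answer points to the hierarchical resource profile or a vendor search API as alternatives.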

Related

Multiple API variations or 1 is enough? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 1 year ago.
So my friend needed to develop a new API for creating an item, so he developed:
POST /new/item
POST /item/new
PUT /new/item
PUT /item/new
All of them call the same underlying function and accept the same parameters.
I recommended that he use only 1 instead of 4, but he says that there is no downside and he's giving the option for anyone who wants to integrate with this API to use whatever personal variation they like.
Question: Is it really true that there is no downside to doing this in the long run?
There is no downside in regards to functionality, but an API with redundant endpoints will probably be:
Harder to maintain. If a change to the endpoint is needed, it may have to be made four times depending on the setup.
Confusing for users of the API. While I imagine the intention behind this setup is to catch typos in URLs and still allow the API to work, documentation on the endpoints will be bloated and harder to read.
Lacking consistent naming. Ideally, there is a logic behind how endpoints are named, allowing users to infer what an endpoint does by its name and verb (GET, POST etc.). Having multiple naming schemes makes it harder to understand the naming.
There is no meaningful upside to making redundant endpoints, and I would recommend using POST /item for creating a new item.

How do I access Blackboard API with my username and password? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 2 years ago.
I'm trying to develop an application that takes data from a user's respective Blackboard account and displays that information in a different way. I have been reading the Blackboard API documentation and I guess I have to go to an administrator with an App ID in order to obtain this kind of access. What type of information should I provide the admin, seeing as I don't even know what an App ID is, let alone how to provide it? I'm just a student trying to make my life easier by consolidating information that's already available to me on Blackboard. I appreciate any guidance on the development process.
The documentation you'll likely want to start with is at https://docs.blackboard.com/ - of particular note is the REST / Getting Started section. See also the swagger docs for the API, which detail the needed entitlements for each API call.

Sharing API Gateway URL with GET variables to testers [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
I created an AWS Lambda function that fetches data from an RDS (Postgres) and returns it as json via an API Gateway (url). The url accepts 3 GET parameters which are used to filter the data based on the user needs.
My question is, how safe is (in terms of attacks like SQL Injection etc.) to share the URL to developers who want to see my data? The idea is to use this infrastructure as a temporary API alternative, to gather up usage feedback.
If you're trying to mitigate SQL injection specifically, you just need to ensure that your code makes use of parameterized queries. If you're concatenating strings to build a SQL query, you're likely vulnerable to SQL injection. Even with character filtering and escaping you can often still wind up vulnerable to SQL injection, so you should make sure to use a library that supports parameterized queries out of the box.
Based on your history, it seems you use PHP. For Postgres, PHP has pg_prepare, which is safe from SQL injection: https://www.php.net/manual/en/function.pg-prepare.php

Multi-site authentication "google like" [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I want to create multiple services which support an SSO (Single Sign-On) service.
To simplify, Google-like services. With a single account you can use all services (and you log in once).
I found many ideas, but I want to have some opinions on how to design these services, and which technologies are the most adequate:
many or one database ??
creating an auth api ??
sharing session ?
using a nosql database or not ?
duplicate user information for each database ?
separate users tables on a single database ?
node js vs php !!
...
Update
I know this is opinion based (I ask for your opinions); I wish to have different propositions of design patterns.
It's purely theoretical, so I can understand how it can be done.
This is totally opinion based, and will likely be closed. But...
Don't write your own auth service. There are many good packages out there, and very few people are really qualified to write authentication and authorization platforms. If you really don't want to use a pre-packaged solution, at least use one of them as a template.
Here is a good list of SSO solutions, pick one or two and give them a try. Many are free and open-source. I have had luck with OpenAM, but many others are also very good.

Documentation on how to use REST WebAPI like a boss [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 5 years ago.
I've exposed a few methods and, while crystal clear on how they're supposed to be used, I'm sure that with time the memory will fade and I'll be standing there like an idiot wondering why on Earth I haven't provided any help.
When we use WCF, there's the WSDL file. But I'm not aware of any corresponding functionality for WebAPI. Usually I add a Ping so that I can type .../Service.svc/Ping in the URL bar of my browser, just to see that I get a date back.
What would be an intuitive and (hopefully fairly) canonical approach? I'm thinking .../Help. Is there a better way?
Just pushing out help will only produce a huge string (XML or JSON formatted), which isn't very like-a-boss'y. Anonymous types can't be well handled without serialization. Pushing out an object-typed entity breaks the connection.
I wish to have built-in documentation on how to use the calls: the names themselves, of course, but also what values are accepted (I had a case where the .../Donkey?scope={scope} pattern could be null or all and we thought it was any, which took a while to figure out).
You might check out Swashbuckle, which would allow you to generate Swagger documentation for your ASP.NET Web API controllers.
"Anonymous types can't be well handled without serialization. Pushing out an object-typed entity breaks the connection."
Are you really exposing anything like the above in your Web API contracts? I hope you don't.