Yii multiple systems with the same auth roles? - authentication

Hi, I have 3 Yii-based systems, something like:
sys1.domain.com
sys2.domain.com
sys3.domain.com
Now, these 3 systems share the same database, same users, and other entities... and of course the 3 Yii auth tables.
Now my question is: when configuring auth, how do I separate auth rules for each system?
I'm using the Yii extension "rights" to manage roles, if this is of any help.

As you have a single DB for the three systems sys1, sys2 and sys3 and you would like only the auth table to be different, you can add three auth tables auth_sys3, auth_sys2, auth_sys1, and in the config file of each system write configuration, or at a global place write PHP logic, to make an alias of auth_sys1, auth_sys2, auth_sys3 as auth, so you don't require any changes in internal code to call auth.

Related

Azure tables access rules

Sorry for what may be a simple question. I am not experienced with developing server-based apps.
I have been studying Azure recently and created a simple mobile application that connects to an Azure database. It makes some trivial operations on tables, like adding items and making SQL select queries. Now I want to add authorisation to the app and restrict some operations on tables in the DB based on it. What is the best way to do it? I think it's a good idea to write a backend on the Azure server with authorisation-based rules, but I couldn't find anything about it in the Azure documentation. For example, what I want to achieve:
An unauthorised mobile app user is restricted from making any modifying operations and can select only predefined columns.
An authorised user can make add/update operations on some tables based on user info (uid/login etc...).
If I create database rules on the frontend (mobile app) side, it's not difficult to write another app that can do anything with the database, bypassing my app. Isn't it?
"If I create database rules on the frontend (mobile app) side, it's not difficult to write another app that can do anything with the database, bypassing my app. Isn't it?"
This is very true; security shouldn't be (just) in the frontend. Make sure your backend is set up in such a way it checks the access rules each time someone tries to do something in the backend.
Now, as far as your question goes: please implement an API that connects to your database. With each and every client directly connecting to your database, you will lose all control. If you implement an API in front, you can do stuff like caching and asynchronous processing if you need to.
When implementing the API, you can have the GET methods be unsecured, while POST, PUT and DELETE use a (for instance) JWT token retrieved from Azure Active Directory. This repo and the presentation it links to might give you some reference.
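A sketch of the server-side check this answer describes, added here as an example and not taken from the answer or the linked repo: reads are open but limited to allow-listed columns, writes need a valid token and a matching row owner. The table and column names, `authorize`, and the HS256 shared key are assumptions so it runs offline; tokens from Azure Active Directory are signed asymmetrically and would be validated with a JWT library against the tenant's signing keys.

```python
import base64, hashlib, hmac, json, time

# Constructed policy: columns an anonymous caller may read, per table.
PUBLIC_COLUMNS = {"items": {"id", "title"}}
WRITE_METHODS = {"POST", "PUT", "DELETE"}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims, key):
    """Issue a constructed HS256 token; stands in for the identity provider."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_token(token, key, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None  # rejects "none" and any unexpected algorithm
        good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if claims["exp"] <= (time.time() if now is None else now):
            return None  # expired
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: treat as unauthenticated

def authorize(method, table, key, columns=(), token=None, row_owner=None, now=None):
    """Decide one request on the server and return (allowed, reason)."""
    if method == "GET":  # anonymous reads, limited to allow-listed columns
        ok = bool(columns) and set(columns) <= PUBLIC_COLUMNS.get(table, set())
        return (ok, "ok" if ok else "column not public")
    if method not in WRITE_METHODS:
        return (False, "method not allowed")
    claims = verify_token(token, key, now)
    if claims is None:
        return (False, "valid token required")
    if row_owner is not None and row_owner != claims.get("sub"):
        return (False, "not the row owner")
    return (True, "ok")
```

Because the decision is made per request inside the API, a second client written to bypass the mobile app gets the same answers as the app itself.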

Multiple external clients for users on identityserver4

I am working on a project that allows a user to create a user to create app keys or secrets so that specific services can be used by external clients. A user can create multiple secrets that they can choose to use across multiple clients.
For this I am planning to create a decoupled auth server that will use identityserver4.
What is really holding me back is that I am not sure whether or not I should create an API layer at the auth server. The reason I am considering an API at the auth server is so that I can create a sort of admin portal client that will give the users a front-end for creating, renewing, and accessing their app keys/secrets. Even the admin portal is going to be a de-coupled Angular application.
There are two things that are holding me back at the moment:
1. I am not sure if it's a good or safe idea to serve this data via an API layer. From what I understand, identityserver will not be able to provide functionality that allows me to access a list of a user's clients through an endpoint, but please correct me if I'm wrong and there's a better way to approach this.
2. I know we can easily create new clients and persist them into the database with identityserver4, and I am planning to use ClientCredentials grant types for user clients, but is there a link at the database and identity level between a user and a client? Or will I need to create that functionality by myself?
So far I've looked, but I have not been able to find examples that are similar to my situation with identityserver4.
Sorry for the noob question, I am just getting into identityserver and web security in general so many of these concepts are still very new to me.
For number 1, I would say yes, you can create an API layer to serve data. If you check the IdentityServer4 AdminUI, Rock Solid has also used the admin API behind the UI. But you must consider encryption, TLS and other security mechanisms to keep this safe.
AFAIK for number 2, there are no links at identity level between a user and a client. You have to create that by yourself.
Basically, you need a system that supports Multitenancy. I have achieved that by adding a TenantId field in the AspNetIdentity user table. And also added the tenant Id to claim list.
Please do not hesitate to correct me if I am wrong.

Orchard CMS as customer portal - adding custom authentication

I have an existing MVC project (purpose built customer portal) that I am integrating into Orchard CMS as a module.
The customer portal module has its own database containing user information, which I need to use for customer authentication.
However, I also want to retain Orchards user authentication for admin authentication to Orchard.
So essentially, I require two authentication schemes with two different login pages for this. One for customers and one for admins.
How could I implement this?
One solution might be to cancel the idea of having 2 different login pages and move your users to Orchard's user table.
Then link these users to a specific role named like My existing MVC users and grant permissions to this role accordingly.
If you take this route some of the benefits would be
bound to Orchards user database and therefore existing authentication handling
existing permission stuff can be used / extended out of the box
user management in one place
extensible by using own parts (e.g. AddressPart, ContactPart, ...)
Another solution would be to replace the existing authentication by implementing IAuthenticationService. But this seems rather complex.

mvc 4 razor engine Authorization using Windows Authentication

I am using MVC 4 Razor engine and selected the project template as Intranet. So it uses Windows Authentication. Currently I have designed a Database with Tables to maintain the users and the role that they belong to. I would like to show specific screens alone to specific users based on the roles.
For Example: Add User, Create Role Screens to Admins alone. And the rest of the screens to Users of Non Admin Role & Admin Role.
Basically, I would like to Authorize the users based on the Roles as per the Database Table. How can I achieve this? Please let me know if there are any articles for this.
Thanks in Advance.
You talk in the title about Windows Authentication, which implies an Active Directory, and then you say you want to authenticate users against a database (forms authentication), please, correct your question.
Here is a full tutorial about forms authentication in mvc 4
https://msdn.microsoft.com/en-us/library/ff398049%28v=vs.100%29.aspx

how to configure multiple users to access multiple resources with different rights?

I'm working on a project where I have multiple resources and multiple users. What I need to do is associate different access rights with every user depending on the resource he wants to access.
The problem is that a simple LDAP server can't implement this kind of situation.
One idea is to use multiple LDAP servers, one for each resource, but then how could I manage them all?
Or is there another authentication process I can use in this case?
Spring Security has a special ACL module to handle such situations. The basic idea is that each domain object / resource may have a separate access control list. You need to fill this list with appropriate permissions and add corresponding checks in your code. You can have parent -> child relations between the objects to reduce the number of permissions. Check it out.
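A small model of the per-object ACL with parent -> child inheritance described in this answer, added here as an illustration and not Spring Security's own API. The `Acl` class, `is_granted`, the resource names and the principals are constructed, and the evaluation rule (the nearest object with a matching entry decides, no match means deny) is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Acl:
    """ACL of one resource: ordered (principal, permission, granting) entries."""
    name: str
    parent: Optional["Acl"] = None
    inherit: bool = True          # fall back to the parent when nothing matches
    entries: list = field(default_factory=list)

    def add(self, principal, permission, granting=True):
        self.entries.append((principal, permission, granting))
        return self

def is_granted(acl, principals, permission):
    """Nearest object with a matching entry decides; no match anywhere denies."""
    seen = set()
    while acl is not None and id(acl) not in seen:  # stop on a parent cycle
        seen.add(id(acl))
        for principal, perm, granting in acl.entries:
            if perm == permission and principal in principals:
                return granting
        acl = acl.parent if acl.inherit else None
    return False

def build_sample():
    """Constructed hierarchy: one folder ACL covers its documents."""
    folder = Acl("folder").add("role:staff", "read").add("role:editors", "write")
    report = Acl("report", parent=folder)  # no entries of its own
    payroll = Acl("payroll", parent=folder, inherit=False).add("user:alice", "read")
    draft = Acl("draft", parent=folder).add("user:bob", "write", granting=False)
    return {"folder": folder, "report": report, "payroll": payroll, "draft": draft}
```

The folder's two entries cover every document below it; only the exceptions (a non-inheriting payroll file, one denied writer on the draft) need entries of their own.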
If you have logic behind the access to the resources, you may want to use a rules authorization language such as XACML.
If the assignment of resources to users is arbitrary then the use of ACLs with Spring Security's ACL module is good enough.
"The problem is that a simple LDAP server can't implement this kind of situation"
Mine does. You use LDAP to define the roles associated with each user, then you use web.xml to associate the resources with the roles that are required to access them, then you configure/write your login module such that it looks up the roles of each user when you login. Container-managed security can do all that.