I am creating a new Silverlight 4 business application using RIA services. This will be using a SQL-Server 2005 DB. There is no AD setup so I am required to use SQL Server Authentication. The details that the user uses to login to the system will be used to hit the SQL Server.
E.g., if username="TestUser" and password="Password" is entered in the login screen of the application, these will be the credentials that will be used to access the DB.
I am wondering what the best way to do this will be? At this point the method of accessing the DB is undecided (EF or 'traditional' ADO.NET using stored procs).
I think current applications take the username and password entered into the login screen, use them to build a connection string and see if they can hit the DB using this, if it works they're in, if not they're declined.
I ended up going with EF and changing the AuthenticationServices Login() method to attempt to hit the database with the required username and password.
I wrote a blog post about how I Dynamically changed connection string for EF
Related
I'm using IdentityServer4 and EF Core in my Blazor WASM project with ASP.NET Core hosted option and in that project I use multiple databases.(dynamic string connection - duplicates of databases)
In the login page you choose what database to use and I store the database name in the cookies.
The system should work like that when you login using one database you can't use the other databases.
Every thing is working fine except that that I can change the database name in the cookies and then use the other databases.
My question is how can I modify the IdentityServer4 authroize so when you login using one database you can't access the another databases(return 403 error code when send http request if you changed database name in cookies) - database depended.
I thought maybe I could check each request if token is stored in AspNetUserTokens table ,but I noticed that the table is empty even after logged in successfully.
It sounds like the current database value should be set as a Claim on the user's identity, rather than in a raw cookie. Adding custom claims to the identity will protect them in an encrypted token.
Here's some documentation around this scenario, in particular look at implementing an IProfileService that adds your claim.
Can you please let me know the differences between Form and Adapter Based Authentication. I've gone through the pdf provided by IBM but was not able to find actual difference.
Certain queries comes into my mind is:
How validation occurs? and comparison of username and password from server with entered j_username and j_password.
Right now for example it's accepting any combination of username and password.
Since they are using requrl = /j_security_check
How to validate username and password with server?
The main difference between Form and Adapter Based Authentication is that Form Based Authentication is using MobileFirst internal classes and methods, and When using Adapter Based Authentication you are responsible for the authentication procedures (which should be located inside an adapter) - you only declare in the securityTest what procedures to use for login and logout.
If you want to use Form-Based Authentication with username and password you can use Single Identity login module.
More information about Single Identity login module can be found here:
https://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/devref/r_single_identity_login_module.html
I have a web application with a SQL database backend. The database has a [UserAccounts] table that stores [Username], [PasswordHash], and [PasswordSalt]. The web application creates the hash and salt (and authenticates). That all works as it should. No problem.
I would like to integrate a 2nd, desktop application with the database. This application would run more like a service or a scheduled task. What I need to be able to do, is authenticate a Username and Password every time this application executes. Since it will be running as a scheduled task (without user intervention) I need to be able to store a Username and Password locally (in a XML or INI file perhaps) that can be authenticated with the Username and PasswordHash in the database.
What is the best way to securely store a Password so that it is not in plain text? Or is there another/better way to accomplish what I need to do?
The desktop application is written in VB.NET.
Thanks in advance!
I need that in a Intranet application that is made with Play Framework 2, the credentials that the users have for authentication can also be used to authenticate to the database and that every statement sent to it also uses this credentials.
In other words, to each user of the application corresponds a database user and password.
Thanks in advance.
This means you won't be able to use the connection pool, and instead you will create a connection-per-request sort of, right? No built in support in play for this, but probably not very hard to do yourself.
The exact solution depends on how you will access your database (Slick, ANORM, something else?) but basically you will have to create some abstraction that takes auth and creates a database session that your database interacting code will use.
Background research:
User Signup in Couchapp/CouchDB through jquery.couch.js or Otherwise
http://blog.couchbase.com/what%E2%80%99s-new-couchdb-10-%E2%80%94-part-4-security%E2%80%99n-stuff-users-authentication-authorisation-and-permissions
https://issues.apache.org/jira/browse/COUCHDB-1175 - specifically "Ari Najarian" 's posts
Question:
To paraphrase the SO question I posted above:
"Essentially I want to have a signup form for registering an account in couchdb for a couchapp. This would entail creation of a new user in the couchdb _users database, and the creation of a new database, with the new user assigned the role of database admin. All that requires server admin credentials."
The answer to the previous question involved using an external separate server that was logged in to couchdb as admin to monitor couchdb and modify couchdb as desired in response to certain data events coming from a client.
My question is - is that the only way? Doesn't that defeat the whole purpose of couchdb's 2-tier web stack? Is there some way to modify a couchdb database from within a validation function which checks for "type == user" document while "internally"/separately logged in as an admin maybe?
I apologize if there is some straightforward way to do this and I just didn't find the right documentation.
Extra Problem Clarification:
There is the couchdb instance sitting at an internet address.
This couch database serves to a random client an html page and embedded javascript script that contains a signup/login form.
The client enters signup info (name, password) and submits
The JS script uses the XMLHttpRequest object to open a connection to the couchdb instance and sends...PROBLEM!
Problem #1 - If the credentials are stored in the code (to be sent as verification for new user database), then anyone could "view html source" and take over the database.
-OR-
Problem #2 - If credentials are not supplied and the request is sent anonymously, then a new user will be created in the _users database and a success reply message will be sent. But no new database was created for the user (and can't be without admin credentials) which the user can interact with for application-specific purposes (e.g. add/delete data). And - from the above couchbase blog link - if you have secured your database with roles/names against anonymous readers and validation functions to prevent anonymous writes, then an anonymous-made user account (e.g. a client who wants to register database space to use the app) can not do anything because an anonymous user cannot, for obvious security reasons, specify whatever roles they wish to have. Which means that the only way to have -functional- users is to create user accounts + associated databases as admin beforehand and then hand out these user credentials - so like a private invite system, yes?
To reiterate, is there any way, using ONLY couchdb and some combination of couchdb's authentication handlers, design document functions, client-side ajax, etc. for a connecting client to register and get a personal database (and ONLY that database obviously) they have access to and can interact with?
This isn't a PURE couch solution, but it's couch + node, and solves your problem:
Hi I haven't been around in awhile and didn't realize this was edited / link removed (plus policy of links not being answers! sorry...). I have been using couchdb on a project very similar to what you are trying to do, and unfortunately there is no way to do what you want to accomplish without tacking on another service to handle the admin-level access and creation of user database. Syncpoint-API can be used to facilitate this, but it is actually a nodejs service handling the signup/login and dedicated database setup.
So far though, Syncpoint has proven to not be 100% reliable and it does appear to be an abandoned project, due to CouchBase sucking all the r+d resources away from CouchDB dev.
I'm now moving to nodejs + socket.io as a transport layer, using node to handshake and assign a DB, and then further watching the couch _changes api on the server (via yet another node process) to then forward _changes through socket.io to the client. Also I have some "pure" couchapps running that serve public data mixed in with the private data.
My conclusion? CouchDB is a great product and has some great features, but for the more complex login/authorization schemes and other general application needs required in real-world dev, it's just not ready yet.