Apache basic auth alternative - linux

I am using an Axis camera which is served by apache2; the authentication mechanism is Apache basic auth. SSL is configured for the domain. The problem is that I cannot call an API for streaming using the embedded URL, for example:
https://user:pass@sub.domain.com/axis-cgi/mjpg/video.cgi
This is no longer supported by Google as per this post and is blocked by Chrome.
https://www.chromestatus.com/feature/5669008342777856
I tried passing the credentials along with the URL and it is also not working.
https://sub.domain.com/axis-cgi/mjpg/video.cgi?user=user&pwd=pass
This camera is running in a Linux custom OS. Is it possible to set up an alternative authentication which supports my needs? Furthermore, is it possible by any other means?
Thanks

You may try
https://user:pass@sub.domain.com/axis-cgi/mjpg/video.cgi
Good luck.
This is to add enough flesh to this post.

Related

How to secure server API in order to reject fake-client calls?

I'm developing both the server and client side of a web application and it is almost finished. Now it is time to secure it.
I read lots of articles and Q&A sites to understand the principles of the concept, but there are still question marks in my mind.
There is a similar question here:
How do I secure REST API calls?
They suggested using a token-based security system, which is a very common and practical way. Also, services like Firebase and Auth0 provide this security system.
And this is about "how and where to store the token": https://auth0.com/docs/security/store-tokens
If so, how can a token protect the server from fake calls while we are storing it in the browser's local storage?
Explaining it with an example in order to be clear:
My client-side code has a form with options. One of the options can be selected via a drop-down, and there are only "1,2,3,4" in those options. So the client can never send a form with the value "5" to the server. But what if someone uses an API tool (for example Postman) to send a form with a value of 5? The attacker can still add a token to that request: first log in to the system as a normal user, then open the developer console of the browser, copy your token and paste it into the header of your fake request.
Not allowing cross-origin calls may solve the problem, but I am not sure if this means the server and client should run on the same domain (or host)?
Bonus from Stack Overflow: Stackoverflow's use of localstorage for Authorization seems unsafe. Is this correct else how do we strengthen it?
They are also discussing a similar question from another aspect (not the server's security but the user's security).
Not related, but in case of need: the front-end is developed with Angular 5, the server with Java and the Spring Framework.

Non-HTTP[S] OAuth redirect for Nest API

I'm trying to develop a native OS X app that uses the Nest API. Unfortunately, their client registration only accepts "https://" URIs for the redirect-URL. Since there's no server involved in this (other than Nest's server), I need to redirect to my app. To do that, I need to be able to redirect to an arbitrary URI.
I tried to send this feedback to Nest directly, but they don't seem to have a support contact or bug reporting available.
Am I missing some other authentication approach for this type of use? It's a similar problem on iOS.
Thanks!
Nest can only assure in the normal browser world that HTTPS is secure. Yes, there are other application protocols that are secure, but the standards are not well defined. As such the return URIs are limited to HTTPS and http://localhost (it is assumed that if someone has control of your machine, they can also intercept HTTPS calls).
Mac OS and iOS have a relatively simple workaround for this that is demonstrated in Nest's iOS NestDK sample code. The key parts are:
In line 30 of constants.m you will see that RedirectURL is defined (when running this sample code, you might want to change this to your preferred URL, likely something your company already controls, for further security).
And in line 126 of NestWebViewAuthController.m the app checks whether the WebView is trying to load our dummy redirect URI. If so, it captures the parameters and tries to get a token that can be used with the Nest API.

How to check NTLM type3 message? (node.js)

I want to write an HTTP server with node.js that supports NTLMv2 authentication.
Everything works fine with the handshake (type 1, type 2, type 3 messages) and I get my type 3 message from the client (Chrome browser). In this message, which is sent to the server, there is an NTLMv2 response that I can read within my node.js server. How can I authenticate whether this response is valid?
According to [1] I have understood the type 3 message and I was able to create my own node.js routine to generate these hashes. So when I have the password I can create a hash that is equal to the one I get from the browser. But how can I authenticate this hash/response without knowing the password? How can I authenticate this against a Domain Controller/Active Directory in my network?
If you have a look at [2], there is a picture that describes my question perfectly. How can I execute steps "4" and "5" of this picture?
Thanks,
Laryllan
[1] http://davenport.sourceforge.net/ntlm.html#theType3Message
[2] http://msdn.microsoft.com/en-us/library/cc239685.aspx
A quick web search affirms that everyone seems to get stuck at about the same point.
The best response to this topic I've seen so far is here:
Windows Authentication Headers without .NET. Possible?
To validate NTLMv2 credentials you would need to perform SecureChannel-encrypted RPCs with the NETLOGON service of an Active Directory domain controller. Which is to say, this is a difficult thing to do. If your server supports Java Servlet Filters, there's Jespa.
Otherwise, there are modules that can do the auth at the web server level, like an Apache module, or by turning on IWA in IIS. But of course these types of solutions are somewhat limited in a number of ways.

Can the new client networking stack in Silverlight 3 directly connect to Azure Storage or Mesh?

From Tim Heuer:
In Silverlight 3 we've introduced the Client HTTP stack as an option as well. You must opt-in to use the client HTTP handling. This gives you the ability to go beyond just GET/POST (i.e., more REST-ful verbs), using response status codes/headers, etc. You can opt-in to use the client HTTP stack on all requests, requests for a specific domain, or on a per-request basis like this:
HttpWebRequest request = (HttpWebRequest)WebRequestCreator.ClientHttp.Create(new Uri("http://api.search.live.net/qson.aspx?query=Silverlight"));
My understanding is that the reason Silverlight couldn't directly access Azure Storage is that it was unable to sign the HTTP headers with authentication data. Would this bridge the gap and allow direct access to Azure Storage or Mesh? If so, how is that accomplished?
I'm not sure, but you don't want to do this, as your secret key would be on the client. Anyone loading your Silverlight code could crack open the binary, find your keys and then manipulate the data as if they were you.
One way to fix this is to proxy your requests through a server you control.
Before you ask, we are aware of this issue but don't have anything to announce now.
I checked and I'm afraid you cannot do this in Silverlight 3. Sorry :-(.

CouchApps and user authentication

I posted a variation of this question to the CouchDB user list and haven't received a response yet.
I'm curious to know if anyone else has built a so-called "CouchApp"; a pure HTML/JavaScript application hosted directly within CouchDB. If so, how did you handle user authentication? I'd like to be able to create a typical login form (username, password) and then use those credentials either against a view or some other mechanism before passing the user along to the application (while storing their (encrypted) user ID in a cookie, presumably).
I'm used to simply proxying through something like couchdb-python and a normal web server, but would like to know any best practices with respect to authenticating users in these kinds of CouchApps.
Edit: A year later, and this is now built into CouchDB. This video is a great demonstration. (Thanks Daniel!)
CouchDB has released a simple authentication API but has no built-in authentication mechanisms as of yet. The simplest and easiest way to do this is to use an HTTP proxy for authentication. However, this has limitations on how much you can restrict access on a per-document basis. When CouchDB gets more support for built-in authentication modules it should be easier.
If you want to try your hand at coding an authentication module, you can check out the source for the JavaScript security_validation tests in this file:
http://svn.apache.org/repos/asf/couchdb/trunk/share/www/script/couch_tests.js
and the default_authentication_handler in this file here:
http://svn.apache.org/repos/asf/couchdb/trunk/src/couchdb/couch_httpd.erl
That would get you started, anyway.
This question has been around for a while (1.5 years!) and things have matured quite a bit since it was answered. Watch the video above, but it doesn't explain how to build it into your app. It looks like most of the answers are now found here: Security Features Overview, and at the end of this document: CouchDB Security.
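What the built-in approach looks like from a CouchApp, as an added example that is not from the question or either answer: the page logs in against CouchDB's `/_session` endpoint, which sets the `AuthSession` cookie itself, so the app stores no credential; per-document authorisation then lives in the design document's `validate_doc_update`, which CouchDB runs on every write regardless of which client sent it. The document fields (`type`, `title`, `author`) and the policy they enforce are assumptions for the example.

```javascript
// Added example (not from the original question or answers): cookie login against /_session
// plus a validate_doc_update that enforces per-document ownership inside the database.
// The "post" document shape and its ownership rule are assumptions made for this example.

// 1. Browser side: POST name/password to /_session. CouchDB answers with the AuthSession
//    cookie, which the browser sends on later requests; nothing is stored by the app.
async function login(couchUrl, name, password) {
  const res = await fetch(couchUrl + "/_session", {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ name: name, password: password }),
  });
  if (!res.ok) throw new Error("login failed: " + res.status);
  return res.json();   // { ok: true, name: ..., roles: [...] }
}

// 2. Database side: validate_doc_update from the design document. CouchDB calls it with
//    (newDoc, oldDoc, userCtx, secObj); throwing {unauthorized} returns 401, {forbidden} 403.
//    A client that bypasses the HTML form and PUTs directly still runs through this.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  function isAdmin() { return userCtx.roles.indexOf("_admin") !== -1; }
  if (!userCtx.name) throw { unauthorized: "Log in before writing." };
  if (newDoc._deleted) {
    if (!oldDoc) return;                       // nothing to protect
    if (oldDoc.author !== userCtx.name && !isAdmin()) throw { forbidden: "Only the author may delete." };
    return;
  }
  if (newDoc.type !== "post") throw { forbidden: "Only 'post' documents are accepted." };
  if (typeof newDoc.title !== "string" || newDoc.title.length === 0) throw { forbidden: "A post needs a title." };
  if (newDoc.author !== userCtx.name && !isAdmin()) throw { forbidden: "author must be the logged-in user." };
  if (oldDoc && oldDoc.author !== newDoc.author && !isAdmin()) throw { forbidden: "author cannot be reassigned." };
}

// Helper for exercising the validator outside CouchDB: turns the throw into a value.
function decide(newDoc, oldDoc, userCtx) {
  try { validate_doc_update(newDoc, oldDoc, userCtx, {}); return { allowed: true }; }
  catch (e) { return Object.assign({ allowed: false }, e); }
}
```

Reads are a separate matter: `validate_doc_update` only gates writes, so anything a logged-in user must not see has to live in a database whose `_security` object restricts members, or behind a proxy, as the first answer says.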
