I have developed a Google Site application, there are some pages in this Google Site application. Some pages user A has authority to read, user B doesn't have. And some pages user B has authority to read, A doesn't have. How could I set the authority on Google Site's page?
Thanks!
Under share, enable page level permissions
Related
I have multiple .NET projects that allow authenticated users to browse html files on another domain via iframe.
I'm struggling with securing these files so that no user can take the link from the iframe and share that link.
The projects are hosted on iis, and users are authenticated with a JWT token.
Any help is appreciated.
I'm afraid it is unavailable to prevent user from getting link from your iframe because they are always able to view the link via developer tool.
But you could create a URL rewrite rule to strict the src link can only be accessed from your website by checking HTTP_REFERR header.
If the referrer domain incorrect or null, then your rule will block it.
Recently I received a mail with the link: http://googledrive.com/host/0B0uWu3qbasSeVjNCY1Nkekx5UkU
When I opened it, it showed a phishing page to grab my user name and password but surprisingly the certificate the website provided is a legitimate google certificate. How can a phishing site provide a valid server authentication certificate from google?
OK, now I understand it. It is a hosted web page on google drive. Please see the following link for more details: https://support.google.com/drive/answer/2881970?hl=en
So the attackers hosted a page which looks exactly like google login page and the browsers could not find it because the certificate is a valid google drive certificate.
I want to create a web page, that will serve to authenticate users based on credentials I give them (user1, pswd1 etc).
Only after a user authenticated, he should have access to a few other web sites,
on different folders of the web server, but which have no server side code(otherwise it would be simple.)
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open on his browser.
The purpose if that the user will not have to enter credentials on each site,
and will enter his credentials only once, or once a day.
Restrictions:
I don't want to modify the target web site javascript code at all, e.g. to query a web service.
The user should be granted access using any browser,
so I assume I cannot use cookies.
If I would develop such a mechanism on Apache,I could, for example, have the authentication site PHP code add a line "Allow from ip" to the htaccess file of each target web folder, whenever a user authenticated successfully.
The issue is that I don't want to develop it as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although i can live with two different solutions)
What information does the user have to identify themselves? How do you guarantee the user is who they say they are?
The whole point of authentication is to establish the user is who they say they are and that may create a session so that users need not reauthenticate.
If you want the user to authenticate in a single location and then reuse that "session" or set of credentials elsewhere, what you are looking for is single-sign-on / identity federation.
For instance, take airbnb.com. I do not need to authenticate there. All I have to do is authenticate with a third-party e.g. Google or Facebook. As a matter of fact, SO works in the same way.
One of the standards behind this technique is called Open ID Connect. Look into that. If you are willing to dish out money, you can look into commercial solutions e.g. Ping Identity. There is an open source implementation provided by Mitre / the MIT. It's available here.
In fact it occurs to me I can use simple routing.
In the top level folder have php code that does the authentication.
If the user is authenticated, route/redirect to the requested target site,
based on the requested url.
The url should be for example http://mysite/site1, where the authentication code is in the folder mysite, and site1 is not directly accessible.
Perhaps I can use something like php-express to reuse the same php code on node.js.
I am working in a company and I am improving their web site. Their site is made with WordPress and I have the admin user and the admin password to enter the web as admin and change some files. But I want to change the wp-config.php and this file is not among the files I can change as admin in Word Press. How can I get access FTP accsess to my web site?
First of all, you need to know the URL for accessing your web provider's FTP server. In case you know that, here are the steps:
Open up your browser and enter your userid and FTP server name as follows:
ftp://userid#ftp.yourwebsite.com
When prompted, enter your password
A list of all the files on your web site will display after a few moments.
anybody know is possible to use Persona for SSO purposes for cross site login which are sub domains of the single domain ? I do no find this useful feature in documentation.
thanks.
If all of the services are within a single domain (e.g. service1.example.com, service2.example.com, etc.), you could set a cookie on the top-level domain directly (example.com) and then all services could use the same session since they would all have access to that session cookie.
So one way to do this would be to redirect users to login.example.com when they click the login button on any of the other sites (service*.example.com). That login service would use Persona to ask the user to login and then it would set a cookie on example.com.
This strategy is of course not specific to Persona, it's a common way to get SSO between internal services within a company for example.