I am using WebAPI with Windows Authentication.
However, for a very specific case (a Flash Client... no comment), I need one of my controllers to accept a non-authenticated client. Is there a way to achieve this?
Thank you!
Try the AllowAnonymous attribute on your controller or methods.
Related
I am using an Axis camera which is served by apache2; the authentication mechanism is Apache basic auth. SSL is configured for the domain. The problem is that I cannot call an API for streaming using a URL with embedded credentials, for example:
https://user:pass@sub.domain.com/axis-cgi/mjpg/video.cgi
This is no longer supported by Google as per this post and is blocked by Chrome.
https://www.chromestatus.com/feature/5669008342777856
I tried by passing the credentials along with the url and it is also not working.
https://sub.domain.com/axis-cgi/mjpg/video.cgi?user=user&pwd=pass
This camera is running in a Linux customer OS. Is it possible to set up an alternative authentication which supports my needs? Furthermore is it possible to by any other means?
Thanks
you may try
https://user:pass@sub.domain.com/axis-cgi/mjpg/video.cgi
good luck
this is to add enough flesh to this post.
So I'm working on an API for user authentication. I want the functions to only be called by another server. I was thinking of checking the origin in the headers, but it's not the ideal solution as tools like Postman can compromise that.
Would a solution be to have a secret key inside the header that is checked for in each request? Thanks in advance!
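A sketch of the header check asked about above, as an added example that is not part of the original post. It goes one step beyond a static key: the calling server sends an HMAC of the request computed with the shared key, plus a timestamp, so the key itself never travels and a captured request expires. The header names, function names, sample key and 300-second window are assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample key; both servers would load the real one from a secret store.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window


def sign_request(key, method, path, body, timestamp):
    """Caller side: HMAC-SHA256 over the request parts that must not change."""
    message = b"\n".join([method.upper().encode(), path.encode(),
                          str(timestamp).encode(), body])
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_request(key, method, path, body, headers, now=None):
    """API side: True only for a fresh request signed with the shared key.

    `headers` uses the hypothetical names X-Timestamp and X-Signature.
    """
    now = time.time() if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
        supplied = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed headers
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # outside the window: treat as a replay
    expected = sign_request(key, method, path, body, timestamp)
    # compare_digest does not reveal how many leading characters matched
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    ts = 1_700_000_000  # constructed timestamp
    body = b'{"user":"alice"}'
    headers = {"X-Timestamp": str(ts),
               "X-Signature": sign_request(SHARED_KEY, "POST", "/login", body, ts)}
    args = (SHARED_KEY, "POST", "/login")
    return {
        "valid": verify_request(*args, body, headers, now=ts + 5),
        "tampered_body": verify_request(*args, b'{"user":"bob"}', headers, now=ts + 5),
        "replayed_late": verify_request(*args, body, headers, now=ts + 3600),
        "no_headers": verify_request(*args, body, {}, now=ts + 5),
    }
```

This only works between servers because the key stays on machines you control; a key shipped inside a browser or mobile client can be extracted.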
I'd like to understand how to make sure that only intended clients are connecting to API server?
For example there is an end point: http://example.com/v1/api/getallcustomers
Users will be authenticated
Token will be issued
Authentication will be done on every request
But I'd like to make sure only my Web and Mobile apps are connecting to this API. I would like to block/deny all other incoming connections even if you know the end point. Please help. Thank you.
Cheers,
I'd like to make sure only my Web and Mobile apps are connecting to this API. I would like to block/deny all other incoming connections even if you know the end point.
That is impossible since anyone who knows how the API works and has access to a valid authentication token can make a request (using Node.js, for example). You have no way of distinguishing a request made from your app from one made from some other program.
I'm trying to develop a native OS X app that uses the Nest API. Unfortunately, their client registration only accepts "https://" URIs for the redirect-URL. Since there's no server involved in this (other than Nest's server), I need to redirect to my app. To do that, I need to be able to redirect to an arbitrary URI.
I tried to send this feedback to Nest directly, but they don't seem to have a support contact or bug reporting available.
Am I missing some other authentication approach for this type of use? It's a similar problem on iOS.
Thanks!
Nest can only assure in the normal browser world that HTTPS is secure. Yes, there are other application protocols that are secure, but the standards are not well defined. As such, the return URIs are limited to HTTPS and HTTP://localhost (it is assumed that if someone has control of your machine, they can also intercept HTTPS calls).
Mac OS and iOS have a relatively simple workaround for this that is demonstrated in Nest's iOS NestDK sample code. The key parts are:
In line 30 of constants.m you will see that RedirectURL is defined (when running this sample code, you might want to change this to your preferred URL, likely something your company already controls for further security)
And in line 126 of NestWebViewAuthController.m where the app is checking if the WebView is trying to load our dummy redirect URI. If so, it captures the parameters and tries to get a token that can be used with the Nest API.
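The redirect check described above, as an added Python sketch; it is not the NestDK sample code. It assumes the standard OAuth 2.0 `code`, `state` and `error` query parameters; the redirect URI and function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical redirect URI registered with the provider (placeholder domain).
REDIRECT_URI = "https://app.example.com/oauth/callback"


def new_state():
    """Random value sent with the authorization request and expected back."""
    return secrets.token_urlsafe(16)


def capture_redirect(url, expected_state, redirect_uri=REDIRECT_URI):
    """Return the authorization code if `url` is our redirect, else None.

    Meant to be called for every navigation the web view is about to perform.
    """
    got, want = urlsplit(url), urlsplit(redirect_uri)
    # Compare parsed components rather than a string prefix, so a look-alike
    # host or a longer path is not mistaken for the callback.
    if (got.scheme, got.hostname, got.port, got.path) != \
            (want.scheme, want.hostname, want.port, want.path):
        return None  # ordinary page load: let the web view continue
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to our request")
    if "error" in params:
        raise ValueError("authorization denied: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]  # next step: exchange this code for a token over HTTPS
```

The web view should cancel the navigation once a code is returned, so the dummy URL is never actually requested.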
I'm using GWT, GAE to make a web app.
I looked at a bunch of tutorials regarding implementing a login system but most of those tutorials implement it so it's mandatory to login to access the web app. How would I go about making it so that anyone can access the app but if they want to use account specific functionality, they have the option of signing up for an account?
There are two parts to it.
First, in your client code you check if a user is logged in. If so, you allow access to the "closed" parts of the app. If not, you show a link/button to login and hide tabs/views that are accessible to authorized users.
Second, in your server code you specify which requests do not require authentication and which do require it. This is necessary if a user somehow figures out how to send a request without using your client code.
For example, in my code some requests have checkSession() called at the very beginning. If no authentication object is found for this user in session, this method throws LoginException to the client. If the authentication object is present, the request continues to execute normally and returns requested data to the client.
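The server-side half of this answer, as an added sketch in Python rather than GWT's Java; it is not the answerer's code. `check_session` and `LoginException` mirror the names in the answer, while the request names, handlers and in-memory session store are constructed for illustration.

```python
class LoginException(Exception):
    """Sent back to the client when a protected request has no valid session."""


# Requests anyone may call. Anything not listed requires a login (default deny),
# so a newly added handler is protected unless someone opens it on purpose.
PUBLIC_REQUESTS = {"list_articles"}

# Constructed in-memory session store: session id -> authentication object.
SESSIONS = {"sess-123": {"user": "alice"}}


def check_session(session_id):
    auth = SESSIONS.get(session_id)
    if auth is None:
        raise LoginException("login required")
    return auth


def list_articles(auth):
    return ["welcome", "faq"]


def my_orders(auth):
    return ["order-1 for " + auth["user"]]


HANDLERS = {"list_articles": list_articles, "my_orders": my_orders}


def handle(request_name, session_id=None):
    """Server entry point: enforced no matter what the client UI showed or hid."""
    handler = HANDLERS[request_name]
    if request_name in PUBLIC_REQUESTS:
        auth = SESSIONS.get(session_id)  # None for anonymous visitors
    else:
        auth = check_session(session_id)
    return handler(auth)
```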
Further to Andrei's answer, if you want a framework to manage the sessions for you, you can use GWT-Platform, which has an excellent Gatekeeper feature.
I use it for mine and I have a LoggedInGatekeeper class. Simply add @UseGatekeeper(LoggedInGatekeeper.class) to the constructor of each presenter proxy and it checks if the user is logged in. If you want anyone to be able to access that page simply annotate with @NoGatekeeper. Easy!
It takes a bit of setting up but it's a great MVP framework. There are maven archetypes and samples etc.
Hope this helps.