I want users, when they are in the workplace (e.g. on the LAN), to authenticate themselves with their regular username and password. Auto-login is disabled.
However - logging in from outside the LAN should trigger a 2-level authentication (like SMS, mail or similar). How can we get information about the users network when they try to log in to the application from outside the LAN?
NB - it does not matter if you have AD user and pwd. If you are on the outside you have to trigger the 2 level auth.
NB2 - we do not want any client-side scripts running, so this must be something coming with the initial request
Technology: IIS 7, ISA 2006, .Net 4, MS Sql 2008 server.
Question also asked here: https://serverfault.com/questions/354183/what-2-level-authentication-mechanism-is-available-that-can-differentiate-if-the
Information why ISA server remove the information I need: http://www.redline-software.com/eng/support/articles/isaserver/security/x-forwarded-isa-track.php
If it's reasonable, don't expose your web server to anything outside of your LAN -- require VPN access.
If that isn't reasonable, you should be able to use the REMOTE_ADDR variable to determine the source of the request. Whitelist your LAN as single-factor and require everything else to be multi-factor. Depending on the scenario, the server variables will be similar to either
Context.Request.ServerVariables ["REMOTE_ADDR"]
or
Request.UserHostAddress()
If you have a proxy in the way, make the proxy tag the originating IP source in the headers and read the request headers to determine the external IP.
Related
I would like to implement a web application for a company in China. I need to use WeChat mini-APP to make the sign-up/login straight-forward.
Please correct my assumptions if I am wrong:
To implement the login of the website from WeChat, I need to use the OAuth2 protocol
I also need to create a WeChat developer account under a real name (need ID card or business registration stuff) if I want to diffuse the application
I also need to register a domain name to WeChat so that they can allow OAuth2 authentication to this domain name
Question: can I still use my localhost virtual machine to develop my server?
(I didn't try but I assume WeChat will reject to create an OAuth2 token for localhost 127.0.0.1)
Or do I need to have a development domain name with a development server available from the Internet so that I can debug the OAuth2 authentication?
EDIT 1: I tried to send a HTTPS POST request https://127.0.0.1:8080 and I got an error linking to this URL
https://developers.weixin.qq.com/miniprogram/dev/framework/ability/network.html
EDIT 2: I tried to send a HTTPS POST request https://192.168.1.148:8080 which correspond to my dev computer and I got the error VM17415:1 Cannot send network request to localhost. (My test phone and computer both connected to network 192.168.1.x trough WiFi)
The documentation is available in English on the official WebSite [1]. It is written: network APIs allow communication with LAN IP addresses. So basically, if the phone is connected to the same network as the virtual machine (i.e. WiFi), one should be able to send any kind of HTTP/HTTPS request properly.
Note that the development environment WeChat DevTools block this feature by default. In order to enable it, the user should open the Project Settings and check the box 'Does not verify valid domain names, web-view (business domain names), TLS versions and HTTPS certificates.'.
[1] https://developers.weixin.qq.com/miniprogram/en/dev/framework/ability/network.html
I find myself in a bit of a dilemma. I am preparing to push code out to a test server (out in the wilds of the Internet) which handles user registration and authentication (using Express + Passport) for acceptance testing.
However, I would like to be able to restrict access to the test server to those users who will be performing testing. I know node does not support an .htpasswd file mechanism but looking for another way to restrict users from accessing the server even before the application authentication process begins.
All thoughts welcome!
You can restrict via IP address in your application, or the server's firewall. If you have a reverse proxy like nginx in front of node, then you can set it up to require basic authentication via an htpasswd-like file.
I have a public facing web service that has a token based security system. Log in is accomplished by providing a username & password and a unique token is returned that is used going forward whenever the service is called.
My question is this: Is there a secure way to differentiate between a call coming from outside our internal network and a call coming from within? I would like to provide elevated privileges to clients that are calling the service from within our internal network. Specifically we have a website running on the same network as our webservices and I would like to give the website elevated privileges when calling our service.
Is there a secure way to do this when the web service is public facing? What I don't want to happen is that someone from outside our internal network to somehow get access to elevated privileges.
The services were implemented using Java and the CXF framework.
Definitely possible, here's how I would suggest doing it.
Have an reverse proxy that sits between your application and the external clients. This reverse proxy would authenticate the token and the set required privileges in the request header.
Elevating privileges for internal clients can be done by following approaches
Set an authenticate header in the requests on the reverse proxy. IF this header is set to true, it signals that the call is from an external client. The app can decide if needs to authorize based on this header. Internal clients can call this service without having to go through any authentication/authorization. Note that this would complete eliminate any auth for internal clients.
Have rules on the RP that can set additional headers containing elevated privileges based on the IP of callers. Internal clients IP can be made into a list for which this applies.
Have two endpoints for internal and external clients with revers proxies on both of them. The internal would set elevated privileges in the request headers.
You have options, I can think of at least 2 approaches immediately.
1) Also require an API key to access your webservices, and special-case the access provided to the website based on its key.
2) Elevate privs based on IP address of the requestor (website, or internal network).
I want to build a node js internet gateway/captive portal. So I can have a user 'authorize' his mac address or ip address if the mac address is not possible like used for wifi hotspots
So what I have in mind is node can have a dhcp server and it gives its ip address as the gateway. So if the user loads a page on the web browser it gives them an authentication screen and they can then log in and the gateway can then route its packets correctly.
How can I do the authorization step with node.js so if they're not logged in it presents a log in page & if they are to route the packets correctly?
You need couple of pieces to put this together.
#1: http proxy - If you can run a DHCP server and assign IP addresses, then you can run and http-proxy to capture all internet traffic.
#2: You'll then need to add authentication logic to this proxy which can check for a cookie, magic packet, token or something that verifies access and lets them through or redirects to login page.
node-http-proxy is a very popular and flexible node http proxy server that you can easily add your own logic to.
node-http-auth-proxy is another such project with an example of how to handle authentication built in.
Having a proxy also allows you to whitelist/blacklist sites/IPs, something you may wanna do based on your target audience.
How can i restrict access to the admin/ section of my website? I can't limit it by IP address because we need to sometimes access the admin/ section from remote client locations (when giving a demo, etc).
there is of course, an admin username/password - but what else can i do?
Most applications just use a username/password for access control, and that's generally sufficient. Some that require extra security use two-factor authentication, which might mean using a token that you carry with you (e.g. a device that generates a token that's kept in sync with a server) or a token that is sent to you (e.g. the system sends a text message to your phone with a token that you have to type in in addition to your password).
An easier option is to authenticate using a client certificate; you can carry the cert around with you on a thumb drive in case you're at a remote location (just remember to remove the certificate from the remote machine when you're done).
Here's a nice write-up on client certificate authentication.
Another option is to only allow connections from your local network, and then use VPN to join a remote machine to a local network.
if the admin interface is in an seperate folder, you can use .htaccess and http auth. the same can be done using e.g. rails to restrict access to certain routes (controllers).