Lets say an application is written purely using JavaScript with node.js that connects directly to the MongoDB backend.
In this scenario is it possible to have a secure application where users login and have privilege separation like administrative/user/guest. If so how does this work? What would it require?
Node.js has some modules for various authentication methods, connect-auth looks like a good place to start. You could then map your authenticated node.js credentials to a MongoDB database user when connecting to the database.
Security in MongoDB is currently fairly basic, user permissions restrict access per database and can be either read/write or read-only, so you might use a database per user.
CouchDB has a concept of users and authentication.
Take a look at the _users database documentation
I have some code that talks to _users
Related
Apologies in advance for sounding naive but I am new to this and stuck since days to no good.
I have set up LDAP on apache web server using below link and it is working good.
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
I am able to login to the application using a valid account in the directory. Now I want to create a non-ldap user (common user for API access) that can be allowed access through the web server? Is it possible? How?
I would strongly advise to create API accounts in your Active Directory. (in the company I work for, we use that and call them service accounts)
Centralizing access is the best practice, if you start mixing authentication methods in your application/website it can quickly become a nightmare of spaghetti code to maintain.
Centralizing access also improves security by allowing you to manage access in a single place.
If you do not want to go this way, you have the possibility to create a secondary authentication method through local users that would be stored in a database.
If you go this way, please do not store passwords in a non-encrypted way. Look for the following functions: password_hash and password_verify. When using SQL to transact with your database, make sure you do not end up with SQL injection, it can be disastrous to have SQL Injection in your login script.
Our tool is a Node.js server / React client running on a network with no external web access.
We would like to add robust user management including:
User definition (name, password, access level)
Password change
Login/Logout
Is there any open source libraries out there that can supply these capabilities?
Passport js library provides a lot of strategies for authentication and authorization without requiring you to reinvent the wheel. You can use any of the databases to store the user's on the backend like MongoDB, Mysql, etc.
It can also talk to inhouse LDAP or auth server API if you decide to do so. All in all, this sounds like a perfect library for you.
Here is a tutorial https://scotch.io/tutorials/easy-node-authentication-setup-and-local
We would like to hide the Database Schema Passwords from WebLogic administrators because the database contains high secured data.
I am trying to find an official Oracle way how to define a Connection Pool where the password is read from an external Password Server but I have not found anything on the internet.
Can Weblogic communicate with Password Servers (eg. Pleasant) in order to read passwords of DB connections from external "secret" store?
UPDATE 1
Of course, we can write Java code which reads passwords from an external secret store and creates Connection Pool on a programmatic way but this seems for me as a big hack.
UPDATE 2
I also checked JPA and Hibernate documentation. I cannot see any official way to configure a JPA data source this way.
The solution is to create and use a Wallet as described in this documentation.
Enjoy !
I'm starting up a new project using Couch DB and a react native front end. I was wondering what is the recommended way of doing user authentication. weather it is setting up users in Couch DB or going through, for example, a node server to process user credentials and get a token for them and whatnot. or if there are any other ideas, I'd greatly appreciate that.
CouchDB authentication system is a bit limited:
You can't revoke sessions
It somehow hard to integrate third party authentication (facebook, google+)
Password recovery/reset is not available by default
Since you're building a client application, you can't implement password recovery on the client side. You'll need a backend service that handle this.
It all depends on your need. You can easily start with CouchDB's auth system and add a auth service on top of CouchDB later.
How to create a login page and check data's in a database using Rest API in angular 5.I am using Node js and Mysql as my database
There are many moving parts to creating an authentication system, and there are simply too many ways to get it wrong: storing plain-text passwords, not salting hashes, not rate-limiting queries, not having a properly configured TLS certificate, et cetera...
As you are not very familiar with these important concepts, it is highly advisable to use a 3rd-party OAuth2 provider in order to provide user authentication.
I repeat: I highly discourage implementing your own login page/fields and authentication methods for limiting database access.
As an example, take a look at this following option of using Google as an OAuth2 provider in your NodeJS application.