How is OAuth 2 different from OAuth 1?

Eran Hammer-Lahav has done an excellent job in explaining the majority of the differences in his article Introducing OAuth 2.0. To summarize, here are the key differences:

More OAuth Flows to allow better support for non-browser-based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, …

Is claims based authorization appropriate for individual resources

When you are talking about roles and permissions, then you are talking about authorization. Claims are typically not for authorization. (Identity) claims are there to model the identity of the user: who is the user? The claims by themselves do not tell anything about authorization. A user can have a role claim, but this doesn’t tell …

Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?

When it was first developed, System.Web.Mvc.AuthorizeAttribute was doing the right thing – older revisions of the HTTP specification used status code 401 for both “unauthorized” and “unauthenticated”. From the original specification: If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. In fact, you can …

How to handle authentication/authorization with users in a database?

There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages against your own situation.

1. Use Java EE provided container-managed authentication

Just declare a <security-constraint> in web.xml which refers to a security realm configured in the servlet container. You can for your webapp specify URL …

Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same

Your concrete problem is most likely caused by the fact that your JSF command link/button is actually sending an ajax request, which in turn expects a special XML response. If you’re sending a redirect as a response to an ajax request, then it would just re-send the ajax request to that URL. This in turn fails without feedback because …

ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

I could do this with a custom attribute as follows.

    [AuthorizeUser(AccessLevel = "Create")]
    public ActionResult CreateNewInvoice()
    {
        //…
        return View();
    }

Custom Attribute class as follows.

    public class AuthorizeUserAttribute : AuthorizeAttribute
    {
        // Custom property
        public string AccessLevel { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var isAuthorized = base.AuthorizeCore(httpContext);
            if (!isAuthorized)
            {
                …

How do you create a custom AuthorizeAttribute in ASP.NET Core?

The approach recommended by the ASP.NET Core team is to use the new policy design, which is fully documented here. The basic idea behind the new approach is to use the new [Authorize] attribute to designate a “policy” (e.g. [Authorize(Policy = "YouNeedToBe18ToDoThis")]), where the policy is registered in the application’s Startup.cs to execute some …