asp.net web api - Hot Towel/Durandal/Breeze.js: how to vertically secure data calls? -

-

i'm new whole client-side spa world. i'm using above technologies, seem quite promising. however, 1 huge snag can't on lack of built-in security. had manually roll out user authorization, imho should part of framework.

now have sorted, i'm getting major headaches vertical security: 1 user logged in can access other users' info changing few parameters in browser console. pass userid every call , compare 1 on server, hoping there overarching solution doesn't pollute breeze data calls user ids.

for example, let's there's call data service this: 

function getitems(){                  var query = breeze.entityquery.from('items').expand("person");          return manager.executequery(query); }

this items, not good. let's limit userid:

function getitems(userid){                  var query = breeze.entityquery.from('items').where("userid", "==", authentication.userid).expand("person");          return manager.executequery(query); }

in second example, userid authentication service, stored userid when user logged in. however, malicious user can go browser console , change value.

of course, pass userid using withparameters(...) , compare current 1 on server, i'd have every call, doesn't seem right. there better way secure calls trusted user id?

@ali - understand pain , concern. right fear form of so-called security relies on information passed in url. fortunately there excellent answers concerns , breeze apps work them.

for example, have studied asp.net breeze/knockout template? uses forms auth authentication , guards web api controller [authorize] attribute. logged-in users can access of controller methods.

that authentication sets iprincipal web api controller makes available through user property. you'll see user passed constructor of todorepository. in repository you'll find guard logic restrict query , saves todo information belonging requesting user.

look @ network traffic. won't find user identifying information in url or request/response bodies. see encrypted authentication cookie in header.

an obvious flaw in example client/server traffic takes place in clear. must add transport level security (https) before go production. demo after all.


Comments

Post a Comment

Popular posts from this blog

Perl - how to grep a block of text from a file -

-
it can in xml or text format. how in general grep block of text in perl? <track type="ws"> <range> <rangestart>0</rangestart> <rangeend>146.912</rangeend> <locationindex>0</locationindex> <propertyindex>0</propertyindex> </range> </track> <track type="ps" id="1"> <range> <rangestart>0</rangestart> <rangeend>146.912</rangeend> <locationindex>1</locationindex> <propertyindex>1</propertyindex> </range> </track> i want grep type="ps" , till </range> . one solution open file, read line line , match block. open(fh, "file.txt"); foreach $line (<fh>) { if ($line =~ m/type="cc"(.*?)<\/range>/) { print $1; } } but there more optimal solution without reading file line l
Read more

delphi - How to remove all the grips on a coolbar if I have several coolbands? -

-
Image
if set mycoolbar.fixedorder true,only grip on first band hidden. well,if use delphi 7 create vcl forms application,then put coolbar on , create 3 coolbans hold other controls,only grip , top coolbands can hidden setting mycoolbar.fixedorder:=true. i've uploaded picture make things clear. you got fixedorder property wrong. fixed property not allow bands rearranged if set true . setting property of coolbar true keep user changing bands order @ runtime, user can still move , resize bands. can give advice can do, actual solution problem, well, have wait answer. my advice use 3 coolbars in row , setting "fixedorder" property true , bandborderstyle bsnone . way grip hidden on of them. about property, it's not bug of ide, actual preference of property.
Read more

javascript - Animating array of divs; only the final element is modified -

-
this baffling me @ moment. i'm experienced programmer looking throw bit of surprise fiancee on countdown page our wedding. desired effect simulated confetti falling behind main page. setup follows: i have array of divs in javascript. each div absolutely positioned on page. have interval set updates every 50 or milliseconds. on each tick, run loop on array of divs, , calculations , update positions. problem problem having, however, though can see divs created, stored array, , modified (in case, each has slight randomized rotation) during initialization phase, once tick update position starts, div stored in whatever last slot of array gets position updated. tried hard-coding each div index testing purposes, strictly last element update position. upon printing current "left" , "top" style values each div before , after calculations shows value has been changed, no visible change noticeable. here's basic code: javascript var container;
Read more