asp.net web api - Hot Towel/Durandal/Breeze.js: how to vertically secure data calls? -

-

i'm new whole client-side spa world. i'm using above technologies, seem quite promising. however, 1 huge snag can't on lack of built-in security. had manually roll out user authorization, imho should part of framework.

now have sorted, i'm getting major headaches vertical security: 1 user logged in can access other users' info changing few parameters in browser console. pass userid every call , compare 1 on server, hoping there overarching solution doesn't pollute breeze data calls user ids.

for example, let's there's call data service this: 

function getitems(){                  var query = breeze.entityquery.from('items').expand("person");          return manager.executequery(query); }

this items, not good. let's limit userid:

function getitems(userid){                  var query = breeze.entityquery.from('items').where("userid", "==", authentication.userid).expand("person");          return manager.executequery(query); }

in second example, userid authentication service, stored userid when user logged in. however, malicious user can go browser console , change value.

of course, pass userid using withparameters(...) , compare current 1 on server, i'd have every call, doesn't seem right. there better way secure calls trusted user id?

@ali - understand pain , concern. right fear form of so-called security relies on information passed in url. fortunately there excellent answers concerns , breeze apps work them.

for example, have studied asp.net breeze/knockout template? uses forms auth authentication , guards web api controller [authorize] attribute. logged-in users can access of controller methods.

that authentication sets iprincipal web api controller makes available through user property. you'll see user passed constructor of todorepository. in repository you'll find guard logic restrict query , saves todo information belonging requesting user.

look @ network traffic. won't find user identifying information in url or request/response bodies. see encrypted authentication cookie in header.

an obvious flaw in example client/server traffic takes place in clear. must add transport level security (https) before go production. demo after all.


Comments

Post a Comment

Popular posts from this blog

c++ - Function signature as a function template parameter -

-
i'd use function signature template argument. works great classes, when try same trick function templates, msvc throws error: error c2768: 'func' : illegal use of explicit template arguments here's code: template <typename signature> void func(); template <typename r, typename a1> void func<r(a1)>(); what should make work? you cannot partially specialize function template, not supported language. can create partially specialized class template static member function, , possibly trampoline function instantiate class template , invoke static function. something this: namespace detail { template<typename signature> struct helper; template<typename r, typename a1> struct helper<r(a1)> { static void call() { // stuff r , a1... } }; } template<typename signature> void func() { detail::helper<signature>::call(); }
Read more

algorithm - What are some ways to combine a number of (potentially incompatible) sorted sub-sets of a total set into a (partial) ordering of the total set? -

-
i have sorting problem i'm pretty sure doesn't have canonical "answer" - has number of different approaches, each pros/cons. i'm interested in hearing different approaches. suppose bunch of people {p_i | i=1,...,m} ranking favorite ice cream flavors. in total there n different flavors, single person p_i ranks n_i << n flavors or familiar with. i'm interested in combining these sub-rankings plausible overall ranking of n flavors. for concrete situation: m , n both 1000 (by coincidence), , each n_i 20 . can assume there's enough overlap in flavors people rank such no flavor "isolated". again, i'm interested in hearing different ways approach this, if there isn't single clear answer. thanks! one way approach problem construct directed cyclic graph representing of constraints on ordering of elements. nodes in graph represent different elements compared , have edge first node second node if had ranked first e...
Read more

How to call a javascript function after the page loads with a chrome extension? -

-
there's function on page want call after loads. not own page, can't insert html it. can please provide specific examples how chrome extension or greasemonkey? (function submitaction() ). both chrome extensions , greasemonkey offer ways specify when script inject if executed. in chrome extension, you set in manifest : "content_scripts": [ { "run_at" : "document_idle", in greasemonkey compatible userscripts, set in metadata // @run-at document-end in both cases, have add script if want ensure resources loaded when function executed : document.addeventlistener('load', submitaction);
Read more