We have used Erlang/Cowboy to develop a simple chatting service based on WebSockets. Right now, We are using localhost:8080 to connect server.
I want to do user authentication, that will be done based on the URL parameter, and it will return user id or none for the connection.
How to do that?
Before the websocket exchange, you can ask a token to your application and use it with your websocket client.
Related
I consider building a web application and I want to use OAuth2 protocol for the authentication and authorization of users.
I know that Client Server redirects user to Authorization Server to enter username and password. Thus, user can see the URL of login page on browser. I do not want to show what is written on url actually to user due to security reasons. I do not want to expose my Authorization Server with an host name and port to public.
As a solution, I decided Client Server act on behalf of user(browser). That means, client server will send get login page request and return the response (html) coming from Authorization Server. This is simple and I am able to serve login page on Client Server, but I do not know how can I make a request model (client-id, client-secret, redirect-uri, username, password) and where I will send request to (for example "/oauth2/authorize" and then "/oauth2/token") manually. I should apply all the steps in the right order. Can you suggest me this approach? or do you have any idea to achieve hiding the Authorization Server from public? or that is not so important?
I am a developing an Rest API in spring boot and it has to be consumed by an IOS Application.I have implemented JWT token with Oaut 2.0 as security and my web server is having SSL.So the call will be made by
https://server:port//dataurl
with the header as the token. My question is since My web Server is having SSL so the connection channel will be secured (because the token should be passed in a secure channel ) or do the client side (IOS App) should also have to implement SSL Certificate. I am a having a little confusion about how the SSL channel communication. Any help is appreciated.
This link has a nice graph about how SSL works.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm
You can have a look of AFNetworking, no matter you want to use it or not.
In particular, have a look of AFSecurityPolicy.h and how it is used in AFURLSessionManager.m. That could be a good start point.
Does the Paho Java client has any callback function called when a new client connection is established? Within that function I want to validate user and if failed refuse connection.
When a new client connect from javascript or any client I should be able to allow or refuse new client.
This is not possible to do from a client, the MQTT protocol has no support for anything other than passing authentication information from a single client to the broker, not the other way round.
You have to do it from within the broker. Different brokers all implement authentication differently so it will depend entirely on which broker you are using.
Mosquitto has an API to write authentication plugins. e.g. https://github.com/jpmens/mosquitto-auth-plug
HiveMQ Also has an API http://www.hivemq.com/blog/mqtt-security-fundamentals-advanced-authentication-mechanisms
Mosca - https://github.com/mcollina/mosca/wiki/Authentication-&-Authorization
I have installed Ejabberd in our AWS Server
We are developing an iOS messenger app and we don't want other clients to access our messaging server other than our iOS app.
All the ejabberd services should be accessible only by our iOS app,
To register
To login
To send message and use any other service.
What are all the configurations and settings should I have to do to secure our server?
There is no 100% way to disable other clients from mimicking your own client. You may use different protocol, or one more layer of encryption or special marks that allow your server use to make sure that client is yours. But if someone will have desire to write his own client, he'll use your own client to understand what should be sent on the wire.
XMPP is build on the top of TCP so there is no good way of restricting access to the server socket. If you want to be compliant with XMPP you need to use encryption, otherwise use your own custom protocol (like Skype).
Working on a data collection application using mobile sms.
when a customer send a sms lets say
SMS content
Demo CET 100-50030-2320-1000
when the sms reach the mobile serive provider it send a GET request on my server
http://domainname.com/demo.aspx?mno=9828958745&sms=CET+100-50030-2320-1000
Now the problem is some hackers are sending GET request from there PC browser and all the data is getting missed and server is getting overload
I want to know which request is from a computer(mobile server) and which are from browser.
thanks in advance
Regards
Check if the request for a page is coming from a server not a browser.
If your service is not meant to be accessible publicly you have to protect it instead of publishing it on the internet. Some wasy to protect it:
HTTP Authentication
IP restrictions in firewall.
IP restrictions in the service.
Virtual Private Network.