Help me understand rails authentication w/r/t assets, like swfs - ruby-on-rails

I am a rails noob. I am having a problem conceptualizing how assets work in an authenticated system.
All of the tutorials I've seen so far talk about putting your swfs in the public folder and embedding them in your view. However, the swf I'm using is a flex gui that should only be used by users logged-in through restful-authentication. I imagine that putting the gui into the public folder would be defeating the whole purpose of having an authentication system.
So what is everybody doing to restrict access to this kind of static content?

You want to be a bit careful here. If your system is properly secured, an unauthenticated user who has the Flex GUI can't use it, right? He would also have to be logged in. So, is there any reason not to let any user download the SWF file?
If having the SWF file alone is enough "authentication" to use the site, you have a security hole. Consider
a) A user could give a copy of the downloaded SWF file to someone else, who could then use it, even if he were unable to download it from your site.
b) The Flex GUI uses HTTP to communicate with your site, to retrieve data and send commands. Anybody can write a program or use other means to send the same HTTP requests, without using the Flex GUI.

Related

Is iOS capable of accessing and manipulating files on a Windows network file share?

I'm planning an app for work and venturing into potential features which I've not used before.
Essentially I need to be able to access files on a network share, read, write and delete files as well as amend the file names. As a pretty closed platform I'm not sure whether iOS is capable of such a thing and if it is, what features should I look for to begin researching?
My Google-Fu hasn't come up with anything thus far so hopefully looking for someone to point me in the right direction.
Thanks.
I know this isn't very secure, but I'd personally create an ASP.NET app on your target Windows Server, or a different server on the domain. Create web services exposed, and make an iOS app with UIWebView. You can do RPC calls from the web service that do WMI/ADSI/File System manipulation. You can prompt for domain credentials and do remote calls; that's essentially the gist.
You could expose the web app so that your app can access it from local network, or URL. If you were to access it from outside I'd suggest using some secure credentials in Windows/IIS.
Some years ago I created a "mobile-friendly" web app that allowed me to manage servers, perform RPC, and do basic Active Directory queries. It also allowed file listing and deletion/moving/copying with some creative scripting. It was essentially an ASP.NET/C# web app that loaded in an iPhone app. UIWebView in iOS was able to load it; it used AJAX and some other client side scripting that looked decent. You'd essentially have to make sure that your web app renders properly in Safari/UIWebView (which is bastardized safari).
Here's a link to a demo of what I created:
https://www.youtube.com/watch?v=czXmubijHwQ&t=12s
I ran it in a browser, but it'd run from my PSP, Android test devices, iPod Touch, Blackberry, etc.

Dart Web App with Access Control Measures

So I am currently evaluating Dart's use as a potential language to re-write a campus organization's website. One critical aspect of this website is its access control policies. It seems that anything written within the Dart web apps could potentially be compromised, which led me to ask the following question.
Is it possible to securely implement access-control to pages in Dart, using either just a web app or a combination of a web app and a dart-implemented server? Could it also be possible to implement that same concept using Apache with a proxy-passthrough to dart?
I don't understand what you actually want to achieve with a proxy-passthrough.
When you create a single page app in Dart all client code is loaded to the client. This is normally no security concern. When a view is shown it usually loads data from a server. Here you enforce security.
You can require the user to authenticate and decide in the server code if or which data you serve for this user or what update command you allow the user to execute. You can just return an error when the user invokes a function that he is not allowed to use.

Rails security on production server

I am putting my first rails app on the internet. I have read the rails guide on security and have implemented the points listed in there, but was interested to hear of anything else?
Also, I currently store my uploads in public/documents; is this ok? I noticed there are no htaccess files protecting the directory.
Storing your uploads in a predictable location is a bad idea if you want to keep them a secret. If you don't care about people accessing it then it doesn't matter. Using .htaccess to password protect the directory is a good solution.
You should test your application for vulnerabilities using Acunetix ($$) or Wapiti (open source).
You should also read: What should a developer know before building a public web site?
If your site allows anyone to upload, it is a bad idea to store your uploads in a place that non-logged-in users can get to them. This is because then your site can be used by unscrupulous people as a place to store things that you might not want stored, such as malware.
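The two threads above ("Help me understand rails authentication w/r/t assets" and this one about uploads in public/documents) come down to the same pattern: keep protected files out of public/, stream them only to a logged-in session, and make the data endpoints check the session themselves so that having a copy of the SWF is never a credential. The following is an added example, not code from either thread. In Rails the equivalent is a controller with `before_action :require_login` and `send_file` from a non-public directory; it is written here as a plain Rack-compatible Ruby object so it runs without any gems, and the `X-Session-Token` header lookup is a constructed stand-in for Rails' signed session cookie.

```ruby
require 'tmpdir'

# Added example (not from the threads): a Rack-compatible object that enforces
#   1. protected files (the Flex GUI, user uploads) live OUTSIDE public/, in a
#      directory the web server never serves directly, and are only streamed
#      to an authenticated session;
#   2. the data/API endpoint checks the session itself, so possessing the SWF
#      (or a copy of it) never acts as a credential.
class ProtectedFiles
  def initialize(private_dir, sessions)
    @private_dir = File.expand_path(private_dir)
    @sessions = sessions # constructed: session token => user name
  end

  def call(env)
    user = current_user(env)
    path = env['PATH_INFO'].to_s

    if (m = %r{\A/files/(.+)\z}.match(path))
      return unauthorized unless user
      serve_private_file(m[1])
    elsif path == '/api/data'
      return unauthorized unless user
      [200, { 'content-type' => 'application/json' }, [%({"user":"#{user}"})]]
    else
      not_found
    end
  end

  private

  # Stand-in for Rails' signed session cookie: a header carrying a token.
  def current_user(env)
    token = env['HTTP_X_SESSION_TOKEN']
    token && @sessions[token]
  end

  def unauthorized
    [401, { 'content-type' => 'text/plain' }, ['login required']]
  end

  def not_found
    [404, { 'content-type' => 'text/plain' }, ['not found']]
  end

  # Resolve the requested name inside the private directory and refuse anything
  # that escapes it (../ or an absolute path), then stream the bytes.
  def serve_private_file(name)
    full = File.expand_path(name, @private_dir)
    inside = full.start_with?(@private_dir + File::SEPARATOR)
    return not_found unless inside && File.file?(full)
    [200, { 'content-type' => 'application/octet-stream' }, [File.binread(full)]]
  end
end

# Build a throwaway private directory with one constructed file and one session.
def build_demo_app
  dir = Dir.mktmpdir('private_files')
  File.binwrite(File.join(dir, 'gui.swf'), 'constructed-swf-bytes')
  ProtectedFiles.new(dir, { 'tok-alice' => 'alice' })
end

# Minimal request helper; returns the Rack triple [status, headers, body].
def demo_request(app, path, token: nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env['HTTP_X_SESSION_TOKEN'] = token if token
  app.call(env)
end

if __FILE__ == $PROGRAM_NAME
  app = build_demo_app
  [['/files/gui.swf', nil], ['/files/gui.swf', 'tok-alice'],
   ['/files/../../etc/passwd', 'tok-alice'],
   ['/api/data', nil], ['/api/data', 'tok-alice']].each do |path, tok|
    status, = demo_request(app, path, token: tok)
    puts "#{tok ? 'logged in' : 'anonymous'} GET #{path} -> #{status}"
  end
end
```

The anonymous request for the SWF and for `/api/data` both get 401, the logged-in ones get 200, and a name that resolves outside the private directory gets 404 even when logged in. For uploads the same `serve_private_file` path applies; the unpredictable-name advice in the answer is a second layer, not a substitute for the session check.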

iPhone: Sharing data between native and webapp

I would need to share data (not necessarily a large amount) between a native iPhone app and a safari/webkit javascript app... Do you know how this could be done?
I considered sqlite... But it seems an application can only read/write inside its own bundle (so, not in the webkit databases directory), and the other way, I guess javascript can't access an application directory... right?
Could there be a shared folder that both could access? Not necessarily with sqlite..
I thought also of pasteboards, but they don't seem to be interoperable; and moreover, another app could overwrite the pasteboard in between...
Do you have some other ideas?
You really can't. You can get some data from the JS app to a native app by having the JS app use a custom URL that the native app has registered to invoke, but aside from that you won't have much luck.
You can, of course, share the data through a server somewhere else.
The simple answer that you probably already thought of but decided against would be to have the iPhone and web application both download information from an external source (say, the web site that you're hosting the webapp on). Of course this means that your data is external to the phone which is probably why you're asking this question.
Another approach might be to register your native application as a protocol handler. Not sure how that would work as I've not played with that functionality.

Work flow for authentication and API use with Twitter on OAuth

I'm a bit confused about all this OAuth brouhaha in the sense that all the examples I can find are for web applications and none of them for desktop applications.
I understand the Web application work flow, but that includes some redirections between the web app and twitter.
How does one do this in a desktop application?
How do the redirects work?
Should I have to include a Web Browser object?
Is there a way to go around this?
Could anyone point me to resources instead of a full blown solution please?
Thanks
Not sure which language you're using, but the .NET library for Twitter called Tweetsharp has a post on using Tweetsharp from a desktop app and authenticating via OAuth. See http://tweetsharp.com/?p=68. If you're not using .NET then perhaps it will inspire something you can do?
Basically, what tweetsharp does is launch the browser to the authentication URL and then waits for the user to return. I don't know of any way to do this other than something like that (Or include a WebBrowser control of some kind to launch the authentication URL in your own window).
Here's a straightforward solution, implemented as a set of PHP scripts for running from the command line. Well documented and explained, with a helpful 'verbose' option for debugging.
http://nullinfo.wordpress.com/oauth-twitter/
After some poking around and asking some questions about this subject to some other programmers, it looks like it's still an ongoing discussion, with no visible light at the end of the tunnel.
But for people interested in the ongoing discussion, here's the best link to have:
OAuth Desktop Discussion
I've seen a few desktop apps get around this by effectively embedding a browser into their program, so they can just open the in-app browser window to let you do the login and authorisation. This strikes me as a bit of a cheat or defeat of purpose because you still end up typing your ID and password inside the application anyway.
One possibility I was thinking of was, your desktop application could embed a mini HTTP server inside it. So then it launches the default browser to perform the authorisation, with a callback URL something like http://127.0.0.1:8765/oauthorized and then just listen for it.
Would that work?
Not sure what you would do for console applications... spawn a copy of lynx?
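The "mini HTTP server inside the desktop app" idea in the post above does work, and the piece that needs care is the listener: it should bind to the loopback interface only, accept a single request, and only treat that request as the user's authorization if it carries the token the app is actually waiting for. The following is an added example, not code from the thread or from Tweetsharp. It assumes the OAuth 1.0a callback parameters (`oauth_token`, `oauth_verifier`), leaves the signed request-token step to a library, and simulates the browser's redirect with a local socket so it runs offline; the path `/oauthorized` and all token values are constructed.

```ruby
require 'socket'
require 'uri'

# Added example (not from the thread): a loopback callback receiver for a
# desktop app. The app gets a request token from the provider, launches the
# system browser at the provider's authorize URL with redirect_uri as the
# callback, then waits for the single GET the browser makes to 127.0.0.1.
# Only a callback whose oauth_token matches the expected request token is
# accepted, so a stray request to the port is not mistaken for the user's
# authorization.
class LoopbackCallback
  attr_reader :port

  def initialize(expected_token:, path: '/oauthorized')
    # Loopback interface only, on a free port chosen by the OS.
    @server = TCPServer.new('127.0.0.1', 0)
    @port = @server.addr[1]
    @path = path
    @expected_token = expected_token
  end

  # What the app passes to the provider as the callback URL.
  def redirect_uri
    "http://127.0.0.1:#{@port}#{@path}"
  end

  # Block (up to `timeout` seconds) for one connection, answer it with a
  # plain-text page, and return the callback parameters, or nil if nothing
  # acceptable arrived. The listening socket is closed afterwards either way.
  def wait_for_callback(timeout: 60)
    return nil unless IO.select([@server], nil, nil, timeout)
    client = @server.accept
    request_line = client.gets.to_s
    while (line = client.gets) && line != "\r\n"; end # discard request headers

    method, target, = request_line.split(' ')
    params = method == 'GET' ? parse_callback(target) : nil
    accepted = params && params['oauth_token'] == @expected_token && params['oauth_verifier']

    body = accepted ? 'Authorization received. You can close this window.' : 'Invalid callback.'
    client.write("HTTP/1.1 #{accepted ? '200 OK' : '400 Bad Request'}\r\n" \
                 "Content-Type: text/plain\r\nContent-Length: #{body.bytesize}\r\n" \
                 "Connection: close\r\n\r\n#{body}")
    client.close
    accepted ? params : nil
  ensure
    @server.close
  end

  private

  # Accept only the expected path and return its query parameters as a Hash.
  def parse_callback(target)
    uri = URI.parse(target.to_s)
    return nil unless uri.path == @path
    URI.decode_www_form(uri.query.to_s).to_h
  rescue URI::InvalidURIError
    nil
  end
end

# Drives the receiver the way the app would, with constructed token values and
# a simulated browser redirect so the example runs offline. Returns the
# accepted parameters (or nil) and the HTTP status line the "browser" saw.
def demo_callback_flow(request_token: 'constructed-request-token',
                       verifier: 'constructed-verifier', sent_token: nil)
  cb = LoopbackCallback.new(expected_token: request_token)
  waiter = Thread.new { cb.wait_for_callback(timeout: 5) }
  # Real use: launch the system browser at the provider's authorize URL here.
  # Simulated browser redirect to redirect_uri:
  sock = TCPSocket.new('127.0.0.1', cb.port)
  sock.write("GET /oauthorized?oauth_token=#{sent_token || request_token}" \
             "&oauth_verifier=#{verifier} HTTP/1.1\r\nHost: 127.0.0.1:#{cb.port}\r\n\r\n")
  response = sock.read
  sock.close
  [waiter.value, response.lines.first.to_s.strip]
end

if __FILE__ == $PROGRAM_NAME
  params, status = demo_callback_flow
  puts status, params.inspect
end
```

After `wait_for_callback` returns the verifier, the app exchanges it for an access token exactly as a web app would; the only thing the loopback server replaces is the web app's redirect endpoint. Binding to 127.0.0.1 rather than 0.0.0.0 keeps the port unreachable from the network, and closing the server after one request keeps the window in which anything else could connect short.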
Include a WebBrowser control in your app. Put it in a panel or a separate form that you'll Form.ShowDialog().
Create a callback for the browser's successful posting of OAuth and one for a rejection. Don't forget to check for a FailWhale.
In the callback, you close the panel or form and store the token.
Here's a nice overview with sample code and everything: http://tweetsharp.com/2009/04/how-to-authenticate-a-desktop-application-with-oauth/
