Frankly speaking azure still does not have direct way to set up alerts on continuous web job's so that one can get notification if web job stops for unknown reasons. After some investigation i found that logic apps are best way to do that. Here are the steps how one can achieve this
Go to azure web job, select properties and copy web hook url, username and password.
By default web hook url will have /run option at end to so remove that as you dont want to run webjob
Create a logic app setting following parameters in exact order
Recurrence - Your choice how frequently you want to run your logic
app
Initialize a variable for example status (type - string)
Call Http end point giving following details which you copied
earlier []2]
Add a step of parse
JSON response, pasting response so that logic app can create its own
schema
Pick the item name for
value you want to read for example i am using status
Add a condition for failure
Send the mail or whatever you want to do
Over all your Login app will look something like this
This is helpful, indeed. But I was facing issue with the web hook url authentication. The logic app connector was returning 401 – Unauthorized for the http request, as the password was encoded. Took a while to understand why it is throwing unauthorized even after providing correct credentials. Hence, copying the original password helped in that case ( if not anything else).
Related
I am making a chatting service (something like Zendesk) and a website must be registered in order to use the service. There will be a frame which the website owner places in the .html file and the rest is up to me.
Problem
Anyone can start using the service right now (by reading the requests and copying them in Postman). I want a method to restrict access only to those websites that have registered to use the service when the session is started or by the messages sent from that session.
Failed solutions (to give an idea of what I am trying to do)
A stupid idea was to read and send the website URL with JavaScript and check if it exists in the database, but that can easily be forged.
I also tried generating unique tokens for each registered website, but the token is something that must be send with the request for validation and since it is something that public can see (the token is placed with the frame) that token is indeed meaningless. (Maybe I don't understand how tokens work)
At this point, seems like this is inevitable, any Ideas?
(Back-end is written in Django 3.1 and My database tables look like this, if it helps - Ignore the details, just an overview)
I'm currently trying to make an account signup page for a small project I'm working on and I don't know how to send data back to the server (I'm using the Flask framework) without also allowing everyone to send data. Let's say that I've set up an API endpoint on /createAccount. I can then send POST requests to that endpoint: {"username": "test", "password": "test"}. The web server will then handle that request by inserting that data into a database and responding with 201. The problem is, anybody would be able to send these requests, and I only want users to be able to register through the login page, and not by making an API call. Is there any way of doing this?
Edit: I've given this problem a bit more thought and I think that the only API that is difficult to secure is the signup API. When a user has created an account, I can just assign them an API key, which they will send to the API every time they want to make a request, which means that an account is required to make API calls. If a certain key is making too many requests, they can be rate limited or temporarily banned from making further requests. The problem with the signup API however, is that there is no information by witch a request sender could be identified. I could use the IP address, but that can be changed and wouldn't really help if multiple IPs are spamming the API at the same time. Is there a way I can identify non-registered users?
Short answer: no.
You have to check data to make sure the account being created is something legit and not trash data to fill your database or any other malicious intents.
This is the reason you usually have to confirm an account clicking on a confirmation link sent to your mail: this way the app is sure that your account is legit.
You could also check info on the front end, but that is never as secure as back end checking, because of your concern in the question: in the end, anyone who gets to know your endpoints could potentially send direct requests to your server with whatever data they wanted.
Assuming you have a trusted source of registrations, an if that source can make an ssh connection to the server where your Flask app is running, an alternative to trying to lock down a registration API is to provide a command line script to do the registration.
The trusted source does something like
ssh someuser#youripaddress /path/to/register.py "username" "password" "other info"
If you use a Flask custom command you can share model definitions db configuration.
I have a jmeter test plan that runs well when I access my own development machine.
When I move to a staging server with the application, I always get no session errors, it means I can't make a request to an authenticated page while running the test on my staging server.
I thought it was problem with the cookie manager, but I tried to switch between all of the cookie policies and got nothing better.
I don't know where I can check anymore, can you help?
Without knowing your structure, i can only tell you what you need to look into. My last test's authentication was something like this:
-CSV Data Config (contains csv with username and password)
-HTTP Request (Login page)
Response Assertion (which makes sure that session exists)
Regular Expression Extractor (find Session ID and set it to a variable)
-...
If you can post your structure, I may help you a little more.
I'm very novice when it comes to web applications and ASP.
Recently, I've been experimenting with the Microsoft Sync Toolkit to synchronize databases over a OData web service.
The obvious question here is: Once the service is set up and published - so it is open for anyone knowing the URL - how to prevent unauthorized users from accessing this service.
Please note: Basic authentication of forms authentication - as far my little web development knowledge reaches - doesn't seem to be appropriate for this task, as it's not a web page that the client is trying to reach - where the page can display / or re-direct a logon request - it's a service that we are accessing here.
To make things more difficult, for the client-side syncing I'm using a 3rd party library/sync-provider that only accepts a URL for the service. So, there's no way (I think) I can experiment with incorporating login credentials inside a request header etc.
I assume the best bet would be embedding the login credentials inside the URL and use that for the 3rd party library.
Can somebody please direct me how to to set up such thing on the server? I would prefer to have somehow somewhere in the server-side code a place where I can check for the credentials and based upon it to proceed or abort (return 401) the service request.
I could not find any place where to hook such code into the sync service. Although somebody in MSDN suggested to handle the _OnBeginSyncRequest event, there is no way to access the web-request header from within that method.
Is there by-any-chance a global object accessible from everywhere from which I can access the request header? Could anyone please help with this?
And last, I would prefer a plain User / Password string pair. It should not necessarily (or rather not) have anything to do with windows or directory accounts. I would prefer in my code to simple check against plain strings, such if(userStr == "Authenticated user" && passwordStr == "Correct Password").
if you are using SOAP web service, you can use WS-Security usernametoken which adds your user name and password to the request header, otherwise you can add username and password as parameters in your webservice and then simply validate it on the server side. i.e.
instead of
bool SyncData(datatable)
it becomes
bool SyncData(datatable, username, password)
note for web service you will authenticate per call, if you want to do it per session, you need first login with username password, retrieves a token than on each subsequent call your service with the token.
You would also use SSL to secure the channel so username and password aren't transmitted as plain text.
I implemented a batch job which makes a webservice call within the same salesforce instance, which then is supposed to send emails with a pdf attachment,
since you cannot send pdf attachments directly from a batch job. My webservice call looks like this:
public static void callOut(List ids){
InvoiceAttachmentConnector.InvoiceAttachmentService ws = new InvoiceAttachmentConnector.InvoiceAttachmentService();
ws.SessionHeader = new InvoiceAttachmentConnector.SessionHeader_element();
ws.SessionHeader.sessionId = UserInfo.getSessionId();
ws.handleInvoicePdfAttachment(ids);
}
However in batch jobs UserInfo.getSessionId() returns null, therefore i get a INVALID_SESSION_ID exception.
How can i log in to get a SessionId? So far I found no solution to login from salesforce to salesforce. If u can help I would appreciate it! Thanks!
You cannot get a session Id like this in batch apex as it runs under the system context and so has no specific user info for retrieval.
UPDATE:
You have the following options:
Try running the web services wsdl from your Salesforce org through the wsdl to apex generator in your org to generate some classes that may allow you to login. You are only allowed one web service request per execute call.
You could create a sites page that you make a HTTP get request to in your batch apex. This needs to retrieve the Ids of the items you want to send the PDFs for and a particular user to run as for you to use the System.runAs(user) method. You could pass these parameters in the HTTPRequest header or in a custom setting.
Note that neither of these solutions are ideal, you may want to reconsider why you are using Batch apex first of all and see whether you could reimplement it in a different way.