I have a basic website written in Python Django, hosted on IIS 8.5. The website is used in the company intranet with Windows Authentication.
Accessing the website through a browser gives no problems for authentication. However, making use of a simple web API to retrieve data for reporting purposes is giving problems.
I'm trying to load a URL into Excel which supplies data in CSV format (Data -> From Web). Disabling IIS Windows Authentication and using Anonymous works perfectly. However, enabling Windows Authentication does not work as Excel says 'credentials are incorrect'.
The URL response is a simple HttpResponse object with CSV data. Nothing weird or complicated happening.
Any idea where to troubleshoot this? My IIS knowledge is limited in this regard.
So I changed the API part of the website to anonymous authentication as per this answer. it did the trick for me:
IIS 8.5: Change authentification mode for url sub path
Related
I have created a chrome extension which gets data from the current active tab in chrome. I send the data to my webapp via an API which stores it in the database.
At the moment my chrome extension has a fixed user_id. I would like to prompt the user the user to log in in order to get the correct user.
Is it safe/valid to check for cookie - if it exists use it otherwise prompt user to sign in via the browser?
It's probably okay, as long as you're not storing anything sensitive in the cookie like a password (obviously).
However, the appropriate way to accomplish this would be through something like oAuth. In this scenario your web app's API would be a oAuth consumer, and you would use the following library to authenticate in a Chrome extension:
https://developer.chrome.com/extensions/tut_oauth.html
This library will save an authentication to local storage for you. It's pretty easy to use. The difficult part is ensuring your web app's API supports OpenID. Google's AppEngine supports this pretty much out of the box with little configuration on your side, but this may not be the case with your API.
I have a Chrome Packaged Application that I am currently integrating with the Facebook API. The Facebook Javascript SDK requires that I provide the URL of where my application is hosted and for security reasons they only redirect to this url.
The problem is that a Chrome Packaged Application doesn't have a url. I am aware of the chrome.extension.getURL but this url is not static, it changes per installation. Is there any way to set a URL for a Chrome Application that works for all installations?
Once you publish your app the id from chrome.extension.getURL will not change. The id matches the key used to sign the extension and once you publish an extension to the Web Store that key doesn't change. Developing locally will be more annoying since each time you "load an unpacked extension" it will get a new id.
I have a SharePoint server running on my network and I am trying to build an app in Delphi which allows me to access the various SharePoint Web Services hosted there.
Running my app on the same network as the SharePoint server works fine, however, when I attempt to run it on a VM which is not part of the same Domain I can't get authenticated. I was looking for some advice as to how I should be handling authentication for this type of scenario, more specifically, should I be prompting the user for their credentials or is there some built in security model I can use for this?
Ideally I would like to try avoid dealing with Usernames & Passwords in my app and let the OS handle that sort of thing, however, at the moment I can't seem to see any other way around this.
After some investigation, for my particular scenario I decided that the best approach would be to use WinINet. I chose this approach over Indy because after some thorough investigation I found Indy did have some bugs & also it didn't have all the authentication handling we needed built in.
WinINet supports prompting for credentials & automatically authenticating across the wire. See Handling Authentication.
I have a Django web app that I would like to use in a single-sign-on solution for a number of remote apps that use Apache authentication.
I can see how to authenticate Apache from a local Django instance and an old Apache module for doing basic queries off postgresql (but without the syntax support to phrase queries with joins to check Django group permissions)
Any suggestions?
I would like to avoid having to switch to using a directory service in the short term (e.g. ActiveDirectory, LDAP) if possible.
.M.
EDIT: Also found mod_auth_external
The following should work for you.
http://www.openfusion.com.au/labs/mod_auth_tkt/
You can use the apache module to hit a specific view in your Django app to generate a ticket for valid users. Then all the other applications can do basic authentication against Django via a URL.
This gives you SSO using the Django user database for legacy apps using HTTP basic authentication.
I want to upload a file to a website via a desktop app and then take the user to the website. The website has a web service, but requires authentication as does the web site. Is there a way to do this without forcing the user to authenticate twice (once in the desktop app and once in the web browser)?
Unfortunately, you can't prefill an input of type file for security reasons, which makes sense since the user won't want you uploading arbitrary files from his/her computer. But if they have a desktop app, is there some way around this?
Or maybe make the user log into the web app first and then the authentication cookie can be reused?
Any other ideas?
Thanks,
Ben
I would use the dekstop app as a client to the website app via an api.
So, login via the desktop app. The api returns a authentication token (as Carlos suggested) which might be a md5 hash stored in your database for a certain period of time, possibly matched to the clients ip address.
The desktop app can then make calls on the api (like uploading a file) as a authenticated user (by using the auth token).
When loading the website, perhaps the url is http://website/login/{auth_token} where the auth token is added to the url. The api can check to see if its a valid auth token and consider the user logged in.
You could generate an authentication token that could later be used on the website.
It all depends on the type of authentication of the service and the site. Is it integrated Kerberos, WS-Auth, is it Basic/Digest HTTP, is it forms/cookie ?
This answer will most likely not work in the very general users-on-the-wide-open-web scenario, but in intranet contexts, using Windows Authentication (on an ASP .Net solution), would provide this.