I was using a Yahoo web service to resolve zip codes to geo information. An example url is
http://where.yahooapis.com/geocode?q=35060,mx
where 35060 is the area code and mx is the country.
I am now receiving 404s when I do this. Did this service change? I see now that yahoo offers GeoPlanet which requires an application id as well.
Although there doesn't appear to be an official announcement from Yahoo, there have been consistent reports about this service no longer working.
As an "official" alternative, consider Yahoo Placefinder, which requires an app ID and 2-legged OAuth authentication: http://developer.yahoo.com/boss/geo/docs/requests-pf.html
Alternately, you may be able to use YQL to retrieve the information you need without requiring authentication:
http://query.yahooapis.com/v1/public/yql?q=select%20%2a%20from%20geo.placefinder%20where%20postal=%2236050%22%20and%20country=%22mexico%22&diagnostics=true
Related
I have a Delphi application, that needs to send a generated PDF file by email to one recepient of a predefined list of recepients.
I do not want to mess around with MAPI (not all customers have configured this)
I do not want my customers to enter their mail account details (this means SMTP is no option either)
Therefore I consider to use / setup a PAAS web service to receive the email text, the pdf file and the index number of the recepient to actually do the work.
My question is: Does an out-of-the-box solution exist to do this in Delphi, or what would be a preferable way?
For instance I considered using Google App Engine but there seems to be no builtin support in Delphi. I would prefer an out of the box solution or a tested solution with decent documentation. The server part should be as simple as possible.
Edited: Some clarifications:
The resulting exe is installed at the customer computer. I think setting up an extra mail account therefore is no option, because someone could extract the credentials from the exe and abuse the mail account. The same seems to be true for web services that provide only one (login/password) access.
Using OAuth2 seems to be no option either because I do want to send the email without user interaction.
If credentials need to be saved in the executable, and the existing answers suggest so, they should at least provide only very limited rights.
Is this solveable at all?
Is this solveable at all?
No.
If you require that neither the user (by filling in a login form, as is the case with OAuth 2.0) nor the program (by providing hard-coded credentials) authenticates with the web service, the communication with the web service can not be secure.
I suggest to re-think the security requirements and make them much clearer in your question.
To send mail you can use a webservice like http://www.mailgun.com/ or http://aws.amazon.com/ses/
They provide you with a http(s)-api that you can use to send email messages.
You can use Google App Engine with some programming in Python, PHP, Go or Java:
define a HTTPS address where your GAE application listens for POST requests
POST the PDF and the Email text with TIdHTTP
receive the PDF amd theEmail text in the GAE HTTPS server and forward it to the recipient
Here is an excerpt of a Python example for Google App Engine which handles a POST request
class Guestbook(webapp2.RequestHandler):
def post(self):
self.response.write('<html><body>You wrote:<pre>')
self.response.write(cgi.escape(self.request.get('content')))
self.response.write('</pre></body></html>')
Regarding OAuth: GAE supports OAuth but it is not required.
How to Signup and get LoginID and password to access RedBus Api?
From what it looks like, Redbus has not yet opened up the web service to the public. Aparently the web service exposed is for only Bus operators with their own credentials.
The API is open only to registered merchant or integrator. I got one and they will give based on your operation country. As in my case, I registered only for Malaysia, paid about 300 usd for the registration and given the api key. Although I would say their technical support is not the best as I've implemented in PHP and they didn't really have the expertise to support integration using PHP. The most problematic part is the seat selection process. The rest was quite straightforward.
I suggest that you take a look at their website and see what if there is any merchant registration link. As in my case, we came to their regional office and registered there.
My company will be soon switching to Google Apps, and I would like to propose the idea of having our site administration page being authenticated with OpenID. Therefore, any user who is logged into Google Apps would be automatically logged in to our site Administration. Currently, our site administration has it's own list of users and passwords in the DB, but I would like to have the user list based off Google Apps, with their unique identifier saved in our DB. That way, new employees would only have to be set up in Google Apps to access our site Administration.
I've done some research, and come across terms like SSO, OpenID, and SAML, but I can't quite narrow down which route I'm supposed to go. It seems like Google has a lot of paths open for development, and I'm not sure which one I'm supposed to take.
My question is: What kind of Authentication am I seeking for my purpose described above, and can anyone point me in the direction of where to get started? My site is published in ColdFusion 9, so answers specific to that platform are a bonus.
If you just need Web SSO -- I believe you would use your GApps domain as an OpenID Provider. Your application would then act as an RP and consume identities as established by your own GApps domain and company administration. GApps can only act as a SAML Service Provider -- so using SAML for this use case isn't realistic.
HTH
Ian
I work for a company that develops a software product that processes bank transactions and gives the user insight into his/her spending. Our customers (usually banks) integrate the product into their online banks.
I have a question about securing the communication between the online bank, and our system. Before I ask the question, I want to give you some background.
The bank will usually install our system on a set of servers in their hosting environment.
We offer a number of ways to integrate:
Web services - In this case the bank will make calls to a set of REST services on the server, and then generate a webpage with the results (on the server side).
Iframes - In this case the bank will embed iframes in their online bank webpages. The iframes contain webpages rendered directly from our web application.
Inline widgets - In this case the bank will embed JavaScript references on their pages. When the document loads, the JavaScript widgets will render themselves, using AJAX calls. They communicate with a proxy on the bank server, which in turn communicates with our webapp.
We currently have a custom solution where we generate and sign security tokens for the users, and pass these with the requests.
But as banks have very strict security policies, they would feel better with us using a known and trusted security protocol for the communication. It is a big concern, which we want to address.
So the question is, which protocol is best suited for the integration use cases I listed above? There is a plethora of single-sign-on standards out there, and solutions like SAML, oauth, etc. I get the feeling that these solutions might be an overkill for my situation.
I want to find a solution that is simple. As the servers will run side by side in the same hosting environment, and trust each other completely, there is no need for the end user to authorize one or the other (or being redirected between, clicking buttons to give access to the app).
That is, the security protocol should not require any intervention from the end user. The end user simply logs into his/her online bank, and via secure communication has access to the data from our web server.
So...any suggestions?
Thanks a lot!
OGG
After some deliberation, we decided to use 2-legged OAuth (online bank uses consumer key and consumer secret to sign requests to our app).
OAuth signature can either be put in a request header, or request parameters. It nicely solves our problem, as the REST requests can be signed, and the IFRAME src URL-s can also be signed (all communication is over HTTPS).
For those interested, a couple of references:
This article shows using OAuth with IFRAMEs: http://developer.tradeshift.com/blog/cross-site-user-verification/
This article mentiones some security issues with OAuth, and how threats can countered: http://software-security.sans.org/blog/2011/03/07/oauth-authorization-attacks-secure-implementation
I'm reading the Terms of use which can be found here: http://code.google.com/apis/visualization/terms.html
But I do not see anything telling how Google use the data provided to generate the charts. Can someone be kind and enlighten me?
The Privacy Policy is likely to apply here. The relevant part should be:
Log information – When you access
Google services via a browser,
application or other client our
servers automatically record certain
information. These server logs may
include information such as your web
request, your interaction with a
service, Internet Protocol address,
browser type, browser language, the
date and time of your request and one
or more cookies that may uniquely
identify your browser or your account.
In combination with
Affiliated Google Services on other
sites – We offer some of our services
on or through other web sites.
Personal information that you provide
to those sites may be sent to Google
in order to deliver the service. We
process such information under this
Privacy Policy
Because you send the chart information with the URI and thus they will at least log it.