Authentication with apache2 php pages and tomcat REST calls - web-services

Hello smart people on stackoverflow,
I would be very happy if someone could point me to the right libraries/frameworks to do what I want.
We have the following web architecture set up.
1. We have a tomcat server that offers REST services.
2. We have an apache2 server that serves up php pages to users.
a. Some of these php pages make REST calls to tomcat for data.
b. Other php pages contain javascript that makes REST calls that are routed through apache2 via mod_proxy to tomcat. e.g. All requests to http://myapache.com/PASSTOTOMCAT/rest/getSecureData would go to tomcat.
Now, I'm asked to add authentication to everything, both the user pages as well as the REST calls. It would obviously be ideal for the user to sign-in once for access to both.
What library can I use for this? I don't think I can use any php-based solution (i.e. one that involves adding a ) because the pass-through URLs won't have a chance to add this code and check for authentication. I think I need to use something built into apache2 itself.
One minor requirement is that I would like the user credentials stored in a mysql database as opposed to a file.
Am I over-thinking this?
Thanks in advance

Well it's been 5 days, so I guess I'll answer my own question...
I ended up using the new mod_auth_form for authentication because it lets you use a nice stylized webpage to log users in.
I also used mod_dbd to access user credentials in mysql.
I couldn't find a nice tutorial on this so I struggled through the installation and setup a bit, but if anyone cares, I created a set of instructions on my blog in case anyone else tries to do the same thing.
Installation
Setup
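For anyone following the same route, here is a minimal httpd configuration that wires the pieces named in the answer together. This is an added example, not the configuration from the answer or its linked blog posts. It assumes Apache 2.4 with mod_auth_form, mod_authn_dbd, mod_dbd (with the MySQL driver for apr-util), mod_session, mod_session_cookie, mod_session_crypto and mod_proxy loaded; a MySQL table named `users` with `username` and `password` columns; a static login form at `/login.html`; and a Tomcat instance at `tomcat.internal:8080`. All of those names are assumptions.

```apache
# Added example: hypothetical httpd.conf fragment, not the poster's own config.

# Connection pool used by the "dbd" authentication provider.
DBDriver mysql
DBDParams "host=127.0.0.1 dbname=webauth user=apache_ro pass=CHANGE_ME"
DBDMin 2
DBDKeep 4
DBDMax 10
DBDExptime 300

# %s is bound as a statement parameter by mod_dbd, so the submitted username is
# never interpolated into the SQL. The column must hold a hash in a format
# mod_authn_dbd accepts (e.g. a bcrypt hash produced by `htpasswd -nB user`),
# never a cleartext password. Table and column names are assumed.
AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"

<Location "/">
    # The session cookie is encrypted and signed by mod_session_crypto, so the
    # browser cannot forge or read it. "Secure" assumes the site is served over TLS.
    Session On
    SessionCryptoPassphrase "CHANGE_ME_long_random_passphrase"
    SessionCookieName webauth_session path=/;HttpOnly;Secure
    SessionMaxAge 3600

    # Form login backed by the MySQL lookup above. Because this sits on "/",
    # both the PHP pages and the /PASSTOTOMCAT/ pass-through require a session.
    AuthType form
    AuthName "Web application"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation "/login.html"
    Require valid-user
</Location>

# The login page and the POST target must be reachable without a session,
# otherwise an unauthenticated user is redirected in a loop.
<Location "/login.html">
    Require all granted
</Location>
<Location "/dologin">
    SetHandler form-login-handler
    AuthType form
    AuthName "Web application"
    AuthFormProvider dbd
    AuthFormLoginSuccessLocation "/"
    Require all granted
</Location>

# Everything under /PASSTOTOMCAT/ is forwarded to Tomcat. Authorization runs
# before the proxy handler, so Tomcat only ever sees authenticated requests.
ProxyPass        "/PASSTOTOMCAT/" "http://tomcat.internal:8080/"
ProxyPassReverse "/PASSTOTOMCAT/" "http://tomcat.internal:8080/"
```

The login form in `/login.html` must POST fields named `httpd_username` and `httpd_password` (and optionally `httpd_location`) to `/dologin`; those field names are fixed by mod_auth_form. Two things worth checking after reloading: that a request to `/PASSTOTOMCAT/rest/getSecureData` without a cookie is redirected to the login page rather than answered by Tomcat, and that the `password` column contains hashes (`$2y$...` for bcrypt) rather than cleartext, since mod_authn_dbd will happily compare against whatever is stored there.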

Related

How to search for Shiny Apps - Rstudio

I'm entering the world of Shiny Rstudio now. So this is a beginner question
One question I came up with is: how do I search for the Shiny Apps available/created? Are all created Apps available? Is there any way that, once I create my app, I prevent it from being viewed? Or during the creation I "block it"?
From so much searching I found this link via Rstudio's website: http://www.showmeshiny.com/
Would this be the search platform for all apps made?
But in the case of http://www.showmeshiny.com/ it seems that it is necessary to send it via "Submit App".
I am not sure if I understand your questions correctly but I might be able to give you some insights.
Are all created Apps available?
No, some Shiny Apps are hosted on private servers and/or are embedded in password-protected websites or Wordpress pages, for example. If you don't have those access rights, then you cannot see those Apps.
How do I search for the Shiny Apps available/created?
There is no way of doing that, except on pages like Showmeshiny, the RStudio Shiny Gallery, this gallery of recent Shiny Apps or other similar pages. Those Apps are publicly available and you can submit your own App if you like sharing it. Shinyapps.io is a nice and easy way of deploying your App on a server with a few clicks. But you need at least the standard license to include authentication, otherwise they would be free and open for everyone.
Is there any way that, once I create my app, I prevent it from being viewed?
I am not quite sure what you mean. If it should be blocked from being viewed at all, I don't see the reason for building a Shiny App. If you just want to access it yourself, then there are ways of doing so. Either password-protect it where only you know the password or host it on a local server that only you can access.
Or during the creation I "block it"?
If you create it on your computer and run it, it will run on your computer and only be accessible to yourself, unless you explicitly configure it otherwise. So there is no need to "block it".

Proxying external images for SSL compliance

I've got a little Django site in which users can link to images on other sites in their comments. It's by no means a core feature.
I've just moved the entire site to SSL. That has worked fine for the most part but remote images are obviously not always going to be available over SSL. Only the slightest number of domains have valid certificates.
What's the best way to funnel images through then?
Download them when the user posts and alter the URL to a local one?
Make a proxy that just proxies another URL?
The second seems like less work (I feel like it would be possible just with NGINX rules) but that it would also open the site up to people using my proxy for their own nefarious gain... Which I'd like to avoid.
What's the best compromise here?
Github ran into this same issue when they moved to HTTPS everywhere and detailed it in their blog: https://github.com/blog/743-sidejack-prevention-phase-3-ssl-proxied-assets
Their solution was to create a proxy server which they open sourced as https://github.com/atmos/camo. To address the same concerns about abuse of the proxy, it is deployed with a shared secret with the application server. Integrating this with a Django project would be straightforward, as you would just need to generate the digest from the shared key for the given image URL.
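To make the "generate the digest from the shared key" step concrete, here is an added example of both halves of that scheme: the application side that rewrites a comment's image URLs into signed proxy URLs, and the check the proxy performs before fetching anything. It is not code from the Django site in the question or from the camo project; it follows the scheme camo documents (an HMAC-SHA1 hex digest of the original URL under a shared key, carried in the proxy URL). The key, the proxy hostname and the simplistic `<img>` regex are assumptions for illustration.

```python
"""Signing image URLs for a camo-style proxy (added example, not camo's own code).

The application and the proxy share CAMO_KEY. Every proxy URL carries an
HMAC-SHA1 of the original image URL; the proxy recomputes it and refuses any
request whose digest does not match, so outsiders cannot use it as an open proxy.
"""
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import quote, unquote, urlparse

CAMO_KEY = b"replace-with-a-long-random-secret"   # assumption; generate with os.urandom
CAMO_HOST = "https://img.example.com"              # hypothetical proxy hostname


def camo_digest(url: str) -> str:
    """Hex HMAC-SHA1 of the image URL under the shared key."""
    return hmac.new(CAMO_KEY, url.encode("utf-8"), hashlib.sha1).hexdigest()


def camo_url(url: str) -> str:
    """Rewrite an external image URL into its signed proxy URL.

    Layout used here: https://<proxy>/<digest>?url=<url-encoded original>
    """
    return f"{CAMO_HOST}/{camo_digest(url)}?url={quote(url, safe='')}"


def rewrite_img_srcs(html: str) -> str:
    """Application side: route every plain-http <img src> in a comment through the proxy.

    https sources are left alone (they do not cause mixed-content warnings).
    The regex is deliberately simple; a real site would use its HTML sanitizer's hook.
    """
    pattern = re.compile(r'(<img\b[^>]*\bsrc=")(http://[^"]+)(")', re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + camo_url(m.group(2)) + m.group(3), html)


def verify_camo_request(path: str, query_url: str) -> Optional[str]:
    """Proxy side: return the upstream URL to fetch, or None if the request is rejected.

    `path` is the request path ("/<digest>"), `query_url` the raw `url` query value.
    The digest comparison is constant-time so a forger cannot learn it byte by byte,
    and only http(s) upstreams are fetched even when the signature is valid.
    """
    presented = path.strip("/")
    url = unquote(query_url)
    if not hmac.compare_digest(presented, camo_digest(url)):
        return None
    if urlparse(url).scheme not in ("http", "https"):
        return None
    return url
```

Two details carry the security weight: `hmac.compare_digest` rather than `==`, and the scheme check after signature verification, so that a bug elsewhere that signs arbitrary strings still cannot turn the proxy into a reader of `file://` paths. In camo itself the proxy also refuses to fetch private address ranges and caps response sizes; those checks belong in the fetcher, not shown here.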

Run Django development server as public website

What are the risks of doing this? I understand the documentation says not to do it, but I have password protected all the pages.
The point is that your "password protection" is useless if a hacker can simply bypass that and read your database directly. We don't know if they can, but - as the docs say - the dev server has undergone no security testing whatsoever, so they might well be able to.
Plus, the server is single-threaded. It will only ever be able to serve one request at a time. That makes for a very slow experience for your users.
Seriously, there is no reason to do this. Setting up Apache + mod_wsgi, or whatever your preferred hosting environment is, is a five-minute process if you follow the very detailed instructions.
If you mean that you want to deploy your Django project, you should use something like NGINX etc.
If you are just asking what happens if a development server is public, you have the same risks as with any other project written on any platform.

Localhost vs. video1.hackedexistence.com

I'm following through the Django Tutorials by HackedExistence on youtube.
Since the video is about a year old, I assume that the version differences may contribute to this problem. I'm currently on the 2nd video, but this issue has been present since the first.
On my browser,
http://video1.hackedexistence.com/
This link opens up the Apache 2 Test Page, and the localhost link opens up the Django Administrator page nicely.
But he sets it up so that the hacked existence link loads up the Django Admin page.
How is he able to achieve this, and what steps are needed to set it up that way with the versions that I'm working with?
Python 2.7.3, Django 1.4.1, Apache 2.2.22 (Unix)
Running on OS X 10.6.8.
video1.hackedexistence.com is (presumably) a domain under the control of HackedExistence, and it's showing an Apache 2 test page because the server it's pointing to is not configured to show anything else. You have no control over this domain or the server it is pointing to, so you can't affect it directly.
It doesn't have anything to do with different versions of python, django, apache, or anything else; it's likely that HackedExistence chose to move on to something else, is no longer maintaining his site (or at least the content on that subdomain of it) and his tutorial now no longer works as a result.
The closest you can come is to add an entry to your /private/etc/hosts file (on OSX) so that video1.hackedexistence.com resolves to 127.0.0.1 (i.e. localhost, your own computer), but this is almost certainly not what you're after. For example, if you do this, everybody else will still see the test page you're seeing now, because the /etc/hosts file is just telling your computer to treat the video1.hackedexistence.com domain as if it's pointing to your computer.
For learning web development, you can safely completely disregard this and can continue to test on your local computer.
When it comes to deploying the website for other people to view and use, you will need to buy a domain (e.g. at http://namecheap.com/), get some hosting (for python/django hosting I can recommend WebFaction, or you can use Heroku's free plan), and follow the Django deployment instructions in the official documentation (or the documentation provided by the hosting provider you choose). My advice is to focus on learning web development and get something working before you spend money on any hosting.
I don't know the videos, but I'm assuming that the author of the book owns (or owned at the time) the hackedexistence.com domain name, and had it pointing to his server so that it would be able to interpret the Django App and serve it up to public requests ... and now it looks like that configuration doesn't exist any more.
If you're asking what I think you want to ask, "how can I get a Django app viewable on the public web," well, there are lots of ways to go about doing this. If your server is Apache, https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/modwsgi/ is the way to go. Google could help you find the similar docs for other servers. Lots of answers on stack overflow as well.
If instead you're asking a different question, namely, "how can I get this app on my local machine to be viewable via some method other than localhost" (and you don't have a server), well, the answer is you'd have to get a domain that points to your local machine -- this is a question that has lots of answers elsewhere. One thing to be aware of is that Django through Apache on Mac OS X isn't terribly simple, as it requires manually installing mod_wsgi, but it's not overly difficult either. Here's Google's top link (a bit old but still relevant): http://jessenoller.com/2009/07/24/django-mod_wsgi-apache-and-os-x-do-it/
And finally, if you're asking how you can get your app to show up at hacked existence, well ... buy that domain and see the above paragraph. :)

Is it possible to integrate Kerberos authentication into Jetty 6?

We currently have an application that runs an embedded jetty 6.1.14 server to which we need to add authentication via Kerberos. I'm new to Kerberos, which makes the task about 100x harder than it maybe should be. I've scoured the internet and have found conflicting reports as to whether or not it is even possible, but nothing much that provides guidance as to how to proceed.
I've managed to have the server basically be able to authenticate the users via kerberos, but can't find a way to have the client automatically send its kerberos ticket: I have to use the form auth-method, though there are hints that this may be done using filters, which are very poorly documented.
My question - and I apologize for it being a bit vague, I've not been this exasperated in quite a long time - is a request for some guidance on plugging in kerberos authentication without login forms in Jetty 6. Or am I just out of luck? Has anyone added this type of authentication to jetty 6?
If Jetty supports Servlet Filters (JSR-53), then this open source project http://spnego.sourceforge.net might be what you are looking for.
You have to prepare your domain environment first. Make sure that your server is part of your domain (has joined it). Then you have to create a machine account and assign an SPN. If you have done that, create a keytab for that account. From then on a client will be able to search for the host in the domain and create a ticket for it. Then Jetty comes into play.