Should I store my user claims in the JWT token?
I am using JWT tokens in HTTP headers to authenticate requests to a resource server. The resource server and auth server are two separate worker roles on Azure.
Token-based authentication and multiple sessions
I’ve a token-based authentication system (REST) that I inherited for an iOS app (can’t change), and I’ve to re-use the same authentication web API system (that I can change to adapt for the web requests while still accommodating the iOS app).
Prevent download of static files referenced only from pages a user is not authorized to access
Let’s say a user is authenticated to a website and can access a given page only if authorized to access it specifically, e.g. if the website has only these 2 pages
In a web application, should “private” user images be protected with authentication/authorization?
When creating a web application that will allow users to upload images and mark them as private, should those images be protected by authentication and authorization mechanisms against access by other users?
Authorization and Audit on models in MVC architecture
What are the best practices to extend authorization to the Model layer if in a monolith MVC application (i.e. Rails) you have other entry points than just the Controller, i.e. background jobs, or the model interaction?
How to support anonymous user in web application?
I work for a publishing company that also provides content distribution to their users. In order to access a piece of content the user must be entitled to do so. Traditionally this authorization check has been done in several different ways (most of them legacy, insecure and, tbh, very ugly). We do support username and password authentication but this is by far the least common way used for gaining access to content. For the sake of this post let’s assume that the only alternative is for a user to reach our product from a company’s internal portal – we call this “Referral access”.
OWASP Broken Access Control by example: preventing users from reading/writing data that isn’t theirs
I have experience building RBAC-based authorization mechanisms, and understand the theory behind ACLs (DAC?) though I’ve never had the need to implement them.