Questions tagged [authorization]

Authorization is the process of determining whether a user, program or device is allowed to access a protected resource in a particular way. Authorization is a key theme in computer security practices.

Authorization is distinct from authentication but the two are often used together.

In Role Based Access Control (RBAC), an authorization decision may be dependent upon the identity of the user - whether the user is a member of a given role or group. This usually requires that the authorization authority know and understand the user's identity and their membership in various groups or roles.

In Attribute Based Access Control (ABAC), an authorization decision may be based upon attributes provided by a trusted authority. These attributes may be indirectly associated with the user making the access request, but the authorization decision can be made even if the authorization authority does not know or recognize the identity of the user. (See SAML claims and assertions)

Authorization is sometimes abbreviated as "AuthZ", while authentication is "AuthN".

8893 questions
834 votes, 18 answers

Best Practices for securing a REST API / web service

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management)? When building a SOAP API you have WS-Security as a guide and much literature exists on the…
Nathan (12,160 reputation; 3 gold, 25 silver, 27 bronze badges)
664 votes, 14 answers

Authentication versus Authorization

What's the difference in context of web applications? I see the abbreviation "auth" a lot. Does it stand for auth-entication or auth-orization? Or is it both?
daGrevis (19,600 reputation; 35 gold, 95 silver, 134 bronze badges)
630 votes, 10 answers

How is OAuth 2 different from OAuth 1?

In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1? Is OAuth 1 obsolete now? Should we be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2…
sullivan (6,353 reputation; 3 gold, 13 silver, 8 bronze badges)
517 votes, 14 answers

How do you create a custom AuthorizeAttribute in ASP.NET Core?

I'm trying to make a custom authorization attribute in ASP.NET Core. In previous versions it was possible to override bool AuthorizeCore(HttpContextBase httpContext). But this no longer exists in AuthorizeAttribute. What is the current approach to…
jltrem (10,475 reputation; 4 gold, 37 silver, 46 bronze badges)
267 votes, 7 answers

Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?

In ASP.NET MVC, you can mark up a controller method with AuthorizeAttribute, like this: [Authorize(Roles = "CanDeleteTags")] public void Delete(string tagName) { // ... } This means that, if the currently logged-in user is not in the…
Roger Lipscombe (81,986 reputation; 49 gold, 214 silver, 348 bronze badges)
239 votes, 4 answers

How to get http headers in flask?

I am a newbie to Python and am using Python Flask to generate a REST API service. I want to check the authorization header which is sent by the client. But I can't find a way to get the HTTP header in Flask. Any help for getting the HTTP authorization header is…
emil (4,978 reputation; 3 gold, 23 silver, 34 bronze badges)
237 votes, 2 answers

How to define the basic HTTP authentication using cURL correctly?

I'm learning Apigility (Apigility docu -> REST Service Tutorial) and trying to send a POST request with basic authentication via cURL: $ curl -X POST -i -H "Content-Type: application/hal+json" -H "Authorization: Basic YXBpdXNlcjphcGlwd2Q="…
automatix (10,950 reputation; 17 gold, 85 silver, 198 bronze badges)
154 votes, 1 answer

How can a JACC provider use the Principal-to-role mapping facilities of the server it's deployed on?

I am writing a JACC provider. Along the way, this means implementing a PolicyConfiguration. The PolicyConfiguration is responsible for accepting configuration information from the application server, such as which permissions accrue to which roles. …
Laird Nelson (12,770 reputation; 15 gold, 64 silver, 105 bronze badges)
153 votes, 26 answers

Can't connect Nexus 4 to adb: unauthorized

I have a Nexus 4 with Android 4.3 and I am trying to connect the device to a computer with Windows 7 64bit. I installed the latest drivers and the latest adb version. I think I tried almost everything and I still get the following…
orS (1,531 reputation; 2 gold, 9 silver, 5 bronze badges)
125 votes, 4 answers

Custom HTTP Authorization Header

I was wondering if it's acceptable to put custom data in an HTTP authorization header. We're designing a RESTful API and we may need a way to specify a custom method of authorization. As an example, let's call it FIRE-TOKEN authentication. Would…
NRaf (6,759 reputation; 10 gold, 47 silver, 83 bronze badges)
125 votes, 4 answers

ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

I need to control the access to views based on users' privilege levels (there are no roles, only privilege levels for CRUD operation levels assigned to users) in my MVC 4 application. As an example, below the AuthorizeUser will be my custom…
chatura (4,057 reputation; 4 gold, 17 silver, 19 bronze badges)
121 votes, 3 answers

Custom Authorization in Asp.net WebApi - what a mess?

I'm reading from several resources (books and SO answers) about authorization in WebApi. Suppose I want to add a Custom Attribute which allows access only for Certain Users: Case #1 I've seen this approach of overriding OnAuthorization, which…
Royi Namir (131,490 reputation; 121 gold, 408 silver, 714 bronze badges)
118 votes, 8 answers

ASP.NET Web API : Correct way to return a 401/unauthorised response

I have an MVC webapi site that uses OAuth/token authentication to authenticate requests. All the relevant controllers have the right attributes, and authentication is working ok. The problem is that not all of the requests can be authorised in the…
GoatInTheMachine (3,155 reputation; 3 gold, 22 silver, 31 bronze badges)
109 votes, 9 answers

Python requests library how to pass Authorization header with single token

I have a request URI and a token. If I use: curl -s "" -H "Authorization: TOK:" etc., I get a 200 and view the corresponding JSON data. So, I installed requests and when I attempt to access this resource I get a 403 probably…
user1552586
105 votes, 5 answers

Authorize Attribute with Multiple Roles

I would like to add Authorization to a controller, for multiple Roles at once. Normally that would look like this: [Authorize(Roles = "RoleA,RoleB,RoleC")] public async Task Index() { } But I have stored my Roles in consts, since they…
Christian Sauer (8,793 reputation; 8 gold, 43 silver, 68 bronze badges)