security,,jwt,thinktecture-ident-model , Verify JWT Claims in WebAPI

Verify JWT Claims in WebAPI


Tag: security,,jwt,thinktecture-ident-model

Given the Thinktecture AuthenticationConfiguration below:

var authConfig = new AuthenticationConfiguration
    EnableSessionToken = true,
    SendWwwAuthenticateResponseHeaders = true,
    RequireSsl = false,
    ClaimsAuthenticationManager = new ClaimsTransformation(),
    SessionToken = new SessionTokenConfiguration
        EndpointAddress = "/api/token",
        SigningKey = CryptoRandom.CreateRandomKey(32),
        DefaultTokenLifetime = new TimeSpan(1, 0, 0)

It would return an example JWT of eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzZXNzaW9uIGlzc3VlciIsImF1ZCI6Imh0dHA6Ly9zZXNzaW9uLnR0IiwibmJmIjoxNDIwMzk2ODgyLCJleHAiOjE0MjA0MDA0ODIsInVuaXF1ZV9uYW1lIjoicGFzcyIsImF1dGhtZXRob2QiOiJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvYXV0aGVudGljYXRpb25tZXRob2QvcGFzc3dvcmQiLCJhdXRoX3RpbWUiOiIyMDE1LTAxLTA0VDE4OjQxOjA0LjAxOVoiLCJyb2xlIjoiVmVyaWZpZWQifQ.h7curaLrqkMT4Btg-AAoEpNYqUIYNQA_y-eUdEwQBqs

Which is:

    "alg": "HS256", 
    "typ": "JWT"

    "unique_name": "pass", 
    "aud": "", 
    "iss": "session issuer", 
    "authmethod": "", 
    "role": "Verified", 
    "exp": 1420400482, 
    "auth_time": "2015-01-04T18:41:04.019Z", 
    "nbf": 1420396882

How would I verify that the JWT was issued from a trusted machine, can we use a symmetric key for the private signing key and the same key on the remote machine to verify against?

How could I wire up the WebAPI so that it automatically does this for us (assuming the AuthenticationConfiguration is on a different machine dedicated to account security api).


You can use a shared symmetric key or a private key to sign the JWT and that use that same symmetric key or respectively the associated public key to verify it.

The algorithm in use for this JWT (HS256) suggests that a shared symmetric key was used so you need to know that symmetric key at the receiving end in order to verify the JWT.


WebApi Routing not working for Post

My WebApiConfig has following routes // Web API routes config.MapHttpAttributeRoutes(); config.Routes.MapHttpRoute( name: "DefaultApi", routeTemplate: "api/{controller}/{id}", defaults: new { controller = "Employee", action = "Get", id = RouteParameter.Optional } ); The Post WebApi method has got following Signatures [HttpPost] public IHttpActionResult Post(Employee emp) { ..... } When i try to call...

XSS in angularjs app and web api 2

I have a web application. I am using Angularjs and Web Api2. I have a simple form where user can insert some free text that will be send via email to other people. The text is also saved on db and later can be shown in a web site page....

Run Golang as www-data

When I run a Node HTTP server app I usually call a custom function function runAsWWW() { try { process.setgid('www-data'); process.setuid('www-data'); } catch (err) { console.error('Cowardly refusal to keep the process alive as root.'); process.exit(1); } } from server.listen(8080,'localhost',null,runAsWWW); so the server is actually running as the www-data user to...

Role concept in the authorization

I'm writing the following public interface SecurityService{ public Error tryLogin(String usr, String psw); public String getRoleCurrentUser(); //Attention here } and of course, there will be a couple implementations. For instance, now I have public SpringSecurityService{ @Autowired AuthenticationManager authenticationManager; public Error tryLogin(String usr, String psw){ //Implementation here } public String getRoleCurrentUser(){...

File security System in java? [on hold]

i'm new to java world.I have a idea about file secure system.When i add a file to the application it will encrypt and store a folder in the installation path.If i need to see the file ,i need to login with my username and password and the file will automatically...

How sanitize and store user input, that contains HTML regex pattern in WordPress

I working on some WordPress plugin that one of its features is ability to store HTML regex pattern, entered by user, to DB and then display it on settings page. My method is actually work but I wonder if that code is secure enough: That's the user entered pattern: <div(.+?)class='sharedaddy...

Wordpress: Changed HTTP to HTTPS, now security certificate error

I was trying to secure my website and found a blog on wordpress which shows how to change HTTP to HTTPS from the wordpress settings. I did what it said and now my website won't let me navigate further than the home page. I tried logging into the admin page,...

Web Api and where should I contorol Request Header data,
In Web Api, I want to control, request "access token" key is (which is in request header) valid or not. But I cound't decide where should I implement this kind of control. ActionFilter or controller constructor etc. etc.

Securing JWT tokens in a AJAX call

Say site A has a piece of javascript that does an ajax call to an endpoint on site B. Site A uses a JWT generated from site B to authenticate the requests. Wouldn't a user be able to get the JWT, simply by inspecting (e.g Chrome) the request and it's...

WebApi Serving Videos on Mobile Devices

I'm using WebApi to serve videos on a website. I've tested this on all major desktop browsers and the HTML5 Video tag plays the video as expected. However, I can't get this to work on iPhones (Mobile Safari). The Get() method is never called even after pressing the play button....

Entity Framework throws Invalid object name

I have a DB in SQL Server with several tables. I have created a Class Library project in VS2013. Created a DBContext, added the database as a ADO.NET file and created a repository for running the queries. I have created a Web API2 empty project with a controller for creating...

iptables put all forwarding rules in prerouting

I have a question about security in iptables. Is it safe to give ACCEPT policy to FORWARD chain? I mean, if packet gets there, it has come through PREROUTING table and in PREROUTING you only change destination ip of packet if you "like it". all packets that get in FORWARD...

Preventing brute-force login attempts [closed]

I want to prevent hackers to break into my users' accounts. It is often said that: The best approach it to lockout an account temporarily after x failed login attempts. I understand this and it seems like a good idea. Using IP for example is a very bad idea -...

User process can't see global shared memory created by service

I have a Windows service (running in the system process) and a desktop application that need to share a configuration structure. The data originates in the app, but the user process doesn't have permission to create a global memory object so I create it when the service starts using CreateFileMapping()...

When a security update is applied as a patch, does the product name change?

When a security update is applied as a patch, does the product name change? I.e. Windows Server 2008 If this server undergoes a patch and/or security update, does it still appear as Windows Server 2008, or does it have to undergo a name change - I.e Windows Server 2008 version...

How to secure configuration file containing database username and password

Issue In order to connect my PHP code with MySQL database I use PDO way, creating variable, assigning it with new PDO object where arguments contain settings such as server, database, login and password. So in resulting code it could look like this: $DAcess=new PDO("mysql:host=server;dbname=database","login","password"); I don't feel comfortable having...

Leverage MultipleApiVersions in Swagger with attribute versioning

Is it possible to leverage MultipleApiVersions in Swagger UI / Swashbuckle when using attribute routing? Specifically, I implemented versioning by: using System.Web.Http; namespace RESTServices.Controllers.v1 { [Route("api/v1/Test")] public class TestV1Controller : ApiController { ... } Version 2 would be in a v2 namespace. In a controller named TestV2Controller. The route would...

Placing secure data in Java web application

The question is about security in tomcat, but first consider the following example: Suppose you have apache web server. Then, under www folder, create folder named dist, and under folder dist create folder named bdf23b1c-ddd3-4d5b-8fdf-948693674011. Under this folder create some file with secure information. For example, some private picture you...

Is client-side java intrinsically less secure than javascript?

Much has been made of a series of bugs and exploits on client side java, leading to the blacklisting of various versions by apple, mozilla, etc. Yet javascript is an even less controlled language without static typing. Today javascript allows for many of the same potential problems: local storage, accessing...

OData Annotations do not appear when not localhost

I'm building an OData response by throwing a standard HttpResponseException. The exception itself is built with an HttpResponseMessage based on ODataError. new ODataError() { ErrorCode = code, Message = message, InnerError = new ODataInnerError() { Message = innerException.Message, StackTrace = innerException.StackTrace, TypeName = innerException.GetType().Name }, InstanceAnnotations = annotations }); The...

Configure Apache web server to perform SSL authentication

I'm trying to perform SSL authentication in apache web server, using XAMPP in Linux. After I configure httpd.conf like this, Apache server is failing to start. Can some one help me to fix this ? What is wrong with my configuration ? Alias /bitnami/ "/opt/lampp/apache2/htdocs/" Alias /bitnami "/opt/lampp/apache2/htdocs" <Directory "/opt/lampp/apache2/htdocs">...

how to custom spring-security authentication process with my own mechanism

I'm trying to secure my app with spring security. My understanding about spring security is that they check the loaded password from UserDetails against the password user entered. The thing is my login authentication is inputing username and password into a pl/sql function which will return a result code. So...

Protect images download theory

I am a full-time developer but am building a site for my photography hobby. I dont want people to download my images and besides the usual procedures (disable right click, block hotlinks to my images etc.) i was thinking about a solution which would work 99% of the time. The...

how to update multiple data in entityframework through async web api

I am using web api 2, and entity framework 6. I have created an async web api, which updates all the records at once. I am also using Autofac for dependency injection. My service interface is as follows : Task<Approval> TakeAction(int id, bool isApprove) void TakeAction(bool isApprove) These are my...

Reverse ^ operator for decryption

I'm trying to reverse the following code in order to provide a function which takes the buffer and decrypts it. void crypt_buffer(unsigned char *buffer, size_t size, char *key) { size_t i; int j; j = 0; for(i = 0; i < size; i++) { if(j >= KEY_SIZE) j = 0;...

Headers for security

I've been reading articles about the protection of your website and they say to place these 3 headers: X-Frame-Options: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff In my website to protect it from Website attacks, but I dont know how to declare it in my header, can someone help me with...

What damage can a website do?

Now and then I (accidentally) come across websites that my anti-virus warns me about. Out of curiosity, what kind of damage can a website do? I've been working in web development for around 4 years now and can't think of any 'genuine' damage worth warning the user about. Maybe I'm...

Hashing passwords even when password is server-generated?

Shall I hash users of my portal when password is generated by server and user cannot change it? Logically: User can't use this passwords anywhere else as it is server-generated. Even when somebody access database illegally, they can change password and see it, but it is useless for them as...

Code fails for decrypting without salt or iv in Java

I have a ciphertext and a 256-bit key to decrypt it, using AES. There is no salt or iv. I am using Java. I have implemented many of the solutions online, but they all use salts and input vectors. The following builds fine, but fails at runtime: "Salt not found."...

Is it possible for a user to modify site javascript in browser?

I don't know a lot about security, but I'm trying to figure out how to keep my site as safe as possible. I understand that as much stuff that I can handle on the backend the better, but for instances where I'd like to hold some variables on the client,...

PHP: Secure a Rest Service with a Token mixed with Timestamp

I have a rest service that my website calls it and I want to secure it from calling outside of my website as much as possible. I want to create a token mixed with timestamp, so the user can only call the service in 10 minutes (for example) with the...

No type was found that matches the controller name,
I've got the infamous Web Api No type was found that matches the controller name. I had this web service working until we did a little restructuring of the file system and classes and now I'm getting this error. The File system sits as default with the Controllers and Models...

How to restrict file copying shared using Content Provider in Android?

Is it possible to forbid making copies of files for third party applications (like adobe reader), that I am using to open pdf files stored in internal memory of my application?

Autofac - DelegatingHandler (HttpMessageHandler) Registration

I have a custom DelegatingHandler in a class library that I need to register with Autofac. The webapi host resolves it's dependencies on runtime, so the host has no references to this library. public class LocalizationHandler : DelegatingHandler { protected override async Task<HttpResponseMessage> SendAsync( HttpRequestMessage request, CancellationToken cancellationToken ) {}...

shared memory performance and protection from other processes

I am trying to implement a JIT compiler (I have very geeky hobbies). I would like to have one main process that keeps some persistent variables, and a second process (that has been compiled just-in-time) that does some computation and can access and write on the persistent variables. The second...

Is a site with html and javascript secure

IF: I write a site in HTML5, Javascript and CSS3. It has no forms or any input other than mouse clicks on links. No logins. No messaging. No comments. Will this site have vulnerabilities? For the 2nd time in a month, I've been notified by my host there are files...

Simple.OData.Client - Unable to invoke Action that accepts entity collection parameter

I get error "The parameter 'wheels' is of Edm type kind 'Collection'. You cannot call CreateCollectionWriter on a parameter that is not of Edm type kind 'Collection'." Below are details of my setup: Web API 2.2 OData v4 service : I have defined Action in WheelsController class in my...

Android encryption and decryption of text fails

I try to encrypt some text (here it is named code) and decrypt it again. For this i use a 4 digit Pin which is salted. After this the text is encrypted, also again some Base64 decoding, so i can safely output the String again. As i understand i have...

Hide sensitive information from git changes

Is there a way to instruct git to hide my sensitive information. E.g. credentials.php (in local repository). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'password'; credentials.php (in github repository and history). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'xxxxxxxx'; So git automatically hides the information with 'x'. If not via...

RSA encryption in Android and Java

I would like to encrypt a String with RSA encryption. My public/private keys were generated and stored in DB. In android, I use this code: public static String encryptRSAToString(String text, String strPublicKey) { byte[] cipherText = null; String strEncryInfoData=""; try { KeyFactory keyFac = KeyFactory.getInstance("RSA"); KeySpec keySpec = new X509EncodedKeySpec(Base64.decode(strPublicKey.trim().getBytes(),...

Am I safe?? [trying to prevent sql injection] [duplicate]

This question already has an answer here: How can I prevent SQL-injection in PHP? 28 answers I was wondering if I'm safe from SQL injection if I have this in a script: < script> //some stuff var item = <?php echo json_oncode($PHPVAR) ?> item.replace(/"/,'&quot').replace(/'/,'&#39'); //do more script stuff with...

Unsure if website has been hacked with iframe

My website seems to be loading code which doesn't actually exist on my server. I know the problem is server-side because I've tested with other computers... The code seems to load a header and then put's my real website inside an iframe, strangely there are no ads or redirects which...

SAML service provider signature verification

This is a basic question about SAML protocol and how it specifies verification of a SAML token. Looking an different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token. I am interested in...

salt created by Java SecureRandom has different getBytes() value [duplicate]

This question already has an answer here: how to convert byte array to string and vice versa 13 answers I use java SecureRandom to create salt to encrypt user. However, when I tried to match user with salt and password, they failed on different machine. The user is created...

Android how to handle sensitive data in memory

Please I have the following scenario: the app uses a password to access to some remote webservice over HTTPS; to do so, the app asks the user the password, does NOT store it on the device (and use it in a safe manner to access the webservice). My concern is...

Route parameter with slash “/” in URL,routing,,,attributerouting
I know you can apply a wildcard in the route attribute to allow / such as date input for example: [Route("orders/{*orderdate}")] The problem with wildcard is only applicable to the last paramter in URI. How do I solve the issue if want to have the following URI: [Route("orders/{orderdate}/customers")] ? EDIT:...

X509Certificate: what is the difference between getIssuerDN() and getSubjectDN() methods

I'm using X509Certificate class in java, and when I want to get the subject name I try: x509certificate.getIssuerDN().getName(); and x509certificate.getSubjectDN().getName(); both methods have the same result. So what is the difference between them ??...

Getting “format not a string literal and no format arguments” warning while using GTK+2

I am getting an error like this: warning: format not a string literal and no format arguments [-Wformat-security] GTK_BUTTONS_OK, (const gchar*)message); ^ because of this function: static void show_message (gchar *message, GtkMessageType type) { GtkWidget *dialog = gtk_message_dialog_new(NULL, 0, type, GTK_BUTTONS_OK, message); gtk_dialog_run(GTK_DIALOG(dialog)); gtk_widget_destroy(dialog); } How can I fix it?...

Can I receive a JavaScript Object on an API WITHOUT a Corresponding C# Object?

I have a Web API 2 controller. I am sending a JavaScript Object from the client in a call: myObject = {propertyOne: 'Hi', propertyTwo: 'Bye'} Do I HAVE to make a class with those properties in C# to receive the object as an argument to the Web API controller? public...

JQuery Add expiration to authentication token stored with HTML5 localStorage?

I am making a mobile game with JQuery Mobile, a multipage template (so all pages in 1 html file, which makes it usable with PhoneGap). Since it is HTML I am using JQuerys $.post function to send data to php scripts such as login.php, register.php, which add/update/delete data from the...