Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Size: px
Start display at page:

Download "Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3"

Transcription

1 Open-Xchange Authentication & Session Handling Table of Contents 1.Introduction System overview/implementation Overview Access to IMAP back end services Basic Implementation Rules Authentication and Session Tokens SessionID Session-Secret Random-Token Cookie Handling Only one cookie per client session type Multiple clients with the same cookie store Naming of cookies Lifetime of cookies IP Check Access via web browser with user credentials Access via web browser after authentication with an external system Implementation Details Authentication via JSON interface Example Authentication: Session data transfer via URL Example Login with Random Redirection... 13

2 Copyright 2010, Open-Xchange GmbH - 2 -

3 1. Introduction This paper describes Open-Xchange's authentication and session handling. It gives an overview of all available mechanisms and on how to safely pass on sessions from external applications to the Open-Xchange Server (Single Sign On, SSO)

4 2. System overview/implementation 2.1. Overview The Open-Xchange Server web front end is implemented in JavaScript and uses the AJAX paradigm (Asynchronous JavaScript and XML). Thus the complete user interface (GUI) is running in a browser. Opposed to standard web applications there are no HTML pages generated and delivered by the server. The complete user front end is rendered and displayed in the browser. Based on HTTP/S, data is exchanged with the server via JavaScript Object Notation (JSON). That means it is not possible to simulate the respective front end actions via HTTP/S requests by issuing matching GET/POST calls. Instead, another abstraction is exclusively used to transfer data from the web front end to the server and vice versa. The Open-Xchange Server includes a session daemon (sessiond) that keeps track of users. If the user was successfully authenticated, the information kept in the session is sufficient for accessing the Open-Xchange Server Access to IMAP back end services To access external systems (IMAP/SMTP) the Open-Xchange Server has to know the credentials of the current user for the external system, i. e. the session object has to contain the password for accessing the external system in plain text. That means authenticating via SessionIDs alone is not sufficient. Authentication always has to take place by entering the username and password. Copyright 2010, Open-Xchange GmbH - 4 -

5 (There are two exceptions: either one master password is used for all IMAP accounts, or a very special implementation of MAL is used, which does not need a password.) Basic Implementation Rules It must not be possible to get a valid session by e. g. guessing a SessionID. This is especially important when session information is being passed on by an external system. A session must not be verified by only a SessionID, but has to be verified with at least two different pieces of information, this is what the Session- Secret is for. Both SessionID and Session-Secret must never be passed from the Open- Xchange server to the client in the same part of a response. This ensures, that potential issues in the stack between the client and Open-Xchange (proxies, caches, loadbalancer, Apache, ) can not lead to wrong sessions. One information is passed to the front end in the headers of the response, the other in the body. Headers are automatically processed by the browser while the body is processed by the client application. To enhance security, the Session-Secret and SessionID are transferred as different parts of a request as well. The Session-Secret will always be transferred as a cookie, the SessionID will be transferred as a URL parameter, if persistent auto-login is not activated for this session. It must never be possible to have conflicting session information per client (multiple cookies) within the same cookie store. If any error in the session handling is detected, the relevant request is discarded and logged. No attempts to recover will be made. In memory data (SessionID) of the web front end must never be changed during a valid session. All relevant information regarding session management must always be written to log files. The whole mechanism is only secure when being used via an encrypted connection. ATTENTION: If persistent auto-login is activated for the system and a user decides to use it, all information necessary to access the Open- Xchange server is stored within the browsers cookie store. This means, that the security of the whole system depends on the level of security of the browsers cookie store

6 2.2. Authentication and Session Tokens Following tokens are used for the session management: SessionID The SessionID is used to identify every session. It is a unique UUID without dashes, generated as a random UUID. It is written into the OX log files for every log message. When no auto-login is used for the session, then the SessionID is transferred as an URL parameter. If auto-login is activated, then the SessionID is transferred as a cookie Session-Secret The Session-Secret is used to verify every session. It is a unique UUID, generated as a random UUID. Only accesses, with the Session-Secret matching the one stored in the SessionD for the given SessionID are valid. Mismatches lead to immediate session termination Random-Token The Random-Token is a one time token with a limited lifetime, which is used to initiate sessions through 3 rd party applications or websites. It is a unique UUID, generated as a random UUID Cookie Handling In several situations, cookies are used to store and transfer the session tokens. The following rules for cookie creation and storage apply Only one cookie per client session type It must never happen, that the same client has more than one session associated with an Open-Xchange server. Therefore the cookies need to have the same name. If a new cookie is sent to the browser, the original one will be overwritten. With the next client access the SessionID and the Session-Secret do not match anymore and the invalid session is terminated. Copyright 2010, Open-Xchange GmbH - 6 -

7 Multiple clients with the same cookie store On the other hand it may happen, that several clients use the same cookie store. E.g. a standard browser GUI session and a browser plug-in session. Therefore the cookie name needs to contain information about the client Naming of cookies The cookies are named following this schema: open-xchange-session-<<name token>>=<<sessionid>> open-xchange-secret-<<name token>>=<<session-secret>> Where <<name token>> is generated from configurable data associated with the client. It is a hash built from the clientid and the User-Agent and is used to identify the client. Other parameters to be taken into consideration can be added through a configuration file Lifetime of cookies Normally, cookies are session cookies, which are invalidated/deleted when the browser is shut down. Using the persistent auto-login, the cookies are persistent cookies, with a configurable lifetime. The default lifetime is one week. All cookies are deleted when a logout is performed IP Check Per default an IP check is activated to terminate every session immediately, if the IP address of the client changes during the session lifetime. This check is not applied, when a session is reactivated following the persistent auto-login process Access via web browser with user credentials When directly logging in to the system by entering the credentials, following steps will be done to authenticate the user or verify the valid session after the authentication: - 7 -

8 The user does not use the persistent auto-login. The session is only valid as long, as the browser is open. It will be cleared either on logout, on browser termination or with any occurring error. 1. Browser sends initial request to the Open-Xchange Server 1. not authenticated yet 2. no cookie 3. no SessionID 2. Open-Xchange Server sends initial AJAX application to browser, it is loaded, no data is exchanged. 3. User enters username and password in the front end. 4. Username and password are sent to the server via JSON (SSL) If the user activated persistent auto-login on the login screen, this information must not be passed to the server but it triggers a separate request to store the SessionID as a cookie. 5. The server authenticates the user and sends the following data back to the browser via JSON (all this information is also saved in the session object in sessiond) 1. SessionID, as part of the JSON object 2. Random token for initial login, as part of the JSON object (required for SSO login) 3. Cookie with JSESSIONID for load balancing 4. Cookie with Session-Secret 6. AJAX front end saves the SessionID in memory. AJAX front end ignores the random token. 7. AJAX front end sends the initial data request via JSON to the Open- Xchange Server and provides the following data: 1. SessionID as URL parameter 2. Open-Xchange Server processes this data request and uses the browser cookie with the Session-Secret. 8. Open-Xchange Server checks: 1. SessionID is known by sessiond 2. Session-Secret from cookie is the same as the one stored for this session in sessiond 9. Request is successfully verified and is answered. Copyright 2010, Open-Xchange GmbH - 8 -

9 10. Random token is discarded after timeout from sessiond. 11. If persistent auto-login is selected, the web front end sends a specific request to the backend: 1. Cookie with SessionID is sent to the browser. The cookie is configured with the relevant type and lifetime 12. Repeat until end of session Access via web browser after authentication with an external system The goal is to authenticate a user with the Open-Xchange system, from an external system and to safely pass on the received session data to a browser. To do so the external system has to know the user data (username, password) in plain text. The process is based on the session initialization in the Open-Xchange Server via the JSON interface and on passing on the received data to a browser. The browser finally retrieves the session with an additional random token that is only valid for one single access. 1. External tool sends initial JSON request directly to Open-Xchange Server 1. not authenticated yet 2. no cookie 3. no SessionID 2. The Open-Xchange Server authenticates the user and responds to the external tool with the following data via JSON (all this information is also stored in the session object in sessiond) 1. SessionID, as part of the JSON object 2. Random token for initial login, as part of the JSON object (required for SSO login) 3. Cookie with Session-Secret is not set 3. External tool starts a browser and points it to a special URL, that contains at least following data: 1. Random token for initial login 2. JSESSIONID separated with a semicolon for loadbalancing - 9 -

10 4. Open-Xchange Server verifies: 1. Random token for validity in sessiond 5. Open-Xchange Server sends to the browser: 1. SessionID, as part of the JSON object 2. Cookie with JSESSIONID for loadbalancing 3. Cookie with the Session-Secret 6. Open-Xchange removes the random token from sessiond. Then the process continues as described in the section above. The session is from then on verified using the SessionID and Session-Secret. Copyright 2010, Open-Xchange GmbH

11 3. Implementation Details The following sections define in detail the required requests and data types for connecting an external system to the Open-Xchange Server Authentication via JSON interface Authenticating via JSON interface corresponds to a simple HTTP/S request: GET/POST https://<open-xchange.server>/ajax/login?action=login Following parameters are used: action provides the login value name the username password the password This request can be answered with following return values: 200 OK Authentication successful The body of the reply contains a JavaScript object in JSON format. This object contains the attributes session and random. The session attribute contains a valid SessionID, while the random attribute contains a random value that can only be used for one single request. 200 OK Authentication failed The body of the reply again contains a JavaScript object in JSON format. But in this case the object only contains the attribute error. The error attribute informs about the reason for the authentication failure. Currently, this attribute returns Invalid credentials or User not found. Values like Your account is disabled are also possible though Example Authentication: Connected to localhost. GET /ajax/login?action=login&name=<user>&password=<password> HTTP/1.0 HTTP/ OK Date: Wed, 28 Jul :09:56 GMT Expires: Sat, 06 May :00:00 GMT Content-Type: text/javascript; charset=utf

12 Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0 Set-Cookie: JSESSIONID=c070a5b658ae4362b31bb5e0b29ed2b0.OX1; path=/ Set-Cookie: open-xchange-secretwhwm18d0z1d4epe252gg=baae10ef3dab4c489e5e295e31bb9dab; path=/ Connection: close {"session":"c7a3c6e9de024a6caf8d55214f1cff49","random":"c0c36ba4016e4be58dfc d4d00325a12c"} Connection closed by foreign host Session data transfer via URL If the SessionID and the random token are requested by an external application as described above, the browser will be started with following URL to initialize the browser session once, using the random token. When having an OX server cluster the JSESSIONID too has to be passed on, but it is essential to use the JSESSIONID from the cookie with the identical name: https://<open-xchange.server>/ajax/login ;jsessionid=<sessiond.jvmroute>?action=redirect &random=<random-token> Example Login with Random Connected to localhost. Escape character is '^]'. GET /ajax/login;jsessionid= ox1? action=redirect&random=176200f5423f4bd899282bce2618efde HTTP/1.0 HTTP/ Found Date: Wed, 28 Jul :21:20 GMT Expires: Sat, 06 May :00:00 GMT Location: /ox6/index.html#session=b40ca3c255b540a49ae9a5f3b17a1409 Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0 Set-Cookie: JSESSIONID=222b c7aa303b352952d10f.OX1; path=/ Copyright 2010, Open-Xchange GmbH

13 Set-Cookie: open-xchange-secretwhwm18d0z1d4epe252gg=8beb2e450f3d482fbda35e1a532a9a96; path=/ Content-Length: 0 Connection: close Content-Type: text/plain Redirection When initializing the browser with the random token, the cookie with the secret is sent to the browser and the browser is redirected to load the web front end. The URL for loading the GUI looks like this: https://<open-xchange.server>/index.html#session=<random-token> The AJAX GUI has to be located under the respective URL

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

Configuration Worksheets for Oracle WebCenter Ensemble 10.3 Configuration Worksheets for Oracle WebCenter Ensemble 10.3 This document contains worksheets for installing and configuring Oracle WebCenter Ensemble 10.3. Print this document and use it to gather the

More information

Title page. Alcatel-Lucent 5620 SERVICE AWARE MANAGER 13.0 R7

Title page. Alcatel-Lucent 5620 SERVICE AWARE MANAGER 13.0 R7 Title page Alcatel-Lucent 5620 SERVICE AWARE MANAGER 13.0 R7 APPLICATION API DEVELOPER GUIDE 3HE-10590-AAAA-TQZZA Issue 1 December 2015 Legal notice Legal notice Alcatel, Lucent, Alcatel-Lucent and the

More information

CloudOYE CDN USER MANUAL

CloudOYE CDN USER MANUAL CloudOYE CDN USER MANUAL Password - Based Access Logon to http://mycloud.cloudoye.com. Enter your Username & Password In case, you have forgotten your password, click Forgot your password to request a

More information

HTTP Protocol. Bartosz Walter

HTTP Protocol. Bartosz Walter <Bartek.Walter@man.poznan.pl> HTTP Protocol Bartosz Walter Agenda Basics Methods Headers Response Codes Cookies Authentication Advanced Features of HTTP 1.1 Internationalization HTTP Basics defined in

More information

Fairsail REST API: Guide for Developers

Fairsail REST API: Guide for Developers Fairsail REST API: Guide for Developers Version 1.02 FS-API-REST-PG-201509--R001.02 Fairsail 2015. All rights reserved. This document contains information proprietary to Fairsail and may not be reproduced,

More information

Lecture Notes for Advanced Web Security 2015

Lecture Notes for Advanced Web Security 2015 Lecture Notes for Advanced Web Security 2015 Part 6 Web Based Single Sign-On and Access Control Martin Hell 1 Introduction Letting users use information from one website on another website can in many

More information

Load testing with. WAPT Cloud. Quick Start Guide

Load testing with. WAPT Cloud. Quick Start Guide Load testing with WAPT Cloud Quick Start Guide This document describes step by step how to create a simple typical test for a web application, execute it and interpret the results. 2007-2015 SoftLogica

More information

Configuring Single Sign-on for WebVPN

Configuring Single Sign-on for WebVPN CHAPTER 8 This chapter presents example procedures for configuring SSO for WebVPN users. It includes the following sections: Using Single Sign-on with WebVPN, page 8-1 Configuring SSO Authentication Using

More information

Siteminder Integration Guide

Siteminder Integration Guide Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with

More information

Configuring Nex-Gen Web Load Balancer

Configuring Nex-Gen Web Load Balancer Configuring Nex-Gen Web Load Balancer Table of Contents Load Balancing Scenarios & Concepts Creating Load Balancer Node using Administration Service Creating Load Balancer Node using NodeCreator Connecting

More information

Sticky Session Setup and Troubleshooting

Sticky Session Setup and Troubleshooting 1 Sticky Session Setup and Troubleshooting Day, Date, 2004 time p.m. ET Teleconference Access: US & Canada: 888-259-4812 Teleconference Access: North America: xxxx Toll Number: 706-679-4880 International:

More information

2015-11-30. Web Based Single Sign-On and Access Control

2015-11-30. Web Based Single Sign-On and Access Control 0--0 Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking

More information

Riverbed Cascade Shark Common REST API v1.0

Riverbed Cascade Shark Common REST API v1.0 Riverbed Cascade Shark Common REST API v1.0 Copyright Riverbed Technology Inc. 2015 Created Feb 1, 2015 at 04:02 PM Contents Contents Overview Data Encoding Resources information: ping information: list

More information

Load testing with WAPT: Quick Start Guide

Load testing with WAPT: Quick Start Guide Load testing with WAPT: Quick Start Guide This document describes step by step how to create a simple typical test for a web application, execute it and interpret the results. A brief insight is provided

More information

API documentation - 1 -

API documentation - 1 - API documentation - 1 - Table of Contents 1. Introduction 1.1. What is an API 2. API Functions 2.1. Purge list of files 2.1.1 Description 2.1.2 Implementation 2.2. Purge of whole cache (all files on all

More information

Session Management in Web Applications

Session Management in Web Applications Session Management in Web Applications Author: EUROSEC GmbH Chiffriertechnik & Sicherheit Tel: 06173 / 60850, www.eurosec.com EUROSEC GmbH Chiffriertechnik & Sicherheit, 2005 What is Web-based Session

More information

HTTP. Internet Engineering. Fall 2015. Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

HTTP. Internet Engineering. Fall 2015. Bahador Bakhshi CE & IT Department, Amirkabir University of Technology HTTP Internet Engineering Fall 2015 Bahador Bakhshi CE & IT Department, Amirkabir University of Technology Questions Q1) How do web server and client browser talk to each other? Q1.1) What is the common

More information

DEERFIELD.COM. DNS2Go Update API. DNS2Go Update API

DEERFIELD.COM. DNS2Go Update API. DNS2Go Update API DEERFIELD.COM DNS2Go Update API DNS2Go Update API DEERFIELD.COM PRODUCT DOCUMENTATION DNS2Go Update API Deerfield.com 4241 Old U.S. 27 South Gaylord, MI 49686 Phone 989.732.8856 Email sales@deerfield.com

More information

EZcast technical documentation

EZcast technical documentation EZcast technical documentation Document written by > Michel JANSENS > Arnaud WIJNS from ULB PODCAST team http://podcast.ulb.ac.be http://ezcast.ulb.ac.be podcast@ulb.ac.be SOMMAIRE SOMMAIRE 2 1. INTRODUCTION

More information

Using Foundstone CookieDigger to Analyze Web Session Management

Using Foundstone CookieDigger to Analyze Web Session Management Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.

More information

Release Notes for Patch Release #2614

Release Notes for Patch Release #2614 July 22, 2015 Security Patch Release This Patch Release addresses critical vulnerabilities; please consider deploying it as soon as possible. Not deploying this Patch Release may result in remote service

More information

Zabbix Manual. https://www.zabbix.com/documentation/2.0/manual

Zabbix Manual. https://www.zabbix.com/documentation/2.0/manual Zabbix Manual [Zabbix] 11/21/13, 4:25 PM Zabbix Manual Welcome to the user manual for Zabbix 2.0 software. These pages are created to help our users successfully manage their monitoring tasks with Zabbix,

More information

Configuring Health Monitoring

Configuring Health Monitoring CHAPTER4 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features that are described in this chapter apply to both IPv6 and IPv4 unless

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information

Lecture 11 Web Application Security (part 1)

Lecture 11 Web Application Security (part 1) Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)

More information

OAuth 2.0 Developers Guide. Ping Identity, Inc. 1001 17th Street, Suite 100, Denver, CO 80202 303.468.2900

OAuth 2.0 Developers Guide. Ping Identity, Inc. 1001 17th Street, Suite 100, Denver, CO 80202 303.468.2900 OAuth 2.0 Developers Guide Ping Identity, Inc. 1001 17th Street, Suite 100, Denver, CO 80202 303.468.2900 Table of Contents Contents TABLE OF CONTENTS... 2 ABOUT THIS DOCUMENT... 3 GETTING STARTED... 4

More information

JASPERREPORTS SERVER WEB SERVICES GUIDE

JASPERREPORTS SERVER WEB SERVICES GUIDE JASPERREPORTS SERVER WEB SERVICES GUIDE RELEASE 5.0 http://www.jaspersoft.com JasperReports Server Web Services Guide Copyright 2012 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft,

More information

Twinfield Single Sign On

Twinfield Single Sign On Twinfield Single Sign On manual, version 5.4 April 2009 For general information about our webservices see the Twinfield Webservices Manual Twinfield International NV De Beek 9-15 3871 MS Hoevelaken Netherlands

More information

HTTP 1.1 Web Server and Client

HTTP 1.1 Web Server and Client HTTP 1.1 Web Server and Client Finding Feature Information HTTP 1.1 Web Server and Client Last Updated: August 17, 2011 The HTTP 1.1 Web Server and Client feature provides a consistent interface for users

More information

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS White Paper TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS Abstract This white paper explains how to diagnose and troubleshoot issues in the RSA Access Manager single sign-on

More information

AIRTEL INDIA OPEN API. Application Developer Guide for OAuth2 Authentication and Authorization. Document Version 1.1

AIRTEL INDIA OPEN API. Application Developer Guide for OAuth2 Authentication and Authorization. Document Version 1.1 AIRTEL INDIA OPEN API Application Developer Guide for OAuth2 Authentication and Authorization Document Version 1.1 This Application Developer Guide has been prepared for Airtel India. Copyright Intel Corporation

More information

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002) 1 cse879-03 2010-03-29 17:23 Kyung-Goo Doh Chapter 3. Web Application Technologies reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002) 1. The HTTP Protocol. HTTP = HyperText

More information

Webmail Using the Hush Encryption Engine

Webmail Using the Hush Encryption Engine Webmail Using the Hush Encryption Engine Introduction...2 Terms in this Document...2 Requirements...3 Architecture...3 Authentication...4 The Role of the Session...4 Steps...5 Private Key Retrieval...5

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ CTIS 256 Web Technologies II Week # 1 Serkan GENÇ Introduction Aim: to be able to develop web-based applications using PHP (programming language) and mysql(dbms). Internet is a huge network structure connecting

More information

User and Programmer Guide for the FI- STAR Monitoring Service SE

User and Programmer Guide for the FI- STAR Monitoring Service SE User and Programmer Guide for the FI- STAR Monitoring Service SE FI-STAR Beta Release Copyright 2014 - Yahya Al-Hazmi, Technische Universität Berlin This document gives a short guide on how to use the

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

Qualys API Limits. July 10, 2014. Overview. API Control Settings. Implementation

Qualys API Limits. July 10, 2014. Overview. API Control Settings. Implementation Qualys API Limits July 10, 2014 Overview The Qualys API enforces limits on the API calls a customer can make based on their subscription settings, starting with Qualys version 6.5. The limits apply to

More information

The Hyper-Text Transfer Protocol (HTTP)

The Hyper-Text Transfer Protocol (HTTP) The Hyper-Text Transfer Protocol (HTTP) Antonio Carzaniga Faculty of Informatics University of Lugano October 4, 2011 2005 2007 Antonio Carzaniga 1 HTTP message formats Outline HTTP methods Status codes

More information

Modern Web Development From Angle Brackets to Web Sockets

Modern Web Development From Angle Brackets to Web Sockets Modern Web Development From Angle Brackets to Web Sockets Pete Snyder Outline (or, what am i going to be going on about ) 1.What is the Web? 2.Why the web matters 3.What s unique about

More information

UpCloud API Documentation. API version 1.1.1 Updated Aug 13, 2013

UpCloud API Documentation. API version 1.1.1 Updated Aug 13, 2013 UpCloud API Documentation API version 1.1.1 Updated Aug 13, 2013 INTRODUCTION 4 Version history... 4 ARCHITECTURE OVERVIEW 5 API overview... 5 API versioning... 5 Authentication... 5 Resource identifiers...

More information

000-284. Easy CramBible Lab DEMO ONLY VERSION 000-284. Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0

000-284. Easy CramBible Lab DEMO ONLY VERSION 000-284. Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0 Easy CramBible Lab 000-284 Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0 ** Single-user License ** This copy can be only used by yourself for educational purposes Web: http://www.crambible.com/

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

Varnish Tips & Tricks, 2015 edition

Varnish Tips & Tricks, 2015 edition Varnish Tips & Tricks, 2015 edition ConFoo 2015 Montreal, Canada Magnus Hagander magnus@hagander.net PRODUCTS CONSULTING APPLICATION MANAGEMENT IT OPERATIONS SUPPORT TRAINING Magnus Hagander Redpill Linpro

More information

Introduction to ServerIron ADX Application Switching and Load Balancing. Module 6: Content Switching (CSW) Revision 0310

Introduction to ServerIron ADX Application Switching and Load Balancing. Module 6: Content Switching (CSW) Revision 0310 Introduction to ServerIron ADX Application Switching and Load Balancing Module 6: Content Switching (CSW) Revision 0310 Objectives Upon completion of this module the student will be able to: Define layer

More information

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online 062212 2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any

More information

TIBCO JASPERREPORTS SERVER WEB SERVICES GUIDE

TIBCO JASPERREPORTS SERVER WEB SERVICES GUIDE TIBCO JASPERREPORTS SERVER WEB SERVICES GUIDE RELEASE 6.1 http://www.jaspersoft.com Copyright 2005-2015, TIBCO Software Inc. All rights reserved. Printed in the U.S.A. TIBCO, the TIBCO logo, TIBCO Jaspersoft,

More information

DNS Update API November 15, 2006 Version 2.0.3

DNS Update API November 15, 2006 Version 2.0.3 DNS Update API November 15, 2006 Version 2.0.3 Dynamic Network Services, Inc. phone: +1-603-668-4998 1230 Elm Street, Fifth Floor fax: +1-603-668-6474 Manchester, NH 03101 www.dyndns.com Table of Contents

More information

Lecture 8a: WWW Proxy Servers and Cookies

Lecture 8a: WWW Proxy Servers and Cookies Internet and Intranet Protocols and Applications Lecture 8a: WWW Proxy Servers and Cookies March 12, 2003 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Terminology Origin

More information

Message Containers and API Framework

Message Containers and API Framework Message Containers and API Framework Notices Copyright 2009-2010 Motion Picture Laboratories, Inc. This work is licensed under the Creative Commons Attribution-No Derivative Works 3.0 United States License.

More information

Demystifying cache. Kristian Lyngstøl Product Specialist Varnish Software AS

Demystifying cache. Kristian Lyngstøl Product Specialist Varnish Software AS Demystifying cache Kristian Lyngstøl Product Specialist Varnish Software AS Montreal, March 2013 Agenda - The types of caches involved - The benefits of a cache - HTTP - Reverse proxy specifics Not: L1/L2

More information

URLs and HTTP. ICW Lecture 10 Tom Chothia

URLs and HTTP. ICW Lecture 10 Tom Chothia URLs and HTTP ICW Lecture 10 Tom Chothia This Lecture The two basic building blocks of the web: URLs: Uniform Resource Locators HTTP: HyperText Transfer Protocol Uniform Resource Locators Many Internet

More information

Web Security Threat Report: January April 2007. Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Web Security Threat Report: January April 2007. Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots Web Security Threat Report: January April 2007 Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots What are we reporting? We are presenting real, live web attack data captured in-the-wild.

More information

2 Downloading Access Manager 3.1 SP4 IR1

2 Downloading Access Manager 3.1 SP4 IR1 Novell Access Manager 3.1 SP4 IR1 Readme May 2012 Novell This Readme describes the Novell Access Manager 3.1 SP4 IR1 release. Section 1, Documentation, on page 1 Section 2, Downloading Access Manager 3.1

More information

Network Technologies

Network Technologies Network Technologies Glenn Strong Department of Computer Science School of Computer Science and Statistics Trinity College, Dublin January 28, 2014 What Happens When Browser Contacts Server I Top view:

More information

Oracle Web Cache 11g Overview

<Insert Picture Here> Oracle Web Cache 11g Overview Oracle Web Cache 11g Overview Oracle Web Cache Oracle Web Cache is a secure reverse proxy cache and a compression engine deployed between Browser and HTTP server Browser and Content

More information

1.5.5 Cookie Analysis

1.5.5 Cookie Analysis 1.5.5 Cookie Analysis As part of the first audit, Facebook were asked to provide an explanation of the purpose of each of the identified cookies. The information provided at the time has been reviewed

More information

Force.com REST API Developer's Guide

Force.com REST API Developer's Guide Force.com REST API Developer's Guide Version 35.0, Winter 16 @salesforcedocs Last updated: December 10, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark

More information

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture #3 2008 3 Apache.

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture #3 2008 3 Apache. JSP, and JSP, and JSP, and 1 2 Lecture #3 2008 3 JSP, and JSP, and Markup & presentation (HTML, XHTML, CSS etc) Data storage & access (JDBC, XML etc) Network & application protocols (, etc) Programming

More information

Two-Factor Authentication

Two-Factor Authentication Two-Factor Authentication This document describes SonicWALL s implementation of two-factor authentication for SonicWALL SSL-VPN appliances. This document contains the following sections: Feature Overview

More information

Web Authentication Application Note

Web Authentication Application Note What is Web Authentication? Web Authentication Application Note Web authentication is a Layer 3 security feature that causes the router to not allow IP traffic (except DHCP-related packets) from a particular

More information

Administering Jive Mobile Apps

Administering Jive Mobile Apps Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Native Apps and Push Notifications...4 Custom App Wrapping for ios... 5 Native

More information

AccountView. Single Sign-On Guide

AccountView. Single Sign-On Guide AccountView Single Sign-On Guide 2014 Morningstar. All Rights Reserved. AccountView Version: 1.4 Document Version: 2 Document Issue Date: March 09, 2013 Technical Support: (866) 856-4951 Telephone: (781)

More information

Internet Technologies Internet Protocols and Services

Internet Technologies Internet Protocols and Services QAFQAZ UNIVERSITY Computer Engineering Department Internet Technologies Internet Protocols and Services Dr. Abzetdin ADAMOV Chair of Computer Engineering Department aadamov@qu.edu.az http://ce.qu.edu.az/~aadamov

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

Cache Configuration Reference

Cache Configuration Reference Sitecore CMS 6.2 Cache Configuration Reference Rev: 2009-11-20 Sitecore CMS 6.2 Cache Configuration Reference Tips and Techniques for Administrators and Developers Table of Contents Chapter 1 Introduction...

More information

Novell Access Manager

Novell Access Manager Access Gateway Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 November 16, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide Legal Notices Novell, Inc., makes no representations

More information

The HTTP Plug-in. Table of contents

The HTTP Plug-in. Table of contents Table of contents 1 What's it for?... 2 2 Controlling the HTTPPlugin... 2 2.1 Levels of Control... 2 2.2 Importing the HTTPPluginControl...3 2.3 Setting HTTPClient Authorization Module... 3 2.4 Setting

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Multi Factor Authentication API

Multi Factor Authentication API GEORGIA INSTITUTE OF TECHNOLOGY Multi Factor Authentication API Yusuf Nadir Saghar Amay Singhal CONTENTS Abstract... 3 Motivation... 3 Overall Design:... 4 MFA Architecture... 5 Authentication Workflow...

More information

An Insight into Cookie Security

An Insight into Cookie Security An Insight into Cookie Security Today most websites and web based applications use cookies. Cookies are primarily used by the web server to track an authenticated user or other user specific details. This

More information

Chapter 6 Virtual Private Networking Using SSL Connections

Chapter 6 Virtual Private Networking Using SSL Connections Chapter 6 Virtual Private Networking Using SSL Connections The FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides a hardwarebased SSL VPN solution designed specifically to provide

More information

Login with Amazon. Developer Guide for Websites

Login with Amazon. Developer Guide for Websites Login with Amazon Developer Guide for Websites Copyright 2014 Amazon Services, LLC or its affiliates. All rights reserved. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

More information

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

sessionx Desarrollo de Aplicaciones en Red Web Applications History (1) Content History (2) History (3)

sessionx Desarrollo de Aplicaciones en Red Web Applications History (1) Content History (2) History (3) sessionx Desarrollo de Aplicaciones en Red José Rafael Rojano Cáceres http://www.uv.mx/rrojano Web Applications 1 2 Content History (1) History Http CGI Web Tiers ARPANet Email, Ftp, IRC, news Explosive

More information

Startup guide for Zimonitor

Startup guide for Zimonitor Page 1 of 5 Startup guide for Zimonitor This is a short introduction to get you started using Zimonitor. Start by logging in to your version of Zimonitor using the URL and username + password sent to you.

More information

ACR Connect Authentication Service Developers Guide

ACR Connect Authentication Service Developers Guide ACR Connect Authentication Service Developers Guide Revision History Date Revised by Version Description 29/01/2015 Sergei Rusinov 1.0 Authentication using NRDR account Background The document describes

More information

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5 DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5 Deploying F5 BIG-IP Local Traffic Manager with Citrix Presentation Server Welcome to the F5 BIG-IP Deployment

More information

Kaseya 2. User Guide. Version 6.1

Kaseya 2. User Guide. Version 6.1 Kaseya 2 Kaseya SQL Server Reporting Services (SSRS) Configuration User Guide Version 6.1 January 28, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and

More information

Administering Jive for Outlook

Administering Jive for Outlook Administering Jive for Outlook TOC 2 Contents Administering Jive for Outlook...3 System Requirements...3 Installing the Plugin... 3 Installing the Plugin... 3 Client Installation... 4 Resetting the Binaries...4

More information

Traitware Authentication Service Integration Document

Traitware Authentication Service Integration Document Traitware Authentication Service Integration Document February 2015 V1.1 Secure and simplify your digital life. Integrating Traitware Authentication This document covers the steps to integrate Traitware

More information

Cookies Overview and HTTP Proxies

Cookies Overview and HTTP Proxies Cookies Overview and HTTP Proxies What is a Cookie? Small piece of data generated by a web server, stored on the client s hard drive. Serves as an add-on to the HTTP specification (remember, HTTP by itself

More information

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide IBM SPSS Collaboration and Deployment Services Version 6 Release 0 Single Sign-On Services Developer's Guide Note Before using this information and the product it supports, read the information in Notices

More information

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6 The Proxy Server THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6 2 1 Purpose The proxy server acts as an intermediate server that relays requests between

More information

Exploiting the Web with Tivoli Storage Manager

Exploiting the Web with Tivoli Storage Manager Exploiting the Web with Tivoli Storage Manager Oxford University ADSM Symposium 29th Sept. - 1st Oct. 1999 Roland Leins, IBM ITSO Center - San Jose leins@us.ibm.com Agenda The Web Client Concept Tivoli

More information

Manual. Netumo NETUMO HELP MANUAL WWW.NETUMO.COM. Copyright Netumo 2014 All Rights Reserved

Manual. Netumo NETUMO HELP MANUAL WWW.NETUMO.COM. Copyright Netumo 2014 All Rights Reserved Manual Netumo NETUMO HELP MANUAL WWW.NETUMO.COM Copyright Netumo 2014 All Rights Reserved Table of Contents 1 Introduction... 0 2 Creating an Account... 0 2.1 Additional services Login... 1 3 Adding a

More information

Remote Access API 2.0

Remote Access API 2.0 VYATTA A BROCADE COMPANY Vyatta System Remote Access API 2.0 REFERENCE GUIDE Vyatta A Brocade Company 130 Holger Way San Jose, CA 95134 www.brocade.com 408 333 8400 COPYRIGHT Copyright 2005 2015 Vyatta,

More information

APACHE WEB SERVER. Andri Mirzal, PhD N28-439-03

APACHE WEB SERVER. Andri Mirzal, PhD N28-439-03 APACHE WEB SERVER Andri Mirzal, PhD N28-439-03 Introduction The Apache is an open source web server software program notable for playing a key role in the initial growth of the World Wide Web Typically

More information

Grandstream Networks, Inc. GXP2130/2140/2160 Auto-configuration Plug and Play

Grandstream Networks, Inc. GXP2130/2140/2160 Auto-configuration Plug and Play Grandstream Networks, Inc. GXP2130/2140/2160 Auto-configuration Plug and Play Introduction: This is a technical guide targeted to PBX developers that want to learn the different mechanisms that GXP2130/2140/2160

More information

By Bardia, Patit, and Rozheh

By Bardia, Patit, and Rozheh HTTP By Bardia, Patit, and Rozheh HTTP - Introduction - Hyper Text Transfer Protocol -uses the TCP/IP technology -has had the most impact on the World Wide Web (WWW) - specs in RFC 2616 (RFC2616) HTTP

More information

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5 DEPLOYMENT GUIDE Version 1.1 Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Citrix Presentation Server Prerequisites

More information

SSL VPN Portal Options

SSL VPN Portal Options 1. ProSecure UTM Quick Start Guide This quick start guide describes how to use the SSL VPN Wizard to configure SSL VPN portals on the ProSecure Unified Threat Management (UTM) Appliance. The Secure Sockets

More information

Web Application Security

Web Application Security Web Application Security The OWASP Foundation Securing the application Input validation Authorization Session mgmt Config mgmt Authenticatio n Error handling Web server App server DB server Secure storage

More information

Integrating the F5 BigIP with Blackboard

Integrating the F5 BigIP with Blackboard Integrating the F5 BigIP with Blackboard Nick McClure nickjm@uky.edu Lead Systems Programmer University of Kentucky Created August 1, 2006 Last Updated June 17, 2008 Integrating the F5 BigIP with Blackboard

More information

Reverse Proxy Scenarios for Single Sign-On

Reverse Proxy Scenarios for Single Sign-On Sterling Secure Proxy Reerse Proxy Scenarios for Single Sign-On Version 3.4 Sterling Secure Proxy Reerse Proxy Scenarios for Single Sign-On Version 3.4 Note Before using this information and the product

More information

ATS Test Documentation

ATS Test Documentation ATS Test Documentation Release 0.1 Feifei Cai March 31, 2015 Contents 1 HTTP 3 1.1 Keep-alive................................................ 3 1.2 Connection Timeouts...........................................

More information

RoomWizard Synchronization Software Manual Installation Instructions

RoomWizard Synchronization Software Manual Installation Instructions 2 RoomWizard Synchronization Software Manual Installation Instructions Table of Contents Exchange Server Configuration... 4 RoomWizard Synchronization Software Installation and Configuration... 5 System

More information

Configuring Sponsor Authentication

Configuring Sponsor Authentication CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five

More information

Kentico CMS security facts

Kentico CMS security facts Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the

More information