Secure WCF Operations Depending On The User For Authorization Means?
Jan 27, 2011
My scenario is a 3-tier app where the data tier is a SQL Server database, the middle tier is a WCF application hosted in a Windows Service, and finally the presentation is an ASP.NET MVC application. As usual, the middle tier is the one that performs all of the business logic: access the database, define business rules, etc. But now here's the question: how do you handle security in such a scenario? I mean, the user has to log in on the ASP.NET application, but I want to authenticate it not only in ASP but in the WCF middle tier as well, since a WCF service is supposed to be accessed by more apps.
I want the user to log in on the ASP.NET application and let WCF know the credentials as well. Is there some kind of session in WCF in which to specify a logged-in user? How do pros handle security in this case? I know you can secure the WCF services with message security, but how do ASP.NET and WCF sync on a single logged-in user? I want to secure WCF operations depending on the user for authorization means.
View 2 Replies
Similar Messages:
Aug 11, 2010
I am using validators for validation, and on a LinkButton I am displaying a popup. My problem is that I want to disable the LinkButton until the page is validated, meaning the popup should not be displayed until the page gets validated.
<asp:LinkButton ID="LinkButton1" runat="server" CssClass="addProduct-disable" Enabled ="false"
Text="Assign Filter Criteria" CausesValidation="true"></asp:LinkButton>
View 2 Replies
Jun 28, 2010
When a user attempts to directly visit the URL admin.aspx, and they are not an admin, they are redirected to the login page. However, when the user then attempts to visit ViewWeek.aspx, it indicates that they are still logged in. Why does this ASP.NET authorization boot the user to the login screen, yet keep the user logged in? I'd rather it just direct the user to the default URL specified in the forms tag.
Here's my Forms Authentication:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" defaultUrl="ViewWeek.aspx" timeout="50000000" />
</authentication>
View 1 Replies
Sep 22, 2010
How can we log user operations for an ASP.NET application? Further, what is the approach for saving the log data?
View 3 Replies
Mar 29, 2011
I am using ASP.NET MVC 3 and am trying to do something that should be really straightforward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
[code]....
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
View 1 Replies
Jan 14, 2010
I'm writing an application that will be accessed by different groups of users. I have one aspnetdb for logon; then depending on which group a user belongs to, I want to point them at a different 'content' database. Each user wants similar information, but unique to each group, so the schema of each database will be the same, but the content will be different. We're probably talking a dozen or so groups here.
What's the best way to achieve this? Would roles do? I could put each user into a specific role, group1, group2 etc, then check which role a user was in and use a connection string in the web.config file based on that. This seems like it would work, but it seems a bit of a kludge. A dozen or so connection strings doesn't seem too much of a problem, but it doesn't really seem the correct use for roles.
View 7 Replies
May 19, 2010
I have an application used only on my site, and I'm interested in putting it into production at a global scope, with the same instance for all the sites.
The fastest solution I have in mind is to use the current database for each different site, as a copy from the current system, and add/clean a new one when a new site starts using it.
For this purpose I thought of a front database where to check the logged-in user's site and then, depending on the user configuration, access his own site database.
I'm now using a connection string called ConnectionString1 in all the controls/code-behind database access. Then, my trouble is how to make it configurable to point to a certain database with the same connection string name but a different connection string value depending on the user who has logged in, in order to not modify the current code I did. The only work I must do is change the LogIn page to select the appropriate database to access.
web.config:
[Code]....
View 8 Replies
Nov 30, 2010
I am going through the Security Tutorials here on ASP.Net. I am currently working on the last part of the Membership - User-Based Authorization. The tutorial covers restricting access to specific pages or to directories using a second Web.Config file. I am running into a problem with the myLogin page DestinationPageURL. Here is what is happening: 1. When the website starts, the Login page opens. 2. If I log in with an existing user, I am sent to the Default.aspx page. That is what is in the myLogin.DestinationPageURL for the login page.
View 1 Replies
Mar 31, 2010
Access to my application is controlled by user accounts. I would like my text labels to change within my pages depending on the user logged in. This needs to be easily managed.
What is the best way to achieve this? Would using the resources file work?
View 6 Replies
Jun 30, 2010
I have a page that I need to disable, or redirect to another page, if a different type of user logs in.
The application has this page for one type of user, but another type of user is not allowed to access it.
How would you do this type of thing?
View 3 Replies
Feb 15, 2010
I have two user groups set up in AD and I'm "authorizing" against these in my web.config file:
[Code]....
What I need to do is redirect the user if they are a member of "CD" or "Individual".
View 2 Replies
May 7, 2015
Let's suppose my application is deployed on a server located in the USA. Now if any client visits my website from anywhere and from any device, e.g. mobile, iPad, Surface or laptop, and I want to save his local time, then what should I use?
DateTime.Now;
or
TimeZone curTimeZone = TimeZone.CurrentTimeZone;
var yourTime = TimeZoneInfo.ConvertTime(DateTime.Now, TimeZoneInfo.Local, TimeZoneInfo.FindSystemTimeZoneById(curTimeZone.StandardName));
Tell me the difference between both commands.
View 1 Replies
Jan 27, 2011
I am using ASP.NET authentication and authorization with forms authentication for my web application.
When I create a new user using the ASP.NET create user control, the newly created user automatically gets logged in, and the already logged-in user loses his session.
I don't know why this is happening. Is there some setting for this?
View 1 Replies
Mar 28, 2011
Suppose some users log in to my web app. They get authenticated (as something other than the anonymous user), so they can access any resource in the directory. The system.web/authorization section of web.config is set to deny access to anonymous users like this:
<system.web><authorization>
<deny users="?" />
</authorization></system.web>
Actually, from what I understand, this only protects files accessed through the ASP.NET system. If I drop a JPG file in there, it's accessible to everyone, without authentication/authorization. In order to ensure all files are protected, there's a different section for that:
<system.webServer><security><authorization>
<add accessType="Deny" users="?" />
</authorization></security></system.webServer>
Of course, now when someone attempts to access the JPG file, they don't get redirected to the login page. Instead, they get a nasty HTTP Error 401.2 - Unauthorized.
Now, suppose a user causes a file to be created on the server. How, in the context of this elaborate Forms Authentication and Authorization scheme, do I ensure that only that user's web browser can access the file via its URL? For example, must I modify the web.config file? If so, do I have to do this manually or can it be done through code? Will modifying it frequently cause the application to be interrupted/restarted?
View 2 Replies
Jun 11, 2010
I am building a website and I need to somehow store some information that I will use across the whole site depending on the type of user logged in.
Example:
1) User XPTO logs in
2) Query the database to see where he belongs
3) Store those 2 or 3 fields that I will get from the database in a persistent way to use across the whole site.
What are the best practices to do this?
View 4 Replies
Oct 27, 2010
I am currently using the built-in ASP login function... the destinationpageurl of that login function locates to "loginhome.aspx" for all users... but for one specific user ("Admin") it needs to link to "adminhome.aspx"... just wondering what's the best way to do this? Can I change the destinationpageurl of the login function depending on the user or creating an admin role so "If membershiprole = 'Admin' redirect to 'adminhome.aspx' End If" or can I just add some code behind the login function so "If User.login.Name = 'Admin' Then destinationpageurl = 'adminhome.aspx' End If" think I have already tried this on the login1_authenticate event but it didn't work
View 3 Replies
Jun 11, 2010
I'm building a website and I need to somehow store some information that I will use across the whole site depending on the type of user logged in. 3) Store those 2 or 3 fields that I will get from the database in a persistent way to use across the whole site. My question is: what are the best practices to do this?
View 1 Replies
Jul 13, 2010
My web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically log in the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
View 1 Replies
Oct 25, 2010
I have a browser compatibility problem with HTTPS. I have SSL installed and it is in use. Until this morning, my HTTPS part was working well. Since then, HTTPS is shown as https (slashed in red color), saying the page has some insecure content. I have not changed any code and suddenly I see this problem in Chrome. In IE 8, I see the same problem, but on every page it shows me a popup asking if I should allow it to open secure and non-secure or just secure. Firefox has no issues. It shows correct HTTPS without any problem. I am fed up with searching all over. Why is this happening for me in Chrome and IE 8?
View 3 Replies
Mar 1, 2010
In my environment, we use Active Directory as our password repository. I'm writing an app that uses the user's Windows session (Windows auth) to authenticate the user. This is working well, but I need to provide a way for users to log in as a different user. I set up a web form to accept a username and password. My question is this: I need a secure way to validate the user's credentials against AD. I can't have the credentials passed as clear text. I've come across the impersonate user functions, but I'm leery because you have to pass a clear text password into the password field. I know I could also use LDAP, but without a certificate, I know plain LDAP is relatively insecure. Can someone point me in the right direction of a more secure solution to query AD with the credentials?
View 3 Replies
Apr 16, 2010
I have a Menu control in MasterPage based on web.sitemap file. My website has roles enabled (AspNetWindowsTokenRoleProvider) and uses Windows authentication mode. So, user has to be in a specific Windows Group to be able to access the site. I need to allow some users to see all menu nodes and some restricted set of nodes. How do I do that?
I would like to be able to create, say following Windows groups:
domain_name\my_app_users
domain_name\my_app_superusers
domain_name\my_app_admins
and code sitemap nodes this way:
<siteMapNode url="~/MOC_Masterdata_MOC_Approvers_Plain.aspx" title="MOC Approvers" description="MOC Approvers" />
View 5 Replies
Oct 24, 2010
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to an HTTPS page to perform the login, but I definitely don't want to send login credentials to the server in plain text.
I am trying to find a method to send the user's login credentials encrypted via HTTPS from a non-secure (HTTP) page.
I tried to set the postbackurl for the login button to itself but in HTTPS, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are available on every page and they are running HTTP and I can believe they are not encrypting the login credentials.
View 3 Replies
Apr 8, 2010
The requirement is to stop more than one user from logging in at a time using the same user ID. I am storing the user ID in session. I searched the internet and found some ways, but somehow they do not work in these situations: if JavaScript in the browser is turned off; if the user does not click logout and directly closes the browser.
View 3 Replies
Feb 10, 2010
I have created an ASP.NET site with anonymous access turned off. It's for an internal (intranet) system which uses User.Identity.Name.ToString() to get the user's Windows login ID and then displays some records from a datagrid depending on their login ID. Is this secure? Also, I am struggling to work out how best to store the result of User.Identity.Name.ToString(), as I am not keen on storing it in a hidden text field and would rather not call it all the time unless this is the best way?
View 3 Replies
Nov 2, 2010
I have an asp TreeView that has images associated with each node. I am using this CSS that I found on the web to create spacing between the image and the node text:
[Code]....
It works fine, the thing I am struggling with understanding is the " img" part of the style declaration. What is that? It seems apparent that the style pertains to the image portion of a TreeView... How do I know what values can be there? I.E. Is ".TreeView node" valid?
View 5 Replies