Add Per Request - Token Based Authentication To Mvc Site

Apr 4, 2011

I have an existing asp.net mvc website that uses basic forms authentication. The site has a login page that posts back to a login action, which logs the user in via FormsAuthentication.SetAuthCookie(). I am looking to add an api to the site, as an mvc2 area, where users would be authenticated based on a token passed as an http header. This area will consist of only json actions, so redirecting the user to a login page doesn't make sense. Instead, I want the users to just pass a token along with each request. That token is mapped to each user account and the user would be authenticated automatically.

I'm struggling with where to put this logic. At this point, the best choice seems to be adding the header lookup logic and authentication to the Global.asax in the Application_AuthenticateRequest method. I want to avoid needing to redirect the user after calling FormsAuthentication.SetAuthCookie(), though. I want the login action to be transparent to them. Am I approaching this the wrong way? As a side note: Requiring a username/password for api requests is not possible, as the site has a mix of users. Some joined using OpenID while the rest joined with a username/password.

View 1 Replies


Similar Messages:

Security :: Use Token Based Authentication?

Mar 2, 2010

How to create a unique token with properties like expiration time?

Is there any standard method provided by Microsoft?

View 2 Replies

IIS 7.0 - Every Site Suddenly Redirecting Root Request To Forms Authentication?

Apr 30, 2010

Suddenly, IIS 7.0 is redirecting every request for the root of any domain hosted on the box to ~/Account/Logon, which is our Forms Authentication redirect. Additionally, some JavaScript and image requests are being similarly redirected, but not other aspx pages.

EDIT: It turns out that something has gone wrong with the disk permissions. Can anyone point me to the way things are supposed to be in Windows Server 2008 for a standard ASP.Net installation? The disk permissions are out of whack now.

View 1 Replies

Authentication Through A Token Pass In MVC?

Sep 15, 2010

I'm working on a solution to part of my company's site that is done in 2 different languages. My part of the project is in ASP.NET, and the login portal is in a different language. We pass authentication credentials by storing login information in the database on the portal page and then sending a corresponding token to the URL in the page written in .NET. In almost all the tutorials and articles I've read about security for ASP.NET, and most languages, the message has generally been "just use the built in stuff and don't mess with it".

I have code that takes the token, goes into the database and gets the user details.. what do I do then to integrate that into the built-in security stuff for ASP.NET? I'd like to ultimately use Action Filters for authorization on my controllers.

View 1 Replies

WCF / ASMX :: SSO Authentication Token And POX Interfaces

Jul 28, 2010

We have an SSO authentication service that other externally facing web pages and services use to authenticate users. A user tries to reach a service; if no cookie is found containing an authentication token, they are redirected (HTTP 302) to the SingleSignOn authentication service. The auth service does its work, and redirects the user (HTTP 302) to the original URL with their encrypted authentication token in the URL. Great. How can I invoke this from a WCF POX service? No SOAP here, just HTTP GET/POST with XML responses.

What I'm currently doing is, in each service method implementation method, checking the headers for the cookie. If the cookie exists, verify the auth token and process the request. If the cookie doesn't exist or the auth token has expired, then respond with:

[Code]....

That works, but isn't integrated with any of the WCF features, and requires me to manually code for a whole bunch of scenarios. Is there a way I could implement this using these classes:

[Code]....

or use some other means that checks each request to the service? I've been reading pages like: How to: Create a Custom Token, but I don't see how it applies to my needs. I'm looking into this because I have some time before my project kicks off, and I'd like to implement this project correctly and learn about WCF as much as I can.

View 2 Replies

IE Not Saving Authentication Token / Cookies?

Oct 30, 2010

I have an asp.net site. It's a mixture of web forms and MVC2.

I have this on 2 different servers which I get to via different urls.

On one server authentication works fine via all browsers (IE 8, FF 3.6, Chrome)

On the other IE 8 fails, it doesn't send back the cookie on the request to the page after authenticating.

Using Fiddler I have seen that both sites attempt to set the cookie, in the response from the login page.

Response Header I see from both servers
Set-Cookie: DemandLaunch=CCA4...E79C2D1; path=/; HttpOnly

Both sites are in the internet zone of IE.

I'm at a loss for what to check now.

I also have a page that sets a cookie via c# code and that cookie fails in IE as well.

The IE issue is not on a single computer either. I see this failure in Internet Explorer on 4 different computers.

My urls which I should have included were:

beta.[site].com - works
beta_[company].[site].com - fails

View 1 Replies

Windows Authentication Header Token Not Being Sent?

Feb 21, 2011

I'm trying to get an ASP.NET application to use Windows authentication. I have disabled anonymous auth and enabled Windows auth in IIS7. On my dev box (my workstation, localhost) I can use Fiddler and see the proper token is passed in through the header and I'm not prompted. Everything is working fine and I'm authenticated as my domain user.

However, on a remote server on our domain, with identical settings, I continually get prompted. We need it to automatically send the domain authentication for windows auth.

Does anything in IE need to be configured for this to happen for a remote machine on the same domain?

View 2 Replies

How To Get Anonymous Authentication Token For Profile Support

Jun 14, 2010

So I have an asp.net Web Application (Not Web Site) that I am trying to support profiles for anonymous users. I have a form and I want anonymous users to be able to enter their name and email only once, and have that information automatically accessible on the next load for them.

In my Web.config I have anonymous ID setup like so:

<anonymousIdentification enabled="true" cookieless="AutoDetect" />

I have my profile section setup like this:

<profile defaultProvider="SqlProvider" enabled="true" inherits="QA_Web_Tools.UserProfile">
  <providers>
    <clear />
    <add connectionStringName="QAToolsConnectionString" name="SqlProvider"
         type="System.Web.Profile.SqlProfileProvider" />
  </providers>
</profile>

Finally, due to my app being a Web App and not a Web Site, I am using the profiles via this custom object:

using System.Web.Profile;
using System.Web.Security;

public class UserProfile : ProfileBase
{
    // Load the profile stored under an explicit user name.
    public static UserProfile GetUserProfile(string username)
    {
        return Create(username) as UserProfile;
    }

    // Load the profile of the currently logged-in membership user.
    public static UserProfile GetUserProfile()
    {
        return Create(Membership.GetUser().UserName) as UserProfile;
    }

    [SettingsAllowAnonymous(true)]
    public string FullName
    {
        get { return base["FullName"] as string; }
        set { base["FullName"] = value; }
    }

    [SettingsAllowAnonymous(true)]
    public string BuildEmail
    {
        get { return base["BuildEmail"] as string; }
        // The setter must use the same property key as the getter.
        set { base["BuildEmail"] = value; }
    }
}

This code is based off of this reference. The issue is that that code does not support anonymous users, or if it does I don't know how. I can't use the GetUserProfile() method with no parameters because if the user is anonymous, Membership.GetUser() is null. I could pass the anonymous ID token into the first GetUserProfile(string username) method but I can't find any way to get the anonymous ID token for the current user. Does anyone know how to get this information? Google doesn't seem to be returning useful results.

View 1 Replies

Security :: Pass Credential From On Request To Another Request (one Site To Another Site)?

Jul 27, 2010

WebApp1: on IIS and configured with Windows authentication. Get User account from AD.

WebAPP2: a java web app on another windows box in same domain with authentication from AD

On web app1, I have a http handler like

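using System;
using System.Net;
using System.Web;

public class MyHandler : IHttpHandler
{
    // Required by IHttpHandler.
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        string url = "http://WebApp2/Test";
        HttpWebRequest myReq = (HttpWebRequest)WebRequest.Create(url);
        CredentialCache myCache = new CredentialCache();
        // Credentials are hard-coded here and sent to WebApp2 using Basic authentication.
        NetworkCredential netCredential = new NetworkCredential("myname", "mypassword", "");
        myCache.Add(new Uri(url), "Basic", netCredential);
        //...
        myReq.Credentials = myCache;
        //....
    }
}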

In the above way, I can set authentication in code and pass it to WebApp2.

But I don't want to put the name and password in code. User info is already available on WebApp1: in context.User I can find the info of the user who has already logged in to WebApp1, so I want to pass this credential to WebApp2. I have tried to do the following:

myReq.Credentials = CredentialCache.DefaultCredentials;

but it failed because there is no data in CredentialCache.DefaultCredentials.

View 1 Replies

Security - Securing Forms Authentication Token On Client Side?

Jul 16, 2010

In my website, I am not using any authentication or authorization. I've created a login page to capture the user credentials and check them against the database. If the user successfully authenticates, it stores the user data in session and navigates to other pages. I am now thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in the client browser for security reasons. Does anyone have any ideas how to secure the authentication token?

View 1 Replies

Security :: Pass Authentication From Site A To Site B ( Windows Credential)?

Dec 21, 2010

I have 2 websites, A and B.

Site B uses Windows authentication.

I want to open site B in a new window from site A, so it asks for Windows credentials. I have the credentials in site A. I am opening site B using JavaScript window.open.

How can I set the credentials for site B from site A?

View 2 Replies

Security :: Using AD Authentication With Form Based Authentication & AzMan

Sep 2, 2010

I needed information regarding the capabilities and integration of the AzMan tool with ASP.NET. Currently, I have a SharePoint 2007 website along with ASP.NET 2008 where I am using Form Based Authentication. Now, the requirement is that any user within a domain registered in AD should be able to log in to the website through the intranet.

Can I achieve this using AzMan, or do I need to create two websites, one with FBA for internet users and the other one for the intranet users with AD authentication? Also, my internet website is deployed and in use, where user mapping and roles are already created, so what will be the impact of using this tool on the existing website?

View 2 Replies

VS 2008 - Restricting Access To Web Pages (on Intranet Site) Based On Role Based Authorization

Jul 12, 2011

I have a simple intranet site. It has a role based authorization in the web.config file.

Any users in a specific role called "Apr-Sales-Writers" will be authorized to use those pages. If not, they will not be authorized. So far so good. Works fine. But we added additional functionality where a new Active Directory group (meaning a new role) has to be added, and users belonging to this new AD group should be given access to only specific .aspx pages on the intranet site. I am using a web.sitemap and it looks like this.

If the users belong to, say, AD group "Apr-Sales-Writers", they should access only the default.aspx and salesData.aspx pages. Users belonging to the new AD group (which I did not include in the web.config file below) should have access to other .aspx pages.

[CODE]<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
<siteMapNode url="default.aspx" title="Home" description="Home">
<siteMapNode title="sales Data" description="sales Data">
<siteMapNode url="salesData.aspx" title="sales Data" description="sales Data" />

[Code] ....

View 7 Replies

Best Way To Perform Authentication On Every Request?

May 31, 2010

For every incoming request I need to perform custom authorization before allowing the file to be served.

(This is based on headers and contents of the querystring. If you're familiar with how Amazon S3 does rest authentication - exactly that).

I'd like to do this in the most performant way possible, which probably means as light a touch as possible, with IIS doing as much of the actual work as possible.

The service will need to handle GET requests, as well as writing new files coming in via POST/PUT requests.

The requests are for an arbitrary file, so it could be:

GET http://storage.foo.com/bla/egg/foo18/something.bin

POST http://storage.foo.com/else.txt

Right now I've half implemented it using an IHttpHandler which handles all routes (with routes.RouteExistingFiles = true), but not sure if that's the best, or if I should be hooking into the lifecycle somewhere else?

I'm also interested in supporting partial downloads with the Range header. Using

response.TransmitFile(finalPath);

as I am now means I'll have to do that manually, which seems a bit low-level?

View 2 Replies

How To Intercept An Authentication Request In Webform

Nov 30, 2010

I have users who are losing their data because they sit on a page too long, then are asked to log back in. I want to do the following:

1) Instead of redirecting them to a login page, I want to cancel the current request and give the user a popup dialog box to login with.

2) When the login is successful, I want the user to be sent back to their form, with all data intact. (Even better if the request could go through without sending them back to that form, but this is optional).

How can I intercept these authentication requests, and present the user with a popup login?

I am using ASP.net forms authentication.

View 2 Replies

Security :: Authentication When Web Service Is Being Request?

Feb 10, 2010

I am using .NET roles and membership model to manage user accounts in my system back-end.

If the request comes from within my web-app, I can authenticate through a form.

But if the user is requesting from elsewhere, maybe their own apps, how do I do authentication?

Attach username and password (GET/POST) and then secure the line by SSL? Is that what I should do?

View 3 Replies

MVC :: Capture If Authentication Request Failed?

Mar 30, 2011

Using Forms Authentication in an MVC application, is there a way to capture if a particular authentication request has failed? For instance, if I have a controller attributed [Authorize( Roles="Admin" )] and a user not within the Admin group attempts to use it, I'd like to do something with that on a case by case basis. Is this possible?

View 5 Replies

C# - Request For Another Page From Aspx Site?

Apr 20, 2010

Is it possible to do a request for another page on the internet from Page_Load? I mean, is it possible to acquire markup code with information from another page and display it on my aspx site? For example something like this:

protected void Page_Load(object sender, EventArgs e)
{
    UnknownType anotherSite = GetMarkupCode("www.fifa.com");
    // parse anotherSite
    // ...
    // display parsed information
}

If it is possible, how can I do that?

View 3 Replies

Retrieve The Ip Of The Site (server) That Send The Request?

Oct 16, 2010

I have an aspx page that handles form data submitted from a few websites. How can I retrieve the IP of the site (server) that sends the request (not the IP of the user that uses the site and fills in the form)? If the form is hosted on a server like 55.343.33.343, I need to retrieve this IP in the handler page. (Just to be clear: the handler.aspx is hosted on one server, xx.xx.xxx.xx, and the forms are hosted on other servers, cc.ccc.cc.cc, yy.yyy.yy.yy etc.)

View 8 Replies

Web Forms :: Call Function Based On Xml Request?

Apr 2, 2010

I have to call functions in the data access layer depending on the type of XML request:

xmlreq.LoadXml("<Request><UserName value=""UserName""></UserName><Password value=""Password""></Password></Request>")
msg.Request = xmlreq

How would I call dataAccessLayer.Function1() if xmlreq looks like the above (username and password), else call function2()?

View 1 Replies

Security :: First Authentication On New Site?

Sep 5, 2010

I am taking an existing ASP.NET site with authentication, membership & roles and updating it. In the process I am pulling the authentication portion off of the site and using an SSO (through Central Authentication Services - CAS). I need to retain the use of the membership and roles of .NET. Right now my site allows users to add an account and I approve and add them to groups. Since I will no longer do the account management I still need a way to add them to the proper groups once they have an account.

The question is sort of a chicken/egg question... Since I am the admin I need to add myself first, but since the authentication is no longer local how do I do this? Do I develop a special function just to add my account and then other pages to manage the rest?

View 2 Replies

How To Request The Extended Permission At The Time Of Authentication Only In Facebook App Development

Nov 8, 2010

I am developing a facebook application in asp.net using the facebook developkit downloaded from [URL] website.

I am practicing a sample application in SDK 3.02samplesIFrame.

They have given an attribute called RequiredAttribute = true in IFrameMaster.Master.cs, which will access the basic information.

But I want to request for extended permission in the same screen itself.

For that I have used this.RequiredPermissions = new List<Facebook.Schema.Enums.ExtendedPermissions>() { Facebook.Schema.Enums.ExtendedPermissions.publish_stream, Facebook.Schema.Enums.ExtendedPermissions.offline_access };

But there is no use.

Is there any way to do it?

View 2 Replies

Component Versus Action/Request Based Frameworks

Jul 8, 2010

Probably one of those things you know and use every day without thinking what it is:

Do you think Component based frameworks are better than Action/Request based web frameworks?

From the naming I think I'm using both (of course, I must be wrong if things are asked like this).

My web front-end (Pages and Code behind / Views and Controllers) are Request/Action while my other layers are Component based...no?

Or does this apply to specific frameworks or ways doing things?

View 4 Replies

Flash - Associate Session With Client / Request Based On Ip

Mar 18, 2010

In one web page we use a Flash upload control, but because of a Flash bug in the upload event the session is lost, as it's posted back with a new session.

We have thought of using a table with IP and old session id, or a query string with the old session id, in order to reassign it in the uploaded event...

Knowing the old session id, how can I reassign it to the client? (In C#)

View 2 Replies

MVC :: Dynamically Change The Controller During A Request Based Upon A Parameter?

Aug 11, 2010

I have a requirement whereby I need to be able to change the controller being used based upon a parameter. I am creating an application that needs to be dynamic enough to be able to change controllers on the fly. Let me explain further;

When the application starts a dictionary of custom controller names is loaded with a controller name as the key and a custom controller name as the value. This will be held in the application scope.

When a request is made I need to access the requested controller name, use that name and check to see if it matches a key in my controller dictionary and if so, replace the requested controller name with the custom controller name from the dictionary.

example;

My dictionary will contain data as follows
Key: 'Home', Value: 'Home_IN'
Key: 'Customer', Value: 'Customer_BE'

Now, the following request is made 'User/Edit/1'. Does the controller name exist in the dictionary? No, continue with original request.

Now, the following request is made 'Home/Details/2'. Does the controller name exist in the dictionary? Yes, replace the original controller name 'Home' with the custom controller name 'Home_IN' so changing the requested URL to be 'Home_IN/Details/2'.

Does this make sense?

My problem here is knowing exactly where in the request cycle I need to do this?

I am assuming I need to create my own custom controller factory?

View 7 Replies






