Best Way To Perform Authentication On Every Request?
May 31, 2010
For every incoming request I need to perform custom authorization before allowing the file to be served.
(This is based on headers and contents of the querystring. If you're familiar with how Amazon S3 does rest authentication - exactly that).
I'd like to do this in the most perfomant way possible, which probably means as light a touch as possible, with IIS doing as much of the actual work as possible.
The service will need to handle GET requests, as well as writing new files coming in via POST/PUT requests.
The requests are for an abitrary file, so it could be:
GET http://storage.foo.com/bla/egg/foo18/something.bin
POST http://storage.foo.com/else.txt
Right now I've half implemented it using an IHttpHandler which handles all routes (with routes.RouteExistingFiles = true), but not sure if that's the best, or if I should be hooking into the lifecycle somewhere else?
I'm also interested in supporting partial downloads with the Range header. Using
response.TransmitFile(finalPath);
as I am now means I'll have to do that manually, which seems a bit lowlevel?
I have 2 web sites both located physically on the same web server, I'll call them siteA and siteB. These sites are accessed by internal users on our intranet as well as external users on the internet.
SiteA is is setup on IIS6 using basic authentication which we connect to an active directory. The web config is set to use Windows authentication mode. The url to site a is etoolbox.xxx.yyy
SiteB is the same setup. The url to siteB is rdow.xxx.yyy
What I want is once the user is authenticated against the active directory when the login to SITEA for them to be able to click the url in siteA which opens SiteB in a separate browser window and automatically takes them to the welcome page without being prompted for credentials again.
Currently when clicking on the url to go to siteB I am being prompted again for my credentials.
Is there any way for both external and internal users to only be prompted once for their active directory credentials and then be able to go to whatever site they want to without be prompted for credentials again? Is this something I have to code for or is it handled automatically by IIS?
I have user's who are losing their data because they sit on a page too long, then are asked to log back in. I want to do the following:
1) Instead of redirecting them to a login page, I want to cancel the current request and give the user a popup dialog box to login with.
2) When the login is successful, I want the user to be sent back to their form, with all data intact. (Even better if the request could go through without sending them back to that form, but this is optional).
How can I intercept these authentication requests, and present the user with a popup login?
Using Forms Authentication in an MVC application, is there a way to capture if a particular authentication request has failed? For instance, if I have a controller attributed [Authorize( Roles="Admin" )] And a user not within the Admin group attempts to use it, I'd like to do something with that on a case by case basis.Is this possible?
I have an existing asp.net mvc website that uses basic forms authentication. The site has a login page that posts back to a login action, which logs the user in via FormsAuthentication.SetAuthCookie(). I am looking to add an api to the site, as an mvc2 area, where users would be authenticated based on a token passed as an http header. This area will consist of only json actions, so redirecting the user to a login page doesn't make sense. Instead, I want the users to just pass a token along with each request. That token is mapped to each user account and the user would be authenticated automatically.
I'm struggling with where to put this logic. At this point, the best choice seems to be adding the header lookup logic and authentication to the Global.asax in the Application_AuthenticateRequest method. I want to avoid needing to redirect the user after calling FormsAuthentication.SetAuthCookie(), though. I want the login action to be transparent to them. Am I approaching this the wrong way? As a side note: Requiring a username/password for api requests is not possible, as the site has a mix of users. Some joined using OpenID while the rest joined with a username/password.
I am developing a facebook application in asp.net using the facebook developkit downloaded from [URL] website.
I am practicing a sample application in SDK 3.02samplesIFrame.
They have give an attribute called RequiredAttribute = true in IFrameMaster.Master.cs, which will access the basic information.
But I want to request for extended permission in the same screen itself.
For that i have used this.RequiredPermissions = new List() { Facebook.Schema.Enums.ExtendedPermissions.publish_stream, Facebook.Schema.Enums.ExtendedPermissions.offline_access };
Suddenly, IIS 7.0 is redirecting every request for the root of any domain hosted on the box to ~/Account/Logon, which is our Forms Authentication redirect. Additionally, some JavaScript and image requests are being similarly redirected, but not other aspx pages.
EDIT: It turns out that something has gone wrong with the disk permissions. Can anyone point me to the way things are supposed to be in Windows Server 2008 for a standard ASP.Net installation? The disk permissions are out of whack now.
I am getting this error many times in the event log , and users are logged out .
Event code: 4005 Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired. Event time: 3/10/2011 3:35:22 PM Event time (UTC): 3/10/2011 8:35:22 PM [code]...
I am not using web farms. I do not think the app pool is recycling , i compared the Process ID in several events and it is equal . My machine key is not AutoGenerate .
My event log is flooded with this message: Forms authentication failed for the request. Reason: The ticket supplied has expired.I think this happens when people timeout instead of logout.First of all , this is not an error, it's Type: InformationI don't want this information, how do I stop ASP.NET from logging it?My application is not web-farmed, and uses a static machine key.
I am getting following error in the Test which is in the same Box but IIS requires Https to view the Page. I have change Web.Config to accept https. I was able to add the Service References without any problem but while call the method I get The HTTP request was forbidden with client authentication scheme 'Anonymous'. this error message. I am trying to use userNameAuthentication.
While trying to access the service without specifing the user credentials everything work's ok and the current user(Thread.CurrentPrincipal.Identity.Name) at service is the logged in user.
When I try to set user credentials this way:
[Code]....
The service just ignores them.
When I try it this way:
[Code]....
I'm getting this error: "The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'."
I am connecting to remote server for web service using ASP.NET 3.5 web site. something like, [URL]. Remote server is providing digest authentication to access the web service. I dont have access to modify authentication on the remote server but I have an windows account on that server. If I try to Access service WSDL through programming I get the following error:
The request failed with HTTP status 401: Unauthorized. Same web service if I try to access through browser, [URL], it asks for user name and password. Entered windows account user name and password, still getting error: You are not authorized to view this page, HTTP Error 401.1 - Unauthorized. How to pass the digest authentication credentials to the web service through visual studio or any other programmatic method?
we recently upgrated our project from 1.1 to 2.0. since then we are seeing "Forms authentication failed for the request. Reason: The ticket supplied has expired" in Event Viewer. this keeps coming 1-2 times for every minute. this is the full message. this also made the response time increased it seems.
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
I've recently enabled Digest Authentication on an intranet website/application I am creating for my company in ASP.NET.
The reason I have done so is because Windows Authentication seemed to only work for some users, and not for others. I could not figure out why nor do I know enough about IIS to try and trace the issue. After some trial and error, I found that digest authentication seemed to give me the behaviour that I wanted. That is: allow only users with a valid account on the domain to log in to the website with their credentials.
The problem now, is that Firefox (3+) seems to ask for the user to authenticate on every HTTP request sent to the server. This does not appear to occur in Internet Explorer (6+) or Chrome.
I've tried searching for solutions but I always arrive at dead-ends. I'll find a discussion about the issue, and every posted solution leads to a dead link...or it's on Experts Exchange and I don't have access to view to solution.
The issue appears to be related (from what I've read) to the way the different browsers send their authentication headers vs how IIS interprets them. I'm not sure what I can do to change this though? One of the solutions I had found mentioned writing an ISAPI filter to fix this, but of course the link to the finished filter was broken and I have no idea how to go about making one myself.
I've tried messing with the NTLM and other auth related strings in about:config to try and force Firefox to trust my server but that doesn't seem to work either.
From a few other sources I've read, it appears that everything should work if I switch back to Windows Authentication, but then I'm back at square one where the authentication would work only for some users and not others.
A solution for either problem would work for me, but I have very little information for the Windows Authentication issue. If someone could guide me through tracing the problem I'd gladly post more information for it as well.
Just going to start making a web application and was wondering which was better, or at least what are the main differences between them (as it probably matters what I am using them for)?
I have a webservice which works 100% fine on my developer machine. Where Web Service is installed on LOCALHOST on my developer machine,Then i went to my servers, I installed webservice on one server and map it with the server where the website is hosted, Then i tried accessing this service using BROWSER from my web server, it worked fine, That means the mapping was done perfect.Then i run my program on web server (website). It worked fine on page1, then on page2, but when i did the same and call same function on page3, It popped me any error of
Is it at all possible to inject a request into IIS for a page, have IIS and ASP.Net handle it as normal, but get the response as html handed back to me programmatically?
Yes, I know that I could connect to port 80 using WebRequest and WebResponse, but that becomes difficult if you are accessing the IIS server from the same physical machine (loopback security controls et al).
Basically, I want to inject the request (eg for [URL]) between the points at which IIS would normally talk to the browser, and the point at which it would route it to the correct ASP.Net application, and get a response back from IIS between the points at which ASP.Net/IIS applies the httpfilters and hands the html back to the browser.
I'm predominantly working with IIS7 so if there is a solution that works just for IIS7 then thats not an issue.
when i browse the page with firefox and click on the input Request.Params["btnshoppingCart"] != null or Request.Form["btnshoppingCart"] != null is statisfied.
When i browse the same page with internet explorer 8 and click on the same input Request.Params["btnshoppingCart"] != null or Request.Form["btnshoppingCart"] != null is not satisfied. When i used the watch i saw that there is no key by the name of "btnshoppingCart" in either Request.Form or Request.Params if input is clicked from internet explorer. However when it is clicked from firefox there is value "shoppingCart" inside Request.Form and Request.Params against "btnshoppingCart" key. One more strange thing that i observed was that are two keys "btnshoppingCart.x" and "btnshoppingCart.y" inside both Request.Form and Request.Params whenver clicking is done from both internet explorer and firefox. This is happening against all inputs of type image irrespective if the input is present inside a html form or not. Forms are created like this
<% using (Html.BeginForm("Action", "Controller", FormMethod.Post)){%>
The version of internet explorer is 8.0 and firefox is 3.6.6
I there a way to know if a request is a soap request on AuthenticateRequest event for HttpApplication? Checking ServerVariables["HTTP_SOAPACTION"] seems to not be working all the time.
public void Init(HttpApplication context) { context.AuthenticateRequest += new EventHandler(AuthenticateRequest); } protected void AuthenticateRequest(object sender, EventArgs e) { app = sender as HttpApplication; if (app.Request.ServerVariables["HTTP_SOAPACTION"] != null) { // a few requests do not enter here, but my webservice class still executing // ... } } I have disabled HTTP POST and HTTP GET for webservices in my web.config file. <webServices> <protocols> <remove name="HttpGet" /> <remove name="HttpPost" /> <add name="AnyHttpSoap" /> </protocols> </webServices> Looking at ContentType for soap+xml only partially solves my problem. For example, Cache-Control: no-cache Connection: Keep-Alive Content-Length: 1131 Content-Type: text/xml Accept: */* Accept-Encoding: gzip, deflate Accept-Language: ro Host: localhost mymethod: urn:[URL]
Some clients instead of having the standard header SOAPAction: [URL], have someting like in example above. "mymethod" represents the method in my web service class with [WebMethod] attribute on it and [URL] is the namespace of the webservice. Still the service works perfectly normal. The consumers use different frameworks (NuSOAP from PHP, .NET, Java, etc).
I develop an asmx web service (i.e. ASP.NET 2.0). There's a piece of code that may read the contents of the HTTP request (via HttpContext.Current.Request.InputStream) while processing it. I realise that InputStream may only be read once for a request, and I make sure I never try to read it more than once.
The problem seems to be that if InputStream happens to be read during the early stages of the application's lifecycle (e.g. after pskill w3wp, during Application_Start), the HTTP request fails with a HTTP 400 - Bad Request error, with no explanation given, no exception thrown and no entry in the httperr log. If it is read later (e.g. within the web method itself), requests run fine whether InputStream is read or not. Application_Start runs fine if InputStream isn't read.
Is this some sort of ASP.NET bug? IIS bug? Or am I doing something wrong by daring to read InputStream? And if so, is there another way to get a look at the "raw" contents of the request without disturbing the inner workings of IIS/ASP.NET? In short, adding this code within Application_Start is enough to reproduce this error: using (StreamReader reader = new StreamReader(HttpContext.Current.Request.InputStream))reader.ReadToEnd();
I am trying to use curl to access 3rd party webservice, I used the following code which works well if I try it on my own linux server, the data is being sent ok, but the IIS on the 3rd party server returns an error.
$longdata is a long string of data, maybe over 1000 characters long the 3rd party has many working clients with various implementations so the problem is on my side. what do I need to add to the request in order to get this through ?