Best Way To Perform Authentication On Every Request?

May 31, 2010

For every incoming request I need to perform custom authorization before allowing the file to be served.

(This is based on headers and contents of the querystring. If you're familiar with how Amazon S3 does rest authentication - exactly that).

I'd like to do this in the most perfomant way possible, which probably means as light a touch as possible, with IIS doing as much of the actual work as possible.

The service will need to handle GET requests, as well as writing new files coming in via POST/PUT requests.

The requests are for an abitrary file, so it could be:

GET http://storage.foo.com/bla/egg/foo18/something.bin

POST http://storage.foo.com/else.txt

Right now I've half implemented it using an IHttpHandler which handles all routes (with routes.RouteExistingFiles = true), but not sure if that's the best, or if I should be hooking into the lifecycle somewhere else?

I'm also interested in supporting partial downloads with the Range header. Using

response.TransmitFile(finalPath);

as I am now means I'll have to do that manually, which seems a bit lowlevel?

View 2 Replies


Similar Messages:

Security :: How To Perform Authentication Between Websites

Jun 1, 2010

I have 2 web sites both located physically on the same web server, I'll call them siteA and siteB. These sites are accessed by internal users on our intranet as well as external users on the internet.

SiteA is is setup on IIS6 using basic authentication which we connect to an active directory. The web config is set to use Windows authentication mode. The url to site a is etoolbox.xxx.yyy

SiteB is the same setup. The url to siteB is rdow.xxx.yyy

What I want is once the user is authenticated against the active directory when the login to SITEA for them to be able to click the url in siteA which opens SiteB in a separate browser window and automatically takes them to the welcome page without being prompted for credentials again.

Currently when clicking on the url to go to siteB I am being prompted again for my credentials.

Is there any way for both external and internal users to only be prompted once for their active directory credentials and then be able to go to whatever site they want to without be prompted for credentials again? Is this something I have to code for or is it handled automatically by IIS?

View 3 Replies

How To Intercept An Authentication Request In Webform

Nov 30, 2010

I have user's who are losing their data because they sit on a page too long, then are asked to log back in. I want to do the following:

1) Instead of redirecting them to a login page, I want to cancel the current request and give the user a popup dialog box to login with.

2) When the login is successful, I want the user to be sent back to their form, with all data intact. (Even better if the request could go through without sending them back to that form, but this is optional).

How can I intercept these authentication requests, and present the user with a popup login?

I am using ASP.net forms authentication.

View 2 Replies

Security :: Authentication When Web Service Is Being Request?

Feb 10, 2010

I am using .NET roles and membership model to manage user accounts in my system back-end.

If the request is come from within my web-app, I can authenticate through form.

But if the user is requesting from else where, maybe their own apps, how to I do authentication?

attach username and password (GET/POST) and then secure the line by SSL? is that what I should do?

View 3 Replies

MVC :: Capture If Authentication Request Failed?

Mar 30, 2011

Using Forms Authentication in an MVC application, is there a way to capture if a particular authentication request has failed? For instance, if I have a controller attributed [Authorize( Roles="Admin" )] And a user not within the Admin group attempts to use it, I'd like to do something with that on a case by case basis.Is this possible?

View 5 Replies

Add Per Request - Token Based Authentication To Mvc Site

Apr 4, 2011

I have an existing asp.net mvc website that uses basic forms authentication. The site has a login page that posts back to a login action, which logs the user in via FormsAuthentication.SetAuthCookie(). I am looking to add an api to the site, as an mvc2 area, where users would be authenticated based on a token passed as an http header. This area will consist of only json actions, so redirecting the user to a login page doesn't make sense. Instead, I want the users to just pass a token along with each request. That token is mapped to each user account and the user would be authenticated automatically.

I'm struggling with where to put this logic. At this point, the best choice seems to be adding the header lookup logic and authentication to the Global.asax in the Application_AuthenticateRequest method. I want to avoid needing to redirect the user after calling FormsAuthentication.SetAuthCookie(), though. I want the login action to be transparent to them. Am I approaching this the wrong way? As a side note: Requiring a username/password for api requests is not possible, as the site has a mix of users. Some joined using OpenID while the rest joined with a username/password.

View 1 Replies

How To Request The Extended Permission At The Time Of Authentication Only In Facebook App Development

Nov 8, 2010

I am developing a facebook application in asp.net using the facebook developkit downloaded from [URL] website.

I am practicing a sample application in SDK 3.02samplesIFrame.

They have give an attribute called RequiredAttribute = true in IFrameMaster.Master.cs, which will access the basic information.

But I want to request for extended permission in the same screen itself.

For that i have used this.RequiredPermissions = new List() { Facebook.Schema.Enums.ExtendedPermissions.publish_stream, Facebook.Schema.Enums.ExtendedPermissions.offline_access };

But there is no use.

Is there any way to do it.

View 2 Replies

IIS 7.0 - Every Site Suddenly Redirecting Root Request To Forms Authentication?

Apr 30, 2010

Suddenly, IIS 7.0 is redirecting every request for the root of any domain hosted on the box to ~/Account/Logon, which is our Forms Authentication redirect. Additionally, some JavaScript and image requests are being similarly redirected, but not other aspx pages.

EDIT: It turns out that something has gone wrong with the disk permissions. Can anyone point me to the way things are supposed to be in Windows Server 2008 for a standard ASP.Net installation? The disk permissions are out of whack now.

View 1 Replies

.NET Forms Authentication Failed For The Request. Reason: The Ticket Supplied Has Expired?

Mar 10, 2011

I am getting this error many times in the event log , and users are logged out .

Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
Event time: 3/10/2011 3:35:22 PM
Event time (UTC): 3/10/2011 8:35:22 PM [code]...

I am not using web farms. I do not think the app pool is recycling , i compared the Process ID in several events and it is equal . My machine key is not AutoGenerate .

View 2 Replies

.net - Forms Authentication Failed For The Request. Reason: The Ticket Supplied Has Expired?

Apr 21, 2010

My event log is flooded with this message: Forms authentication failed for the request. Reason: The ticket supplied has expired.I think this happens when people timeout instead of logout.First of all , this is not an error, it's Type: InformationI don't want this information, how do I stop ASP.NET from logging it?My application is not web-farmed, and uses a static machine key.

View 1 Replies

WCF / ASMX :: The HTTP Request Was Forbidden With Client Authentication Scheme 'Anonymous'?

Feb 24, 2011

I am getting following error in the Test which is in the same Box but IIS requires Https to view the Page. I have change Web.Config to accept https. I was able to add the Service References without any problem but while call the method I get The HTTP request was forbidden with client authentication scheme 'Anonymous'. this error message. I am trying to use userNameAuthentication.

<bindings>
<wsHttpBinding>
<binding name="Binding1">

[code]...

View 1 Replies

WCF / ASMX :: Error - The HTTP Request Is Unauthorized With Client Authentication Scheme 'Negotiate'

Oct 15, 2010

I'm using a WCF with windows authentication.

I also use custom binding:

[Code]....

While trying to access the service without specifing the user credentials everything work's ok and the current user(Thread.CurrentPrincipal.Identity.Name) at service is the logged in user.

When I try to set user credentials this way:

[Code]....

The service just ignores them.

When I try it this way:

[Code]....

I'm getting this error: "The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'."

View 1 Replies

Security :: Digest Authentication In Web Service Error / The Request Failed With HTTP Status 401

Apr 20, 2010

I am connecting to remote server for web service using ASP.NET 3.5 web site. something like, [URL]. Remote server is providing digest authentication to access the web service. I dont have access to modify authentication on the remote server but I have an windows account on that server. If I try to Access service WSDL through programming I get the following error:

The request failed with HTTP status 401: Unauthorized. Same web service if I try to access through browser, [URL], it asks for user name and password. Entered windows account user name and password, still getting error: You are not authorized to view this page, HTTP Error 401.1 - Unauthorized. How to pass the digest authentication credentials to the web service through visual studio or any other programmatic method?

View 1 Replies

Security :: Forms Authentication Failed For The Request. Reason - The Ticket Supplied Has Expired

Jan 25, 2010

we recently upgrated our project from 1.1 to 2.0. since then we are seeing "Forms authentication failed for the request. Reason: The ticket supplied has expired" in Event Viewer. this keeps coming 1-2 times for every minute. this is the full message. this also made the response time increased it seems.

Event code: 4005

Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.

Event time: 1/25/2010 5:00:30 PM
Event time (UTC): 1/25/2010 10:00:30 PM
Event ID:
Event sequence: 20601
Event occurrence: 2692
Event detail code: 50202.....

View 1 Replies

Firefox Asks For Username/password On Every HTTP Request With Digest Authentication Enabled On IIS6

Nov 12, 2010

I've recently enabled Digest Authentication on an intranet website/application I am creating for my company in ASP.NET.

The reason I have done so is because Windows Authentication seemed to only work for some users, and not for others. I could not figure out why nor do I know enough about IIS to try and trace the issue. After some trial and error, I found that digest authentication seemed to give me the behaviour that I wanted. That is: allow only users with a valid account on the domain to log in to the website with their credentials.

The problem now, is that Firefox (3+) seems to ask for the user to authenticate on every HTTP request sent to the server. This does not appear to occur in Internet Explorer (6+) or Chrome.

I've tried searching for solutions but I always arrive at dead-ends. I'll find a discussion about the issue, and every posted solution leads to a dead link...or it's on Experts Exchange and I don't have access to view to solution.

The issue appears to be related (from what I've read) to the way the different browsers send their authentication headers vs how IIS interprets them. I'm not sure what I can do to change this though? One of the solutions I had found mentioned writing an ISAPI filter to fix this, but of course the link to the finished filter was broken and I have no idea how to go about making one myself.

I've tried messing with the NTLM and other auth related strings in about:config to try and force Firefox to trust my server but that doesn't seem to work either.

From a few other sources I've read, it appears that everything should work if I switch back to Windows Authentication, but then I'm back at square one where the authentication would work only for some users and not others.

A solution for either problem would work for me, but I have very little information for the Windows Authentication issue. If someone could guide me through tracing the problem I'd gladly post more information for it as well.

[URL]

View 1 Replies

C# - What's The Difference: Windows Authentication, Passport Authentication And Form Authentication

Sep 17, 2010

Just going to start making a web application and was wondering which was better, or at least what are the main differences between them (as it probably matters what I am using them for)?

View 3 Replies

HttpHandlers / Modules :: HttpModule That Alters Request.QueryString And Request.Form?

Jan 27, 2011

We're trying to implement functionality that intercepts, inspects, and alters if needed data in the Request.QueryString and Request.Form collections.

Since Request.QueryString and Request.Form are readonly, is it possible to use a HttpModule to do this without Reflection or Response.Redirect?

We're thinking that we can construct a new HttpRequest, and replace the original one. Would there be any implications in doing this?

I know mocking this object is impossible without using HttpRequestWrapper, but wasn't sure whether ASP.NET sets other things beyond the constructor.

View 2 Replies

WCF / ASMX :: Request Failed With HTTP Status 400: Bad Request Accessing Web Service

May 15, 2010

I have a webservice which works 100% fine on my developer machine. Where Web Service is installed on LOCALHOST on my developer machine,Then i went to my servers, I installed webservice on one server and map it with the server where the website is hosted, Then i tried accessing this service using BROWSER from my web server, it worked fine, That means the mapping was done perfect.Then i run my program on web server (website). It worked fine on page1, then on page2, but when i did the same and call same function on page3, It popped me any error of

View 4 Replies

Accessing IIS's Request Handling Pipeline To Inject A Request And Get The HTML Response?

Dec 9, 2010

Is it at all possible to inject a request into IIS for a page, have IIS and ASP.Net handle it as normal, but get the response as html handed back to me programmatically?

Yes, I know that I could connect to port 80 using WebRequest and WebResponse, but that becomes difficult if you are accessing the IIS server from the same physical machine (loopback security controls et al).

Basically, I want to inject the request (eg for [URL]) between the points at which IIS would normally talk to the browser, and the point at which it would route it to the correct ASP.Net application, and get a response back from IIS between the points at which ASP.Net/IIS applies the httpfilters and hands the html back to the browser.

I'm predominantly working with IIS7 so if there is a solution that works just for IIS7 then thats not an issue.

View 2 Replies

MVC :: Request.Params Request.Form Not Working In Internet Explorer 8?

Jun 29, 2010

This is a input

<input type="image" src="<%=Url.Content("~/images/shopping-cart.jpg")%>" alt="shopping cart" id="btnshoppingCart" name="btnshoppingCart" value="shoppingCart" />

when i browse the page with firefox and click on the input Request.Params["btnshoppingCart"] != null or Request.Form["btnshoppingCart"] != null is statisfied.

When i browse the same page with internet explorer 8 and click on the same input Request.Params["btnshoppingCart"] != null or Request.Form["btnshoppingCart"] != null is not satisfied. When i used the watch i saw that there is no key by the name of "btnshoppingCart" in either Request.Form or Request.Params if input is clicked from internet explorer. However when it is clicked from firefox there is value "shoppingCart" inside Request.Form and Request.Params against "btnshoppingCart" key. One more strange thing that i observed was that are two keys "btnshoppingCart.x" and "btnshoppingCart.y" inside both Request.Form and Request.Params whenver clicking is done from both internet explorer and firefox. This is happening against all inputs of type image irrespective if the input is present inside a html form or not. Forms are created like this

<% using (Html.BeginForm("Action", "Controller", FormMethod.Post)){%>

The version of internet explorer is 8.0 and firefox is 3.6.6

View 5 Replies

Determine If A HTTP Request Is A Soap Request On HttpApplication.AuthenticateRequest

Jan 21, 2010

I there a way to know if a request is a soap request on AuthenticateRequest event for HttpApplication? Checking ServerVariables["HTTP_SOAPACTION"] seems to not be working all the time.

public void Init(HttpApplication context) {
context.AuthenticateRequest += new EventHandler(AuthenticateRequest);
}
protected void AuthenticateRequest(object sender, EventArgs e) {
app = sender as HttpApplication;
if (app.Request.ServerVariables["HTTP_SOAPACTION"] != null) {
// a few requests do not enter here, but my webservice class still executing
// ...
}
}
I have disabled HTTP POST and HTTP GET for webservices in my web.config file.
<webServices>
<protocols>
<remove name="HttpGet" />
<remove name="HttpPost" />
<add name="AnyHttpSoap" />
</protocols>
</webServices>
Looking at ContentType for soap+xml only partially solves my problem. For example,
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 1131
Content-Type: text/xml
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: ro
Host: localhost
mymethod: urn:[URL]

Some clients instead of having the standard header SOAPAction: [URL], have someting like in example above. "mymethod" represents the method in my web service class with [WebMethod] attribute on it and [URL] is the namespace of the webservice. Still the service works perfectly normal. The consumers use different frameworks (NuSOAP from PHP, .NET, Java, etc).

View 4 Replies

First Request Fails With HTTP 400 (Bad Request) After Reading HttpRequest.InputStream

Oct 24, 2010

I develop an asmx web service (i.e. ASP.NET 2.0). There's a piece of code that may read the contents of the HTTP request (via HttpContext.Current.Request.InputStream) while processing it. I realise that InputStream may only be read once for a request, and I make sure I never try to read it more than once.

The problem seems to be that if InputStream happens to be read during the early stages of the application's lifecycle (e.g. after pskill w3wp, during Application_Start), the HTTP request fails with a HTTP 400 - Bad Request error, with no explanation given, no exception thrown and no entry in the httperr log. If it is read later (e.g. within the web method itself), requests run fine whether InputStream is read or not. Application_Start runs fine if InputStream isn't read.

Is this some sort of ASP.NET bug? IIS bug? Or am I doing something wrong by daring to read InputStream? And if so, is there another way to get a look at the "raw" contents of the request without disturbing the inner workings of IIS/ASP.NET? In short, adding this code within Application_Start is enough to reproduce this error: using (StreamReader reader = new StreamReader(HttpContext.Current.Request.InputStream))reader.ReadToEnd();

View 1 Replies

How To Bypass Request Size и Request Processing Time Restrictions

Mar 1, 2011

I want to component to upload large filesP.How can I bypass request size и request processing time restrictions?

View 4 Replies

PHP Curl Request To IIS Results In Request Format Is Invalid?

Apr 4, 2011

I am trying to use curl to access 3rd party webservice, I used the following code which works well if I try it on my own linux server, the data is being sent ok, but the IIS on the 3rd party server returns an error.

$longdata is a long string of data, maybe over 1000 characters long the 3rd party has many working clients with various implementations so the problem is on my side. what do I need to add to the request in order to get this through ?

<?php
$c = curl_init();
// curl_setopt($c, CURLOPT_HTTPHEADER, array('Expect:'));
curl_setopt($c, CURLOPT_URL, 'http://XXX.com/test/index.asmx');
curl_setopt($c, CURLOPT_POST, 1);
curl_setopt($c, CURLOPT_HEADER, 1);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$post = array('param1' => 'XXXX', "param2" => "Y", "Param3" => $long_data);
curl_setopt($c, CURLOPT_POSTFIELDS, $post);
$response = curl_exec($c);
echo $response;
/*

Response:

HTTP/1.1 100 Continue
HTTP/1.1 500 Internal Server Error
Date: Tue, 05 Apr 2011 14:11:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 100
Request format is invalid: multipart/form-data; boundary=----------------------------5d738237d9e0.
*/
?>

View 2 Replies

WCF / ASMX :: Calling A Web Request - 400 Bad Server Request?

May 28, 2010

I am facing an issue while calling a web request thru my code. I have searched a lot on number of sites but did not get any solution.

Here is the code which I am using:

[Code]....

View 3 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved