Security :: Using Membership Services Through Web Service?
Sep 13, 2010Is there any way to use Asp.net's membership services through a web service? My boss, for some reason, wants this...
View 1 RepliesIs there any way to use Asp.net's membership services through a web service? My boss, for some reason, wants this...
View 1 RepliesI am writing two ASP.NET apps. One is a web service that provides xml data and the other is a web client that will use the service to display and manipulate data. I would like for the web service to do the membership authentication and authorization. Is there any way to simply point the login controls in my client application to the web service instead of to a database. I assume I would have to provide the necesarry methods in my web service interface, which would then use the membership provider database I created and pass the results back through to the client.
Is this possible? I have seen many articles on security provisioin from a web service but none has really been what I am looking for. I was hoping that, since my service and my client are both written in ASP.NET, there might be some built functionality that would benefit me.
I have a web application that uses a SQL database which contains all the standard asp membership tables.Within my Web application I use the standard asp.net membersip logic for adding new users, roles, etc...The point here is I dont use any custom providers for anything.Now on that same machine that is hosting my web application I am writing a Windows service in c# .net.As part of one of the method calls to the windows service application I was curious if I would be able to use any type of membership classes that would connect to my existing database and perform the same functionality as does the ASP.NET membership classes.
View 1 RepliesCan I use the membership provider api on a hosted service? I can create mssql databases but have no control over iis. Will I be able to use the membership admin webpage on the hosted service?
Am I correct in stating that the api uses ASPNETDB.MDF in the app_data folder as it's database?
I have an ASP.NET web application and a WCF Application that share the same ASP.NET membership database.
They are both sharing the same ASP.NET membership database.
It is basically like:
WCF: is [URL]
ASP.NET: is [URL]
(both are two virtual folders in the same web application and both are using the same ASP.NET membership database).
The user logs on to the ASP.NET application and can then decide to call the WCF service.
What are my options for setting the security for the call between the ASP.NET and the WCF service that make the call using the credentials supplied by the user when logging to the ASP.NET application?
I've set up a system with forms based authentication and using the asp:Login control. When I put in an invalid password I get the approriate invalid password message. However when I put in a valid password, it does nothing...just returns to the login page again. I'm triple checked the login info. There is no error message, and the invalid attempts counter doesn't increment. When I put a break point in the Login_LoggedIn event of the Login form, it hits it, but User.Identity.IsAuthenticated is false. I'm not 100% sure it should be true at this point, as I'm pretty new to .NET but it seems kind of odd.
My user database is stored in a sqlserver 2005 db that already existed. I've added a new connection for it.In the authorization I have
<authorization>deny
users="?"/><authorization>
I had created a Membership ASP.NET 3.5 website and selected the Forms authentication. Therefore, I created several users with related information into the ASPNETDB database. Yesterday, I changed the website security to Windows authentication.
This morning, when reviewing the ASPNETDB data for another website, I still can see those Membership Forms users and their ApplicationIDs in the aspnet_Users and aspnet_membership tables. How can I delete those Forms users?
Another question: In aspnet_Applications table, I can see the ApplicationName (e.g. /WebPartsDemo) for the Web Parts websites. I have 2 ApplicationIDs in the aspnet_Membership table. I can not see only one ApplicationID in the aspnet_Applications table, but with an empty ApplicationName, i.e. / only.
Do I miss something when creating the Membership website? What is the ApplicationName for the Membership website?
I have a client asp.net website that uses ASP.Net Membership, Roles and Profile providers and Login controls. I need to expand the application so was going to use WCF Workflows, the ASP.Net website will be hosted on a different server than the WCF Services so what I want to do is get the ASP.Net Website to auth via the WCF Service. So process will go:
ASP.Net Website ------------------> WCF Service ------------------> SQL Database (Membership, Roles, Profile, Workflow Persistence Data and Business Data)
I tried creating a custom Membership and Role providers but I have had problems managing the users (Membershipuser class) saying null when a vaild user has been return by the WCF Service as can access the properies but not the methods.
I want to access membership and profile objects and wants to access profile properties that I have defined in my web app web.config file, from a windows service. Anyone have any idea on how to do this?
View 3 RepliesI'm developing a web application using EF4, POCO's, WCF Data Services and the presentation tier (HTML, CSS, JavaScript, Ajax - NO WebForms). For security I would like using ASP.NET Membership Provider (Authentication Service): from a *.htm file calling the AuthenticationService. I executed aspnet_regsql.exe (to create the necessary database tables) and modified my web.config file:
<configuration>
<system.web>
<roleManager enabled="true" />
[code]...
I am using the ASP membership services to create and manage users. I notice that on user account registration everything works fine... Until I call Roles.AddUserToRole, and suddenly I get a second user account created in the aspnet_users table. I am quite certain that I should only ever have one user account in the database per registered user...
View 2 RepliesIn our application, we have a need for a user to "impersonate" a different user. Think of it as a hierarchy -- Bob is above Frank in a hierarchy. Bob is logged in, and he needs to do things in the system for a short time as Frank. So, we have given Bob a list of users that report to him, and an impersonate link. He clicks on this link, and, behind the scenes, I log Bob out, and log in as Frank. I also set a session variable that tells me that really Bob is they guy who is the user. Also, Bob (acting as Frank now) has a nice little link at the top of every page that says "Stop Impersonation."
In addition, when Bob is impersonating Frank, Bob is restricted from doing some things, like changing Frank's password.
This was working great, until we encountered a situation where, if the session (I think -- getting confused here) gets destroyed (such as when I copy up new code and dlls to the live site), then when Bob clicks on "Stop Impersonation" he gets redirected to the default page, and is still logged in as Frank, but without the Impersonation session variable. So, now Bob really is logged in as Frank, and can change Frank's password (among other things).
How is it that a session variable (Impersonation) gets destroyed, but I guess the session is still hanging around, because it doesn't make the user log in again?
This is a somewhat serious bug for how our system works (bug in our code, I'm sure, not in .Net). We are using ASP.Net c#, aspnet membership services, .net 3.5, forms auth...not sure what else you need to know.
EDIT: Updated information. Looks like when "something" happens, for instance, when I recompile some dlls and copy them to the webserver, the session gets dumped. Or, rather, the variables in the session get dumped. The session id stays the same. I do get to check for Session.IsNewSession and it returns true, even though the id is the same as it was before.
Just like Utaal mentioned, Membership Services is separate from Session, so it's forms auth token is still hanging around in the browser, but my session variable telling me that that isn't really the user who is controlling the browser isn't there anymore.
EDIT: Sky, here is what I'm doing to authenticate a user. I can't figure out where I would insert a ticket into this flow:
if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
I have a web site and a web service and I would like to host them somewhere.
I need to use it mostly for testing and so that a some friends who are developing some applications to use the service have access to it. Also the service is using a MS SQL 2008 database.good free or cheap web hosting service for this.
In my application I need to get Service status from differnt servers.I usedSystem.ServiceProcess class for implementation.Now,I got service status from my local machine. My current requirement is to get service status from different servers with credentials.Conside I host this webapplication in One server A. I need to get service status of ServerB,Server C. We can't install or copy any dll or exe in that server(Server B & Server C)<Webservicesalso we can't host in Server A &Server B >.But, we have credentials.I tried to pass credentials.But getting errors<authentication problems>. Please help me to do the same. Have any other solutions by dos net sat commands..
View 4 RepliesI haven't deployed behind a load balancer before. My customer has a WCF service built and tested on servers using a service model configuration that is relatively straightforward. It provides a service to return an image of a map for another application. To get the map, it calls other services.
The service was built in Visual Studio 2010 targeting the 3.5 framework. The customer is using IIS 7.5 and an F5 load balancer. When moving to the production server, the Web.config was changed to add the load balancer behavior and specify the endpoint to show the physical and logical address of the service:
[Code].....
There was a problem when the service was deployed to a server behind the load balancer. When I try to call the service from WCFStorm or WebServiceStudio I get the message "The provided URI scheme 'https' is invalid; expected 'http'.
The endpoints for the service itself look right to me. However in the development and testing versions of the config, the client section uses http instead of http, while on the production servers it uses the load balancer's https address. This seems like it should be obvious, but we're missing it.
I have a WSDL, and I need to write this web service. (I am not the client, I am the provider of this service) Is there any tool and/or best approch to create this Web Service?
View 1 RepliesI have a simple .Net web service. When I visit the /webservice.svc path in a browser .Net renders a nice help page with some sample C# and VB.Net code. How do I stop this from displaying? Also, is there any way to prevent a request for ?wsdl from returning the wsdl file?
View 2 RepliesApologies if this seems obvious, but after a week searching I can't find a clear answer to my problem.
I have developed an application in Visual Web Developer 2010 Express that uses the asp.net application services membership provider. It works well in development on my machine (data in the ASPNETDB.MDF database).
I packaged my application and deployed the relevant files with FTP to my shared hosting provider.
I took a copy of the ASPNETDB.MDF and restored it to the SQL Server 2008 on my shared hosting. I can connect to this through the Database Explorer in Visual Web Developer, but it doesn't contain any schema or data.
I know once I have the database in production I will have to make sure the connection string in web.config is poiting to it, but I don't know how to get the DB to production in the first place.
I'm working on a website where it should be possible for registered users to upload word documents. The administration of users is done through Membership and Profiles. When the documents have been uploaded, the following needs to be achieved:Non-registered users should not be allowed to download documents I should be able to control which users that has access to which documents I should be able to register which user downloads which documents I should be able to track how many times a document has been downloaded
Can this be achieved be using Membership and Profiles?
I'm investigating creating a WCF REST service for an existing asp.net application to be consumed by various clients including Windows Phone 7, Android, iPhone apps etc.Creating a simple WCF REST service and consuming it from the above platforms is not a problem and works really well. What I am struggling to get my head around is authorization.The asp.net application uses the Membership provider to provide authentication and authorization and I'm comfortable in using that API from the REST service.
How do I secure my REST service so that the first call has to be to authenticate (passing the username and password) and following calls know who is 'logged in'. I'm guessing the authenticate method will have to pass back some sort of token to be used in subsequent calls identifying the caller. Is this secure enough as the whole site / service is over SSL?
Recently, I tried to get my Web Service class to inherit from a custom base class that inherits from System.Web.Services.WebMethod instead of the System.Web.Services.WebMethod directly.
However, I've been getting Error 500.
Public Class Service1
Inherits BaseClass
<System.Web.Services.WebMethod()> _
Public Function GetSessionID() As String
GetSessionID = Me.Session.SessionID
End Function
End Class
public class BaseClass
Inherits System.Web.Services.WebService
public property Property1 as string
public property Property2 as string
End Class
I'm trying to use the Membership.CreateUser method without passing a security question and answer. I set them to string.empty, but no go. I have my provider set to not require a question in my web.config. What am I doing wrong?
[Code]....
This is my first membership provider; I converted the sample provider [URL] to SQL. I created a vb class provider and put it into the App_Code folder. After it was created I tried to modify my webconfig but the error pops up. I don't know what else to try, I don't know if I have missed something
webconfig:
[code]....
I am creating a few web services for use with a mobile application. My current site uses asp .net membership and one of the web services will validate username and password.
In the web service I get passed uname and pword and just use
Code:
If Membership.ValidateUser(username, password) = True Then
Return "True"
Else
Return "false"
End If
Is there a similar way to get the userid without logging the user on or do I need to create a Stored procedure?
I have a SqlMembershipProvider store with Roles enabled. This is configured and has the user "devtest" in the roles "xxUser" and "xxAdmin".
I also have a WCF service, which I want to authenticate and authorize against. My problem is that:
the authorisation is not happening, code just executes despite the policy attribute I don't get any identity or security context so do not know who is calling the service I need: to know which user is calling the
method some degree of rejecting users if permissions don't match (ideally this should be performed
within the RoleProvider/MembershipProvider/WCF but can do it myself if I have to) SSL in transport
I have my service contract set up thus:
[ServiceContract]
public interface ISupportService
{
[OperationContract]
[PrincipalPermission(SecurityAction.Demand, Role = "ThisRoleDoesNotExist")]
List<BaseInterestRate> GetAllBaseInterestRates();
}
the code is simple enough:
public class SupportService : ISupportService
{
public List<BaseInterestRate> GetAllBaseInterestRates()
{
OperationContext operationContext = OperationContext.Current;
ServiceSecurityContext serviceSecurityContext = ServiceSecurityContext.Current; // is always null
using (xxxEntities entities = new xxxEntities())
{
return new List<BaseInterestRate>(entities.BaseInterestRates);
}
}}
My service configuration is thus:
-->
<behaviors>
<serviceBehaviors>
<behavior name="SupportServiceBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="AspNetSqlRoleProvider" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="SqlMembershipProvider" />
</serviceCredentials>
</behavior>
<behavior>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
Having already configured the MembershipProvider:
<membership defaultProvider="SqlMembershipProvider" >
<providers>
<clear/>
<add name="SqlMembershipProvider"
connectionStringName="SqlMembershipProvider"
applicationName="xxx"
type="System.Web.Security.SqlMembershipProvider" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<clear />
<add connectionStringName="SqlMembershipProvider" applicationName="xxx"
name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
<add applicationName="xxx" name="AspNetWindowsTokenRoleProvider
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
I have followed the instructions at these pages to the letter:
How to: Use the SQL Server Role Provider with Windows Authentication in WCF Calling from Windows Forms (MSDN)
How to: Create and Install Temporary Client Certificates in WCF During Development (MSDN)
How to: Use wsHttpBinding with Username Authentication and TransportWithMessageCredentials in WCF Calling from Windows Forms (MSDN)
Also quite useful found via SO: Use Asp.Net Membership provider with a WCF .svc service (Alkampfer's Place)
I would at lest expect an issue with certificates/transport/etc. to fail with exceptions, but I can debug right in and over the WCF call. I have no security context/ user context available to me and when I use a user not in the two mentioned roles (which I do in the code example above), I don't get "kicked out".
My client app is currently a Web App, but will ultimately also serve a Windows Forms app and Test suite. I'm currently using the ASP.NET WebDev server and am running .NET 4.0.
Am I missing something?