Security :: Pass Credential From On Request To Another Request (one Site To Another Site)?
Jul 27, 2010
WebApp1: on IIS and configured with Windows authentication. Get User account from AD.
WebAPP2: a java web app on another windows box in same domain with authentication from AD
On web app1, I have a http handler like
public class MyHandler : IHttpHandler
{
public void ProcessRequest(HttpContext context)
{
string url = "http://WebApp2/Test";
HttpWebRequest myReq = (HttpWebRequest)WebRequest.Create(url);
CredentialCache myCache = new CredentialCache();
NetworkCredential netCredential = new NetworkCredential("myname", "mypassword", "");
myCache.Add(new Uri(url), "Basic", netCredential);
//...
myReq.Credentials = myCache;
//....
}
}
in above way, I can set authentication in code and pass it WebApp2.
But I don't want to put name and password in code. User info already available on WebApp1: in context.User I can find out the user info who already logined into WebApp1, so I want to pass this credential to WebApp2. I have tried to do following:
I want to open B site as new window from A site, so its ask for windows credential. I have credential in A site. I am opening B site using Javascript.window.open.
I am building a simple intranet site and want to get the employees user name, but when i use Request.LogonUserIdentity.Name , i keep getting the servers credentials and not the users. what am i doing wrong and is there a better way to do this.
I am using if (HttpContext.Current.User.Identity.IsAuthenticated){ //do sth. } in my web service to do credential. Is that good enough? or is there some best practices that I can follow?
At one point this was working, but somewhere something happened. What I am trying to do is simply download a page from our local site. I keep getting the 401 unauthorized.
I have tried NetworkCredential("user", "password", "domain")
and
CredentialCache cc = new CredentialCache(); cc.Add(new Uri("http://site/"), "Windows", new System.Net.NetworkCredential("user", "password", "domain"));
but that didnt work . We are using Windows authentication with no anonymous access.
it is possible to do a request for another page on internet from page_load? I mean if it is possible to aquire markup code with informations from another page and display them on my aspx site? For example something like this:
I have an existing asp.net mvc website that uses basic forms authentication. The site has a login page that posts back to a login action, which logs the user in via FormsAuthentication.SetAuthCookie(). I am looking to add an api to the site, as an mvc2 area, where users would be authenticated based on a token passed as an http header. This area will consist of only json actions, so redirecting the user to a login page doesn't make sense. Instead, I want the users to just pass a token along with each request. That token is mapped to each user account and the user would be authenticated automatically.
I'm struggling with where to put this logic. At this point, the best choice seems to be adding the header lookup logic and authentication to the Global.asax in the Application_AuthenticateRequest method. I want to avoid needing to redirect the user after calling FormsAuthentication.SetAuthCookie(), though. I want the login action to be transparent to them. Am I approaching this the wrong way? As a side note: Requiring a username/password for api requests is not possible, as the site has a mix of users. Some joined using OpenID while the rest joined with a username/password.
i have some aspx page that handle form data submit from few websites. how can i retrieve the ip of the site (server) that send the request? (not the ip of the user that use the site and fill the form) if the form is hosted in server like 55.343.33.343 i need to retrieve to the handler page this ip. (Just to be clear : the handler.aspx is hosting in one server xx.xx.xxx.xx and the forms hosting in other servers cc.ccc.cc.cc, yy.yyy.yy.yy etc
Suddenly, IIS 7.0 is redirecting every request for the root of any domain hosted on the box to ~/Account/Logon, which is our Forms Authentication redirect. Additionally, some JavaScript and image requests are being similarly redirected, but not other aspx pages.
EDIT: It turns out that something has gone wrong with the disk permissions. Can anyone point me to the way things are supposed to be in Windows Server 2008 for a standard ASP.Net installation? The disk permissions are out of whack now.
I'm getting an exception when trying to access an .asmx webservice within a MVC site. I've tried numerous things like updating the web reference within the console application and building another quick app to test, but can't get passed this issue. If I pull the URL out of the svc variable, I can browse to it directly.
Exception Details
System.Web.Services.Protocols.SoapException occurred Message=Server was unable to process request. ---> Value cannot be null. Parameter name: uriString Source=System.Web.Services Actor="" Lang="" Node="" Role=""
StackTrace:
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at ClarityIntegration.SendTrackerDataToClarity() in [REDACTED].Reference.cs:line 78 at [REDACTED].Program.Main(String[] args) in [REDACTED].Program.cs:line 33 InnerException:
CONSOLE APP CODE
var svc = new TrackerClarityService.ClarityIntegration() { Url = url, Credentials = new System.Net.NetworkCredential("user", "pass", "domain") }; svc.SendTrackerDataToClarity(); svc.Dispose();
The exception was coming out of the Web Service itself. There were some global variables not being initialized directly through the .asmx call that were being initialized by the application itself.
Some simple checks on variables within the Web Service and setting what needs to be set have fixed up the issue.
I am using DotNetNuke and I have posted this in their forum. But it is more appropriate here. I am trying to upload a 13 MB video file to my site ( a .flv file) using the file manager function under the host login. I understand that .NET limits the upload size to 4 MB for security reasons. In accordance with other posts here I added this code to my web.config file to allow bigger upload.
I added it in the system.web section. Now, I still get this error:
"An error has occurred.DotNetNuke.Services.Exceptions.PageLoadException: Maximum request length exceeded. ---> System.Web.HttpException: Maximum request length exceeded. at System.Web.HttpRequest.GetEntireRawContent() at System.Web.HttpRequest.GetMultipartContent() at System.Web.HttpRequest.FillInFormCollection() at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint,
Boolean includeStagesAfterAsyncPoint) --- End of inner exception stack trace.
I hosted two asp.net web project in IIS with unique VirtualDirectory (sample and Sample2). Now i access a web page from Sample site and from this page i'm sending request to a web page in a site Sample2 with some values through Query String. I got the page and the values from query string.
Now my problem is, instead of sending values through QueryString is there is any other way to pass values from one site to another. Because, i never give the url for the second site to client. They know only the first site url based on user input i'll redirect it to the second site. Problem is user can see the values passed through QueryString and there is a chance to bookmark that link by user, it just like hacking. I donot want the user to do that.
I have an ASP.NET website that worked fine using and debugging in VS2008. I went through the upgrade process opening the solution in VS2010. I can run the site, but as I make changes in the app_code folder classes, they don't seem to commpile and warn me of compile-time errors. As soon as I get to a point that calls the class, the errors show up. Sounds JIT I guess, but this isn't how it was working in 08. Is there an option that was changed in the upgrade process? This is a large project, I really don't want to break something and not find out until some obscure page is opened.
I have a requirement where I have to transfer a user from Web Site 1 on Server A to web Site 2 on Server B.
On Web Site 1, I have to provide controls to enter user id and password and which have to be validated on Web Site 2 on server B, after validating them I have to redirect the user to Web site 2.
what is best way fo doing it. code examples are greatly appreciated.
Note: On Web Site 2, user login functionality is already existing and it is provided by ASP.Net login control, am not sure how to handle the user login process from two different places.
or is it the best way to move Web Site 2 from Server B to Server A so that, the same login controls will be shown using Iframe on Web Site A.
I have an application that uses the ASPNET role provider.My SQL Server crashed so I took a backup of the database and restored it to a new SQL Server and changed the db connection string to that server.The web site runs but no users can login to the site.Is there something that I should have done when the db was on the other server?
I have a webservice which works 100% fine on my developer machine. Where Web Service is installed on LOCALHOST on my developer machine,Then i went to my servers, I installed webservice on one server and map it with the server where the website is hosted, Then i tried accessing this service using BROWSER from my web server, it worked fine, That means the mapping was done perfect.Then i run my program on web server (website). It worked fine on page1, then on page2, but when i did the same and call same function on page3, It popped me any error of
Is it at all possible to inject a request into IIS for a page, have IIS and ASP.Net handle it as normal, but get the response as html handed back to me programmatically?
Yes, I know that I could connect to port 80 using WebRequest and WebResponse, but that becomes difficult if you are accessing the IIS server from the same physical machine (loopback security controls et al).
Basically, I want to inject the request (eg for [URL]) between the points at which IIS would normally talk to the browser, and the point at which it would route it to the correct ASP.Net application, and get a response back from IIS between the points at which ASP.Net/IIS applies the httpfilters and hands the html back to the browser.
I'm predominantly working with IIS7 so if there is a solution that works just for IIS7 then thats not an issue.
when i browse the page with firefox and click on the input Request.Params["btnshoppingCart"] != null or Request.Form["btnshoppingCart"] != null is statisfied.
When i browse the same page with internet explorer 8 and click on the same input Request.Params["btnshoppingCart"] != null or Request.Form["btnshoppingCart"] != null is not satisfied. When i used the watch i saw that there is no key by the name of "btnshoppingCart" in either Request.Form or Request.Params if input is clicked from internet explorer. However when it is clicked from firefox there is value "shoppingCart" inside Request.Form and Request.Params against "btnshoppingCart" key. One more strange thing that i observed was that are two keys "btnshoppingCart.x" and "btnshoppingCart.y" inside both Request.Form and Request.Params whenver clicking is done from both internet explorer and firefox. This is happening against all inputs of type image irrespective if the input is present inside a html form or not. Forms are created like this
<% using (Html.BeginForm("Action", "Controller", FormMethod.Post)){%>
The version of internet explorer is 8.0 and firefox is 3.6.6
I there a way to know if a request is a soap request on AuthenticateRequest event for HttpApplication? Checking ServerVariables["HTTP_SOAPACTION"] seems to not be working all the time.
public void Init(HttpApplication context) { context.AuthenticateRequest += new EventHandler(AuthenticateRequest); } protected void AuthenticateRequest(object sender, EventArgs e) { app = sender as HttpApplication; if (app.Request.ServerVariables["HTTP_SOAPACTION"] != null) { // a few requests do not enter here, but my webservice class still executing // ... } } I have disabled HTTP POST and HTTP GET for webservices in my web.config file. <webServices> <protocols> <remove name="HttpGet" /> <remove name="HttpPost" /> <add name="AnyHttpSoap" /> </protocols> </webServices> Looking at ContentType for soap+xml only partially solves my problem. For example, Cache-Control: no-cache Connection: Keep-Alive Content-Length: 1131 Content-Type: text/xml Accept: */* Accept-Encoding: gzip, deflate Accept-Language: ro Host: localhost mymethod: urn:[URL]
Some clients instead of having the standard header SOAPAction: [URL], have someting like in example above. "mymethod" represents the method in my web service class with [WebMethod] attribute on it and [URL] is the namespace of the webservice. Still the service works perfectly normal. The consumers use different frameworks (NuSOAP from PHP, .NET, Java, etc).
I develop an asmx web service (i.e. ASP.NET 2.0). There's a piece of code that may read the contents of the HTTP request (via HttpContext.Current.Request.InputStream) while processing it. I realise that InputStream may only be read once for a request, and I make sure I never try to read it more than once.
The problem seems to be that if InputStream happens to be read during the early stages of the application's lifecycle (e.g. after pskill w3wp, during Application_Start), the HTTP request fails with a HTTP 400 - Bad Request error, with no explanation given, no exception thrown and no entry in the httperr log. If it is read later (e.g. within the web method itself), requests run fine whether InputStream is read or not. Application_Start runs fine if InputStream isn't read.
Is this some sort of ASP.NET bug? IIS bug? Or am I doing something wrong by daring to read InputStream? And if so, is there another way to get a look at the "raw" contents of the request without disturbing the inner workings of IIS/ASP.NET? In short, adding this code within Application_Start is enough to reproduce this error: using (StreamReader reader = new StreamReader(HttpContext.Current.Request.InputStream))reader.ReadToEnd();
