I'm learning blazor and am having some difficulty wrapping my head around authentication. I have a .net core web api hosted and want to connect a blazor web assembly to it, but all the tutorials i find use it hosted in an asp.net core host in one package. How secure is the authentication when hosted like this on the same machine?
use Blazor WebAssembly with authentication (also if possible) is not a great idea:
usually, when you write a normal client-server application, the client collect the user typed data and send it to the server. In the server you can check if the password is correct (for example establishing a connection to a database and checking matches between username and password).
In Blazor WebAssembly, all the code is compiled, dll are generated, sent to the client (using the Web-Assembly technology) and runs inside a JavaScript sandbox. This mean that ALL the objects are available on client side and can be seen by the user, so also all the connection strings can be readed.
Also if there are some ways to mask them, none of them are 100% secure, actually.
If you don't need to have an off-line application I suggest you to use Blazor Server technology, that use SignalR.
However, if you really want to implement authentication in WebAssembly, you can take a look at the Microsoft documentation.
Hope this can be useful!
You can first go through the official docs. I also recommend you seeing this video. You'll likely need to use IdentityServer4, for that see this playlist and the official Github repo for sample projects.
Related
I'm brand new to C#/.NET
Why does ASP.NET have so many different choices of projcets? (Web Application, Web API, Web Site, MVC ect). I just want to listen on a tcp port, and a way to send a response. If there are libraries to help me do routine stuff like constructing the HTTP request, parsing the header, ect - then cool. But I don't want a super opinionated framework that tries to do everything under the sun.
Why do I need IIS at all?
Addressing your points in reverse order, first - why do I need IIS?
The answer is, maybe you don't. If you are doing a simple listener that won't be exposed to the public internet, then you don't need it.
If you are doing a web application that needs to scale, be robust and easy to manage then it can help you with:
Logging
Operating in a multi-server environment for scale/high availability
Handling multiple requests in an isolated way
Serving multiple applications from the same host with sandboxing to ensure each application has guaranteed resources (memory, CPU)
Application lifecycle management
IP address restrictions
support for FTP, CGI, WebDAV
URL rewriting
Response header manipulation
Failed request tracing
Protection against some DoS exploits like slow HTTP attacks
Etc.
In short, it is an industrial strength, real world web server that will keep your application up reliably in a hostile world and scale as your application grows. it is certainly overkill for some cases if you don't need this kind of scale/high availability/management capability. In those cases you have the option to self host ASP.Net in a Windows Service or even a console app. This might sound complicated, but it has been made pretty simple by OWIN - Open Web Interface for .Net. This is an abstraction of the interface used by Asp.Net to communicate with its hosting server.
There is a very good tutorial on how to self host web API in a console app here
http://www.asp.net/web-api/overview/hosting-aspnet-web-api/use-owin-to-self-host-web-api
It does exactly what you ask for in your comment:
You create a console app project
You add references to the right assemblies (the tutorial uses NuGet to download the assembly packages)
You code up your web operation logic
You compile
You run the resulting exe
That's it!
On your second point about ASP.Net - it is a framework that has gone through a lot of evolution trying to keep up with very rapid changes in the web development world. This meant it got a bit bloated and lost some of its coherence, but recently the developers have been focussed on making it more lightweight, more modular and simpler. Scott Guthrie summarises it in his blog:
http://weblogs.asp.net/scottgu/introducing-asp-net-5
Why does ASP.NET have so many different choices of projcets? (Web Application, Web API, Web Site, MVC ect). I just want to listen on a tcp port, and a way to send a response. etc...
Because each project has its own purpose.
If you want to just listen on a TCP port then you could go learn Microsoft's Katana OWIN (but I highly doubt if this is what you want).
Katana OWIN
Briefly going through each projects purpose:
"Web Application" actually opens up another window and lets you choose from the following:
Web API is for exposing RESTful services or JSON data.
Web Forms is for making web pages that use Web Form components.
(A bit like Windows Forms, but Web)
MVC is for making Model-View-Controller web applications. This is where you build components with a separation of concerns. Model for data. View for what the user sees. Controller for controlling how your page behaves.
Why do I need IIS at all?
IIS is for serving .NET applications.
Without it, it would be quite hard to serve .NET applications.
I'll start with 2 then move on to your first question. IIS will run whatever the .NET web service you need, be it a monstrous WCF service, an ASP.NET application or the most basic http handler.
To my knowledge, ISS is the most straightforward way to use .NET web services. If you are used to PHP, it's basically LAMP or WAMP for .NET, which means it is sort of necessary. There are alternatives, as Mike Goodwin points out, but I have to admit I am not familiar with those third parties. Since replacing a layer for another doesnt mean much, I would stick to the "normal" procedure.
Since you dont want the framework to do a truckload of operations for you, your best bet might be along those lines:
Create a basic ASP.NET projet
Remove the default ASP.Net page because it seems you dont want it
Add a Generic Handler to your project. This will result in a myFile.ashx, which handles http requests and let you build any response you want
Of course, if you dont want to bother with IIS configurations, you'll need someone to setup an URL on IIS and map it against your handler repository.
EDIT:
"Abstraction layers" would be the very definition of frameworks, for good or ill, so you're stucked with it.
Now, since you have a low level background a not-so-intrusive way to work with the .NET web services would probably be the three steps I suggested earlier. You are still stucked with IIS though, in order handles the communications (i.e. manages sockets/requests). That's the way the framework works.
STILL, THERE IS HOPE. If you have complete control over your server (which is not my case, some other IT team manages the web servers), you certainly could build a windows service that listens to some socket and work the requests accordingly. It is a most unusal solution if you want to serve web pages, but would work rather well if you only want to push some data through http requests. If you go down this path, I suggest you take a look at the System.Net namespaces, you'll find some classes like "Socket" there. Combined with a console application or a windows service, you could work something out.
One of my coworkers is former microcontroller designer, I know exactly what kind of feeling you have towards the .NET framework. You'll go through some frustrations at times, but most of the time there are work arrounds. Feel free to request more details if you need some.
I am build a small web app with all HTML controls and have used javascrip and webservices for all my work.
Now i need to add Login Authentication to my App. Normally i would have done this with ease with Server side code.
FormsAuthentication.SetAuthCookie(strUSername, createPersistentCookie)
But i need to achieve this using purely Javascript and Webservice calls.
function Autheticateuser(strUser,strPwd)
{
Webservice.AuthenticateUser(strUser,strPwd,SetAuthentication,FailAuthentication)
}
But since Javascript is not secure, any one can manipulate this on the browser. How can i make this secure and also keep it away from Server side code.
web service calls are lying open in javascript it can be called by any malicious script easily to try combinations of username and pwd to break into the system.
The forms authentication controller is not very different from a web service. It takes a form post from an anonymous user with id/password and returns a cookie. This can be called by a script just as easily. That's why you build safeguards (lockout after several unsuccessful attempts) for the authentication.
You don't want to use cookies with Web API services. The easiest thing to do for you is to look into MVC5 SPA application or Web API 2.0 authentication. These come with Visual Studio 2013 and .NET 4.5. The web services have built in OAuth token support, which is the proper way to do authentication/authorization for web services. You can do it with earlier versions of MVC, but need to get external libraries for OAuth support.
This is a good video to get into web api security.
I'm working on a project using ASP.Net MVC5 which also includes a Web API. The API will be for internal use only. I'm using the OWIN library to provider authentication.
I'm having a difficult time figuring out how to correctly implement authentication through the API. I was planning on using OAuth 2.0 but the problem with OAuth is that the user needs to login through a browser page instead of a native login screen. So I was wondering if it is possible to somehow skip the browser.
I've found this example which creates it's own OAuth Authorization Server. But it doesn't show how to make the login native.
If it's a highly trusted client, then you can use the OAuth2 resource owner password flow. You can look at the VS2013 SPA template and/or read on this post:
http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/
You could use Thinktecture.IdentityServer v2 as a light-weight security token service.
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
You will need to create a WOPI host, which is basically a software solution that can take advantage of the browser-based Office(office web).
Create a custom WOPI host and configure it to use Office Web Apps Server to provide the browser-based file viewing and editing for Office files.
Nice sample on Microsoft MSDN
We are planning to receive a SAML assertion from another website into ours (ASP.NET). No one here has ever worked with SAML. We simply need to verify the signed assertion, decrypt the token containing a user id and if we can verify it, log them into our site (authenticate/authorize). We are using Forms Authentication for all other authentication. I would like to avoid installing WIF if possible because my understanding is we'd have to install the runtime on all the developers machines and servers. Our machines are locked down by policy such that it would be a lot of paper work to get it installed. Are there alternatives to WIF and are they realistic to use in an enterprise environment? If so, can someone point me in the right direction, a good tutorial, video, book or anything with examples would be helpful? I looked at some third party components but I'd have the same issue as with WIF on our servers (not to mention dealing with procurement).
Thanks
Is this internal or an external facing application? You may want to checkout PingOne.com Application Provider Services (APS) [Note: I work for Ping]. PingOne handles all the SAML protocol stuff for you and provides self-service capabilities, reporting, etc. No need to install WIF... just a few lines of .NET code (or whatever) to integrate with the RESTful service that PingOne provides.
HTH - Ian
I have to write an app for iPad that would take data from SQL Server and post it to the iPad. I looked up on this over the Internet and found that i have to write a web service to expose the data from SQL server using ASP.NET. I did an app previously in android that would take data from my dropbox a/c and display it to the user. I made use of the drop-box api available. I was wondering if anything like that exists for SQL? Also, i have to code in Obj-C for the iPad, so how will
i write ASP.NET code? I have more doubts.
Thanks in advance.
There are many options for web services. If you are developing in ASP.NET and don't want to invest to much time in just accessing the data I would suggest some software that will help you generate the source code.
WSSF (Web Service Software Factory) is software that will assist you in creating a SOAP web service and it generates source code for you. I do recommend however working through a tutorial first before just jumping into using this. WSSF uses visual studio as well.
Once you have a web service that packages your SQL data for communication through http requests. You will need to parse the data communicated in Objective-C. For this you'll find SudzC to be very helpful.
SudzC generates all the source code for accessing your web service in Objective-C, given the WSDL.xml file of your web service (a file that lays out the design of your web service).
Although these software will save you a lot of coding, I wish I could tell you that this will be a short and easy process. However this is vary rarely the case, developing this will take you a couple of days.
I do know that people often use RESTful web services when dealing with the iOS enviroment, although I do not have the same kind of experience with them as I do SOAP web services. I hope that this information is helpful to you.
I've done this. The best way is to use .NET 3.5 or higher to create a WCF (Windows Communication Foundation) project. These projects will let you communicate with your mobile application using REST or SOAP. They also let you send data in XML or JSON format. You will then need to create a REST or SOAP client in your IPad application to communicate with the server.
Use OData. See Creating an OData API for StackOverflow including XML and JSON in 30 minutes for how to publish your SQL Server data as an OData service. See Consuming OData using Objective-C for how to consume the OData service from your iPhone app.