So, I have a website (lets called it MySite). And we have implemented it primarily using .NET. Recently angular JS was introduced and we have created aspx pages that consumes the angular JS libraries.
Recently there was a requirement wherein we had to develop a login module on a virtual directory (lets call this MyVirtualDirectory) within the web site. Please note that the website already uses a login method (which is handled via button click event handler in .NET). The idea was, upon entering the username and password on the MyVirtualDirectory login module, to call the existing authenticate login method (that is currently consumed by the website). So, for this, we wrote a web method and we are calling the login method from within this web method. And this web method is invoked from the angular code. Everything works as expected and the login web method returns a true or false
Although functionally things work as expected, I am not too happy about the security aspects. One of the security constraints was, the web method that we wrote should be invoked only from within the web site. We thought about couple of options
One was to have a cookie on the load of the virtual directory home page. And when the web method is invoked, check for this cookie. Obviously, this has its own set of issues because the cookie could be set by anyone
The next was to have a session variable on the page load of the virtual directory home page. And check for this session variable when the web method is invoked. This was more secure than the first option, but still i felt it was slightly vulnerable
Any other thoughts/ consideration - To summarize, my question is, how to securely invoke a web method and ensure that the call is made only from within the website?
Thanks in advance
Related
Can I have a ribbon button launch an aspx ( asp.net ) page? The aspx page needs to inherit authentication and authorization as the logged in Dynamics user.
You can execute custom JavaScript from a ribbon button allowing you to spin up a new browser window pointing at whatever you like.
To inherit security credentials you need to look at setting up federated authentication across both the CRM server and the custom website hosting the ASPX. As you can probably imagine this isn't a trivial task.
You could also look at dropping your website into the custom ISV folder as was the case with CRM 4. However, this approach has been deprecated in CRM 2011 and AFAIK is therefore no longer supported.
As #Konrad pointed out you won't be able to use the Data Service REST API (OData) from your custom web pages as the service is only accessible from web resources hosted within the CRM environment. Server-side you'll be fine against the Org Service.
If you can get away with doing what you need in a web resource I'd highly recommend it as it's a whole lot less work.
I'm not sure you can do that. A while ago, I put in an iframe that I linked to an outside web page and it worked as supposed to except for connecting to the organization data. I just couldn't make that work (I got impatient, to be honest and didn't try all too hard).
The resolution I deployed in the end was to run a web resource, which was run internally on the server, that communicated the data to an outside service.
I'm assuming that the same behavior will follow if you try to open windows/convey data in to/out from the CRM.
I've a wcf ajax enabled hosted in a web site (it's a web chat).
For some reason, when I need to execute a postback, my wcf service works in unexpectedly way (such as big delay in a call, work off, and so on..).
The oddity occurs when I try to call some wcf function through javascript from protected page too (Many page are protected by web config with authentication mode=form).
Are the above issue caused from the same reason? But which can it be the reason?
EDIT:
I notice that the above problems occurs only when my web site contains global asax file with sessionStart and SessionEnd event handlers (it's true even when those event handlers are empty, namely without any instrunction).
#EDIT:
Ok, issue about postback is due to devExpress control (captcha). If I use a simple button for doing some postabck all works fine. Maybe that component injects some bad script in my page, I've not idea.
So, remain questione about access to protected page by login only. It's important to know that login issue occurs only on production site where login page is placed on internal (nested) application, while on test site where login mechanism is on the same application all works fine.
However, in this moment I solved by changing login logic for chat access. I've removed the protection in web config for that chat admin page and I check user credential on its init event. If it's not logged, then I execute a simple redirect to login page and all works correctly.
##EDIT
Well, I found the exact cause and solved it. Please, take a look here: http://blogs.msdn.com/b/silverlightws/archive/2009/09/30/having-a-pollingduplex-service-and-any-other-wcf-service-in-the-same-website-causes-silverlight-calls-to-be-slow.aspx
I'm working on adding a new webapp to an existing website. I've been directed to write the webapp in ASP.NET. The existing website is written in ColdFusion. For the most part, the ASP.NET webapp is completely stand-alone, but it needs to interact with the ColdFusion code in one important way - if somebody logs in to the ColdFusion site, we don't want them to have to log in again when visiting an ASP.NET page.
When someone logs in to the ColdFusion site, their username is stored in a cookie, along with a login token that can be looked up in our database. My .NET is a little rusty, so I'm having trouble visualizing how the ASP.NET code should use this data. I've already written a simple MembershipProvider that can be used to log in/out out the ASP.NET app using the data in our existing database tables, which are shared with the ColdFusion code.
What I'd like to know is - how can I make sure the ASP.NET app detects the cookies set by the ColdFusion app (I imagine they'd be sent to the ASP.NET pages, since everything is hosted on one domain), and automatically logs the user in using the MembershipProvider and Forms Authentication, using the credentials supplied in the cookie? I'm thinking that putting some kind of cookie check and log in function in the Global.asax file, set to run every page load for every page... but that seems kind of clunky. Also, do people still use the Global.asax file anyway? I had thought there was a more modern method.... Also, how can I manually log someone in using Forms Authentication and a custom membership provider? Currently my code allows the user to log in using the provided login control, but I'm not sure how to log the user in without them having to do anything.
Thanks in advance for any help. Looking over the MembershipProvider tutorials and the MSDN documentation it seems to me like the answer should be staring me in the face, but for some reason I just can't see it. Maybe not enough coffee....
Not sure if this is what you're looking for:
FormsAuthentication.SetAuthCookie("the username goes here",false);
Reference
I'm a CF developer ususally, but we had to do some integration with a .NET application recently and the way we approached it was to keep the CF and .NET sessions separate but ensure that login happened on both so when the user moved from one to the other they were still logged in.
So is there perhaps a way for you to hit your ASP.NET application with a request to login a user when you login using the CF application? Perhaps you could have an iframe on the page that you can load when the CF login is complete that holds a login service for the .NET app?
This way you would not need to worry about one app server reading the other app server's cookies, instead there would be two sets of cookies, one for ASP and one for CF.
Hope that helps!
The way I would approach it, is I would have a specific page that acts as a liaison between the CF and .NET layer. That page would implement your business layer and just check to see if the Cookie is there, if so read it in, do the lookup and login the user or whatever business logic that needs to be done. How would you accomplish the login/authentication, well that’s all based on your login/authentication code.
The only link I can offer is the basic of cookies in ASP.net
http://msdn.microsoft.com/en-us/library/aa289495(v=vs.71).aspx
Edit: found another link that might be helpful.
http://www.aspnettutorials.com/tutorials/network/cookies-csharp.aspx
I have a Mono web application with an included setup form. In order to detect if the application is installed or not, I create a marker file _INSTALL_LOCKFILE_ that, if exists, is able to tell that the program is installed (and so Setup will refuse to run again).
My question is: how do I redirect the user to the setup script ("~/Setup/Default.aspx") the first time he accesses the web application? If user attemts to run the "empty" application he will definitely get unreadable exceptions.
I have thought about using HttpApplication.BeginRequest event in Global.asax, or other request-related events, to choose if redirecting or not.
My doubts are
If I say "redirect every request but all that were directed to /Setup/* I will surely be unable to download CSS and images, stored in App_Themes
I would not like to enumerate all pages in my web application to write the redirect rules
So, my question is
How would you redirect the user to a setup script in ASP.NET when you detect that the web application has not been configured yet?
Looking at the life cycle of an application, I think I'd prefer to put such a method in the Application_Start method
http://msdn.microsoft.com/en-us/library/ms178473.aspx
protected void Application_Start()
{
if (!MyLockedFileExists()) {
HttpContext.Current.Response.Status = “302 Found”;
HttpContext.Current.Response.AddHeader(“Location”, “http://www.newlocation.com/newwebpage.aspx”);
}
}
note: MyLockedFileExists would be a custom bool method that checks for your lock file
I have a Silverlight application hosted inside an asp.net website. In my silverlight applicaiton, if I select a theme. Then, theme changes will gets fired. I want to get notified in asp.net web page, when the theme changed event is fired inside the silverlight application.
Note: Also, I don't want to use a data base to maintain the state of the application.
You can't easily raise an asp.net application event from your Silverlight App. It should be possible, but would require your SL app to do a POST request on the server with POST parameters interfacing well with the ASP.NET plumbing. It's hacking, I would say that's not the recommended way to do it and if you do it asynchronously (without reloading the page), it could do weird things with your viewstate.
You can however call a web service from the SL app when the user change the theme. (the webservice could be something as simple as a request handler or an aspx page with get parameters or maybe a WCF service)
You could then store values about the selected theme in the user session.