I have two static websites located in two separate local directories.
I also have a secured web app with Spring MVC. There are two users; each user is related to a different website.
I want to serve the relevant website/pages for each authenticated user from the same url.
How can I do that? Can I use a custom Servlet/Controller?
I think your requirements are like this: you have a web app for authentication, and after authentication and authorisation you want to redirect to another application which is hosted on another server. You could use a controller for that in Spring, and depending upon the logic you can have different views.
Related
I built an ASP.Net MVC 4 application which uses forms authentication by means of a custom membership provider inheriting from the Simple Membership.
Everything is working fine, but now I have a new requirement: I need to integrate a JSP application with mine.
This means that it has to authenticate against the same user database of my application and that they should somehow share the session in order to achieve a kind of Single Sign-On among the two applications (if a user is already authenticated in the ASP.Net application, he should be able to access the JSP application without logging in again, and vice-versa).
What architecture do you suggest I use?
I would like to change as little as possible the ASP.Net application.
Thanks!
If you need to authenticate across different domains:
You can implement your own security token service (like Facebook and Google do). Here is a ready-to-use implementation: http://thinktecture.github.io/Thinktecture.IdentityServer.v2/
If the sites are running on the same domain (subdomain), then you can try to share an authentication cookie within these domains.
An explanatory article: http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
We have an ASP.NET MVC4 WebAPI Portal RIA (a mouthful, I know). The Portal UI is implemented using extjs and static html (i.e. no views), and all dynamic behavior is driven via RESTful JSON service end points implemented via the System.Web.Http.ApiController. Currently, the website is deployed in production as a single site with two site bindings (i.e. two different URLs) in IIS: one URL is internal and provides access to the full portal, the other is HTTPS and is intended to provide external authorized users access to the RESTful JSON API portion of the site. Effectively, this means that while the internal URL allows full access to the site, ideally, the external URL should:
Only respond to JSON requests
Not allow access to the default page (e.g. index.htm)
What is the best way to accomplish this goal in IIS or otherwise? Is there a better alternative to the shared site with multiple site binding configuration we are currently using? Any insight would be deeply appreciated.
Probably the easiest solution (from all those that involve coding your own solution) would be to implement an HTTP Module that intercepts all calls and does all the filtering logic in your code based on the domain name or IP.
Here is a very simple example of how you can do that: Using ASP.NET HTTP Modules to restrict access by IP address
I am not aware of any way to accomplish your task purely by changing a configuration.
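A sketch of the HTTP module approach for this two-binding setup, as an added example that is not code from the answer or the linked article. The internal host name and the `/api/` route prefix are assumptions; substitute the real binding and Web API route.

```csharp
using System;
using System.Web;

// Added example: restricts every host except the internal one to the JSON API.
// InternalHost and ApiPrefix are assumed values, not taken from the question.
public class ExternalBindingFilterModule : IHttpModule
{
    private const string InternalHost = "portal.internal.example"; // assumption
    private const string ApiPrefix = "/api/";                      // assumption

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        if (IsAllowed(req.Url.Host, req.Url.AbsolutePath, req.IsSecureConnection))
            return;

        // Same answer for every blocked path, so the external URL does not
        // reveal which static pages exist behind the internal binding.
        ctx.Response.StatusCode = 404;
        ctx.Response.SuppressContent = true;
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Pure decision function: unit-testable without IIS.
    public static bool IsAllowed(string host, string path, bool isHttps)
    {
        // Only the known internal host gets the full site (default deny).
        if (string.Equals(host, InternalHost, StringComparison.OrdinalIgnoreCase))
            return true;

        // Any other host name is treated as external: HTTPS and API routes only.
        // "/", "/index.htm" and other static files fall through to false.
        return isHttps && path.StartsWith(ApiPrefix, StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

Register the module under `system.webServer/modules` in web.config. The Host header is supplied by the client, so this check is only as strong as the IIS bindings that decide which host names reach the site.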
I have some code in App_Code that I want to expose via standard ASP pages/Forms authentication, as well as Web Services/Basic Authentication. Currently the folder layout is something like
MySite
    MyPage.aspx
    App_Code
        -> Mycode.cs
    Services
        -> MyWebService.asmx
I understand that if I want Basic authentication for the web service, and forms for the normal pages, I need to convert the "Services" directory to an application in IIS. But once that's done how do I add a reference to the Web Service back to all the code in the root App_Code folder? (without it, I just get missing reference errors when connecting to the asmx page)
The only way that I've found to get this to work is to copy the App_Code & bin directories into the Services application. However, that causes problems for my app, and seems like a big hack to be honest.
I've decided to go a different route and write a single custom authentication module that combines Forms authentication and Basic authentication. That way I don't need to split the application, and I can have fine-grained control over which pages/directories I want to accept Basic, and which I want to accept Forms.
More info here: Combining Forms Authentication and Basic Authentication
I have a question related to my ASP.net MVC 3 application. My web app allows users to upload files to Amazon S3 and other members to access them. I wish to have control over who can access these files. To do this I don't want to expose the URIs of the files and I would prefer not to have the server proxy the file.
Can someone suggest the best ways to achieve this?
S3 allows you to create a signed url which has a time expiration. This appears to have been covered completely here: Creating expiring links to S3 or Cloudfront hosted content with ASP .Net
One way would be to use the AWS SDK for .NET and call the GetPreSignedURL method which will generate a temporary url with querystring authorization. Another option would be to point your images to a secured MVC route which does a 301/302 redirect to the image url (could also be a presigned url).
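The two suggestions above combined, as an added example that is not code from either answer: a secured MVC action checks that the caller may read the file and only then redirects to a short-lived pre-signed URL. The bucket name, the in-memory file table and the two-minute lifetime are assumptions, and the property-style request assumes a recent AWS SDK for .NET.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using Amazon.S3;
using Amazon.S3.Model;

public class FilesController : Controller
{
    private const string Bucket = "example-private-bucket"; // placeholder name

    // Constructed sample data standing in for the application's own file table:
    // file id -> (S3 object key, users allowed to read it).
    private static readonly Dictionary<int, Tuple<string, HashSet<string>>> Files =
        new Dictionary<int, Tuple<string, HashSet<string>>>
        {
            { 1, Tuple.Create("uploads/report.pdf", new HashSet<string> { "alice", "bob" }) }
        };

    private readonly AmazonS3Client _s3 = new AmazonS3Client(); // credentials from app config

    [Authorize]
    public ActionResult Download(int id)
    {
        Tuple<string, HashSet<string>> file;
        // Unknown id and "not your file" get the same 404, so ids cannot be probed.
        if (!Files.TryGetValue(id, out file) || !file.Item2.Contains(User.Identity.Name))
            return new HttpStatusCodeResult(404);

        var request = new GetPreSignedUrlRequest
        {
            BucketName = Bucket,
            Key = file.Item1,
            Verb = HttpVerb.GET,
            // Anyone holding the URL can fetch the object until it expires.
            Expires = DateTime.UtcNow.AddMinutes(2)
        };

        // Keep the redirect out of caches so every download re-runs the check above.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        // Redirect() sends a 302; a 301 could be cached and replay a stale URL.
        return Redirect(_s3.GetPreSignedURL(request));
    }
}
```

The bucket itself must stay private, otherwise the object URL works without a signature and the check in the action is bypassed.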
I have a site where the vast majority of the content will be secured using Forms Authentication. However there is one sub folder that will be used internally by the administrative staff. I would like to secure this folder using Windows Authentication. Is that possible? Would I have to make the admin folder a virtual directory?
CLARIFICATION: There is no need for the administrative staff to access the main site. They are really two separate sites/apps. Regular users will access the main application via Forms Authentication (and never access the admin folder). And admin users will access the admin application via Windows Authentication (and never access the main site).
Thanks,
Corey
Yes, it's possible but you have to build a custom membership provider or an interface to allow for it. It is not possible to specify individual authentication methods on sub-folders unless they are in completely separate projects/application domains.
One method to accomplish this would be to use an LDAP membership provider and change the ldap connection based on the username (if there is a discernible method of doing this).
One other method would be to provide a separate website that uses the Windows authentication to perform the login and then constructs a custom cookie for the user and transfers them back to the original website identifying the individual as a member of the administrative staff.
Then the folder could be secured using the <location> elements in the web.config.
If I was going to build a site with Mixed authentication, I would set up the site to use webforms. I would then set up a virtual application inside of this application that consisted of the same forms auth web.config information but set to use Windows Auth.
On the login page of the Windows auth site, after you validate their credentials, I would then manually call FormsAuthentication to create the auth token. At this point you can then redirect the user to the Forms Auth site and they should be logged in (as long as all the forms auth cookie information is the same for both sites; this might also include needing to set up the same machine keys for both applications).
I haven't done this specifically but this should definitely be a viable (and probably one of the most optimal) solution.
It may be as simple as right-clicking on the admin folder in Windows Explorer and setting the rights in the Security tab.
Put the administration site in its own application by right-clicking on the folder in IIS manager and choosing convert to application.
Once that's done you can adjust the authentication method on the application by highlighting the application folder in IIS manager and then choosing authentication and adjusting them (or you can do it the hard way via web.config if you can't remote into the machine).