I have an Asp.Net Web Api 2.0 based web services which provides functionality such as customer login and access to their information after login. I am using Bearer token authentication for customer login.
Now, lets say I want to restrict access to my web services to only some specific third party vendors who build mobile applications. What are some of the patterns to achieve such restriction?
Its all built in already in the aspnet membership db.. User and roles table are already there.... you just gotta fill them and use authorize tag.. you did not search on google right?
// Restricted by user
Authorize(Users="smith")]
public class ValuesController : ApiController
{
}
// Restricted by Role
[Authorize(Roles="admin")]
public class ValuesController : ApiController
{
}
http://www.c-sharpcorner.com/UploadFile/2b481f/Asp-Net-web-api-authorization-and-authontication/
Related
I am using structureMap for injecting dependencies, I'd like to know
Which implementation should I provide for IIdentity in SignalR?
Basically, SignalR uses the already existing authentication, so you just authenticate users as you would normally in an ASP.NET application, and you can have hubs or specific hub methods that have the Authorize attribute.
http://www.asp.net/signalr/overview/security/hub-authorization
SignalR does not provide any features for authenticating users. Instead, you integrate the SignalR features into the existing authentication structure for an application. You authenticate users as you would normally in your application, and work with the results of the authentication in your SignalR code. For example, you might authenticate your users with ASP.NET forms authentication, and then in your hub, enforce which users or roles are authorized to call a method. In your hub, you can also pass authentication information, such as user name or whether a user belongs to a role, to the client.
Hope this helps! Good luck!
I have an internal use web site that will be exposed over the Internet for ease of use on mobile devices. The web site is MVC 5 and will communicate with a Web API on a different server. The user will enter their Windows account information on the login page which will be authenticated against our Active Directory service. Once authenticated I would like to create an authentication token for use for subsequent calls to the MVC site as well as calls to the various other Web APIs.
At first we were just going to use Basic authentication since all channels of communication are over SSL however we have one Web API that will not have access to our AD but will have access to a central database that may contain token information.
Any examples or documentation about how to secure enterprise Web APIs would be fantastic. I can't find much information about this topic.
A way to do this would be to create a custom ActionFilterAttribute and override the OnActionExecuting method.
public class AuthenticateAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
//grab token from httprequest in the actionContext
//and authenticate it against the token in the database
if(/*token is NOT authenticated*/)
{
//set unauthorised response
var response = actionContext.ControllerContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
//and set the httpresponse in the actionContext to the unauthorised response
actionContext.Response = response;
//then return
return;
}
}
}
You can then apply this attribute to any actions or methods in your api you wish to authenticate.
We ended up using thinktecture's IdentityServer.
https://github.com/thinktecture/Thinktecture.IdentityServer.v3
v3 Beta 1 was just released. Looks promising.
Support for OpenID Connect and OAuth2.0.
They have several client samples that you can download from a different repository.
https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/tree/master/source/Clients
I am working on Asp.net MVC5 app and a Web APi2 ,The API is to be used across multiple sites and to be used to authenticate the user as well.
I have created the MVC5 and Web API project in VS 2013,The default template for the authorization server comes whith grant_type=password,but I am looking for implemantation using Code authorization flow.
I have created the Login view in my WebAPI+MVC project which should be called by the client application
I should validate the user using username and password
If user is valid then pass the Authorize code to the client application using redirect Uri
I am getting confused in integrating above flow using owin "OAuthAuthorizationServer"
or what exactly I should override in below method
public override Task GrantAuthorizationCode(OAuthGrantAuthorizationCodeContext context)
{
return base.GrantAuthorizationCode(context);
}
I will be thankful if any one can guide me with the implementation.
I'm writing an admin panel in ASP.NET for an existing set of web service calls. My goal is to use some of the existing login stuff (locking out pages if your not logged in) etc but using my login mechanism. This works by hitting an http post request with a username and password, if you're good you get a session id back, if not you get a 401. Here is the WCF for that:
[WebInvoke(UriTemplate = "/Login/", Method = "POST")]
public String Login(User user)
{
// If we are good return sessiond id
// Otherwise throw 401 etc
So to get this working in ASP.Net what is needed?
I think this:
Implement a user that overrides MembershipUser and has a session id in it.
Implement a membership provider that overrides MembershipProvider and does all the WCF calls etc.
In the Web.Config set up a custom membership provider.
Is this correct or am I missing something major?
Rather than do this yourself, you might want to take a look at the WCF Authentication Services.
Before you go down this route, be aware that the authentication services supports login and logout, but that is about it. The usual Membership methods such as CreateUser aren't available. If you need them, you'll need to create three projects:
A WCF Service Application with a single service called WCFMembershipService that wraps the core Membership Provider requirements, i.e. calling Membership.Provider.Method(). Configure the standard SQLMembershipProvider in the web.config, and
A custom membership provider to be used in the ASP.NET application that calls your WCF service from step 1, and
An ASP.NET Application with the custom membership provider configured
You will find that the Membership and Role providers are extremely easy, but the Profile provider is more challenging, because you cannot serialize the default properties that the provider requires, such as SettingsPropertyValueCollection.
In this case, you would need to convert the SettingsPropertyValueCollection into a serializable type first, and then reconstruct it at the other end. Probably a Dictionary<string, string>() would suffice.
I have found a lot of material on the web about using the ASP.NET Membership Provider with the wsHttpBindings, but I haven't seen any reference to using it with webHttpBindings.
I am looking for a system that will work in two scenarios:
The user is logged into an asp.net website and the website is making calls to the service.
The user accesses the service directly via REST.
Is this possible using the built in framework (i.e. just through configuration)? If so how do I configure the service? And how does the user pass the credentials to the REST service?
The best source I've found is here: http://www.leastprivilege.com/FinallyUsernamesOverTransportAuthenticationInWCF.aspx
The site also has tons of other information about setting up HTTP Modules to handle basic authentication (which I'm guessing you'll be using since it is kind of the standard).
The HTTP Module authentication method is located on Codeplex with sample code and everything here: http://www.codeplex.com/CustomBasicAuth
ADO.NET Data Services you mean?
You can build a QueryInterceptor for an entity and limit the access to it.
For example:
[QueryInterceptor("foo_entity")]
public Expression<Func<foo_entity, bool>> FilterMembership()
{
MembershipUser user = Membership.GetUser();
Guid userGuid = (Guid)user.ProviderUserKey;
return c => c.UserId == userGuid;
}