I built an ASP.Net MVC 4 application which uses forms authentication by means of a custom membership provider inheriting from the Simple Membership.
Everything is working fine, but now I have a new requirement: I need to integrate a JSP application with mine.
This means that it has to authenticate against the same user database of my application and that they should somehow share the session in order to achieve a kind of Single Sign-On among the two applications (if an user is already authenticated in the ASP.Net application, he should be able to access the JSP application without logging in again, and vice-versa).
What architecture do you suggest me to use?
I would like to change as little as possible the ASP.Net application.
Thanks!
If you need to auhtenticate accross different domains:
You can implement your own security token service (like facebook, google does) Here is some ready to use implementation: http://thinktecture.github.io/Thinktecture.IdentityServer.v2/
If the sites are running on the same domain (subdomain), then you can try to share an authentication cookie within these domains.
An explaining article: http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
Related
I have an ASP.NET web application that is using ASP.NET Identity for login with UseCookieAuthentication in the Startup.
The login site is working fine.
I also have an ASP.NET WebAPI site that I use to gather data. I would like to secure the WebAPI with the same cookie that was created at the Login web site.
The machine keys are identical and the UseCookieAuthentication is using the same CookieName and CookieDomain settings.
I can't seem to find any good articles on how to use Cookie based auth between ASP.NET sites.
Any links or ideas are welcome.
If there are any examples passing ClaimsIdentity between two sites that would be great.
We only choose the UseCookieAuthentication because it was similar to FormsAuthentication but we are not opposed to using Claims Authentication if we could find out how.
Working by adding
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
I would recommend ClaimsIdentity instead of trying to pass around cookies. That way you can "register" the web application with the WebAPI application.
I'm assuming by the description that the web app and the WebAPI app are on different domains or at least different virtual directories on the server. If so, you'll probably want to take a look at CORS as well.
Here are a few relevant articles:
http://www.jayway.com/2014/09/25/securing-asp-net-web-api-endpoints-using-owin-oauth-2-0-and-claims/
http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api
If the web app is the only consumer of the WebAPI code and they can be hosted on the same server, you may consider just adding the WebAPI code to the web app solution. Then you won't have to worry about CORS.
I'm currently in the beginning stages of developing a website using ASP.Net 4.5 and C#. I'm wanting to map out the process flow of user registration and authentication. There's a starter project that uses the WebSecurity framework - with Simple Membership - that includes OAuth integration, allowing users to use Facebook and other logins to access the site.
What special considerations must one consider when using external logins on their website?
--Specialty login and registration pages for each provider used
--Authentication checks -- making sure application access hasn't been revoked during the course of any logged in session
--Re-Authentication screens
--Merging accounts
I'm seeing a bunch of different posts on how to set up ASP.Net and the WebSecurity framework to accept different logins, but not so many on the considerations needed before implementing such functionality
EDIT: This is an MVC site. Updated post to correct this
I need to build a "my account" application for my friend. I plan to use asp.net MVC 3.
I have to use third party API to authenticate users. if this is regular web application, it is easy, I submit the request using third party API, get response back. if this is authorized user, create a session. ON all the protected pages, i just check the session, if it is exist, then show the content, otherwise redirect back to login page.
I probably can do the same on my mvc3 project, but I know that definitely is a wrong approach. MVC3 is very flexiable. there must be a better way to do it. After I get response back from the third party API. What should I do after that? please show me some codes if you can.
Use the ASP.NET membership provider and create a custom provider to hook into your API. This gets a lot of the hard work done for you and you're not "reinventing the wheel". There's a great overview about how to do this with MVC here: http://theintegrity.co.uk/2010/11/asp-net-mvc-2-custom-membership-provider-tutorial-part-1/
Create a new MVC 3 application using the "Internet Application" template when you do file-new project.
All the code is then created for you - in visual studio click on the "ASP.NET Configuration" icon in solution explorer.
create your users and your roles
decorate your controllers and/or action methods with
[Authorize(Roles="Administrators")]
public class MyAdminOnlyController : Controller
{
}
Configure additional features such as forgotten password functionality, password resets, etc. Some additional features will require coding.
Done!
I don't think using MVC3 for authentication is anything different than regular web app. In your controller, you will send the username and password getting from the view to the API,getting the response back.
You can then save it to session and check against it on any page you want to be protected.
MVC is just the way to separate view logic, business logic and data model. The application flow is the same.
ASP.NET already build ASP.NET membership provider. The back end data can be stored in ASP.NET Configuration website, SQL Server database,Active Directory, and another database but you need to custom the authentication provider.
this is the expample for SQLServer Membership provider, for the detail documentation you can read from here
For ASP.NET Configuration management Membership provider, you can read from Music Store ASP.NET MVC tutorial in Membership and Authorization section. If you want to learn about ASP.NET MVC authentication/authorization. Music Store example is a recommended tutorial for exploring ASP.NET MVC3 feature, Entity Framework and Authentication also.
I have an ASP.NET 3.5 site that exposes web services as part of the web project for jQuery HTTP/POST calls to access. The site is using forms authentication. I currently have the web services denied to anonymous users. By using Firebug, I can see the ASPXAUTH cookie coming across on every web service call from jQuery, and I would like to use it to fetch the membership user from my ASP.NET membership database in the web service code. Is this possible? I'm having trouble both finding how to access a cookie on an HTTP/POST in the web service code & how to take that cookie and get the membership user.
Looks like it's a simple as just using Membership.GetUser();! I was having a brain fart and not realizing that it was that simple.
Here's my situation. I have a DotNetNuke application. I want to link to an existing ASP.net website from within the DNN website, and have decided to use DNN's IFrame for that.
The existing ASP.net application uses Forms Authentication for security - only authorized users can access the pages. This asp.net application also requires user roles for authorization to different pages.
I don't want users to have to sign on twice, and I'd like the asp.net page to use the user membership and role data from the DNN application - it shouldn't require it's own membership database.
Is this possible? According to the MSDN website:
"ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications."
Does this apply to DotNetNuke applications linking to asp.net applications? Both are on the same domain, too.
(I tried modifying the config.web of the asp.net page to work with the DNN config.web, matching machine keys and forms settings - but it didn't work. I could be doing something wrong, but before I pursue, I want to know if it's even possible.)
Thanks for any help!
I don't know if what you're talking about is possible within DNN. We're on DNN 4.0 and they do some weird things with the ASP.NET membership tables which may cause trouble.
What I can tell you is an alternative way (assuming you have control over the ASP.NET application). There is a project called MADAM (Mixed Authentication Disposition ASP.NET Modules - I know a bit of a mouthful) that can be used to provide a method other than forms authentication for application logon.
What you could do is set MADAM up on your ASP.NET application and from DNN pass user credentials to the ASP.NET application. The end result appears to the user as single sign on.
If you need me to elaborate on anything, let me know in the comments.
Actually i am displaying some aspx pages in a iframe module present on a dnn page. Now since inside the iFrame i am displaying aspx pages hosted elsewhere but on same server. I am just want to authenticate the dnn logged-in user before loading the page inside iFrame.
Do dnn provide any API which i can call from apsx pages hosted elsewhere in order to restrict access to ony unauthorized user.