I've got an self-hosted SignalR instance, using OWIN. I'd like to implement authorization. My users will already have logged into an ASP.NET MVC application, using Forms Authentication.
Since the two applications will be available at the same URL, the cookies will be shared between the two. How do I accept a Forms Authentication cookie in a self-hosted SignalR application?
Clarification: I'm talking about a browser accessing a self-hosted SignalR hub using the same credentials that were used to log into a separate (but related, and installed on the same host) IIS application.
So, the question is: how do I hook into the SignalR server pipeline to capture the .ASPXAUTH cookie and use it to set the current principal before calling the hub?
If it helps, I can throw some Nancy into the mix.
If your user is already authenticated and logged in, you can check the following within your SignalR hub:
Context.User.Identity.IsAuthenticated
Assure this property is set to true. You can place this check within the constructor of your hub to block/remove their connection. If false, you can redirect them to another page.
Related
I have this legacy intranet app using an AngularJS SPA consuming an an ASP.NET Web API (on .NET 4.6.1) and I can't manage to get the user authenticated on the domain inside the API, when calls are made by AngularJs.
Inside the API I have situations where I need to get the domain authenticated user. I have tried several combinations inside IIS to set both the AngularJS app and the API with Windows authentication, Impersonation, Authorization Rules. I've read several questions in Stackoverflow and other forums and also searched through several articles but I can't manage to find a solution, I'm feeling helpless in this one.
When I make a direct call to the API using a tool like Postman or through Swagger, System.Web.HttpContext.Current.Request.LogonUserIdentity.Name shows the correct authenticated user.
When I make the very same call to the API but through the client, like loading a page that requests data from the API, the user shown in LogonUserIdentity, is the one set on the app pool.
The authentication between the client and the API uses bearer token.
Here's my current scenario:
IIS:
Windows authentication enabled for both the client and the API, Impersonation enabled for both the client and the API
Authorization rules for ASP.NET and IIS set with allow all users for both Client and API
Session state in-proc, using cookies and with UseHostingIdentity set to false on both Client and API
Both the client and the API are using the same AppPool, with integrated Pipeline, .NET CLR v4.0,
If there's more info to supply please let me know, I'll update the question with the required info.
Seems like SignalR only accepts Bearer/JWT tokens. Is there support for SAML?
If you implement SAML in your webapp, the webapp will issue a cookie based on successful authentication. SignalR will piggyback on that:
In a browser-based app, cookie authentication allows your existing
user credentials to automatically flow to SignalR connections. When
using the browser client, no additional configuration is needed. If
the user is logged in to your app, the SignalR connection
automatically inherits this authentication.
I'm new in WCF and I want to know how can I protect a WCF Rest service.
I have an asp.net website, only registered users can access it, the application uses a service hosted on the same IIS server, my question is, how can I restrict the use of this service, for that only registered users may use it, knowing that the service can be used by many clients (Android, iPhone, ...). what type of authentication I can use? to test the service I created a winform and I use an HttpWebRequest.
PS: I cant use https.
Thanks
Simplest way is to use asp.net compatibility mode. The WCF service call will result in the same preprocessing used for ASP.NET pages, including checking the ASP.NET auth and session cookies. You will also be able to check HttpContext, including httpcontext.current.user.identity.isauthenticated. If the user is not authenticated, throw an exception or return an error code. Here is some more information: http://msdn.microsoft.com/en-us/library/aa702682.aspx.
So if you are already using forms auth for your application, and the service should be called after a user has logged in to your application, you are set.
You can also create an authentication service. The service will allow the client to send a username / password, and will use ASP.NET authentication to authenticate the user. It will send back an auth cookie, and then you can check future service calls as above. See http://msdn.microsoft.com/en-us/library/bb386582.aspx.
I believe the authentication service can called using json. See How to Call .NET AuthenticationService from json client without ASP.NET.
I have a java app with a .net application running in the java applications embedded browser.
I want the java application to call a .net WCF or web service with a username and password.
The wcf will set the user to authorized in forms authentication.
In the java desktop application I will then load a .aspx page that was protected via forms authentication.
How can I accomplish this? Is it even possible...?
You will need to enable ASP.NET compatibility mode on the WCF service in order to enable forms authentication.
The Java client application could send username and password over a secure connection and your WCF service authenticates the user via FormsAuthentication.Authenticate(username, password) or FormsAuthentication.SetAuthCookie.
You will then need to use a cookie store on the Java client side in order to pass the authentication cookie on every consecutive request (and update it when it gets refreshed), but this should be a built-in feature of your HTTP-client.
The .aspx page must run on a server with the same machine key as the WCF service.
Conclusion: Yes, it is possible, but for me it is not clear to which ".NET application" you refer to?
Edit: I think its clear now, you will need to be able to set the browser cookies. If you cant do this directly from your java application, a workaround would be to let the WCF service communicate that the user is authenticated and then set the cookie on the .aspx site request.
My website uses Forms authentication. I did silverlight 3 module which is designed to work in context of asp - authenticated user. Silverlight module talks with WCF hosted by the same asp.net website, but the issue is that it cannot authenticate to WCF service.
I run Fiddler and I see that .ASPXAUTH cookie is not sent to WCF service.
How to force Silverlight to get this cookie from browser and send it to service?
Finally I solved it.
The problem of missing cookie was made by inproper host name.
I was sending asp.net requests to myhostname, but SL was calling WCF using myhostname.mylocaldomainnam.local. This is why there was no .aspauth cookie during WCF calls.
I've used it successfully. First, I make sure that there are is a service endpoint for the WCF AuthorizationService used by ASP.NET. Then use the Silverlight project to generate a "Service Reference" to the AuthorizationService. Finally, in your module, you will use that service reference to login your visitor using their credentials stored within your provider. If you have some more information on how you've built your site, I might be able to offer a more concise answer to your problem.