How to protect a WCF Rest service with username and password? - asp.net

I'm new to WCF and I want to know how I can protect a WCF REST service.
I have an ASP.NET website that only registered users can access. The application uses a service hosted on the same IIS server. My question is: how can I restrict the use of this service so that only registered users may use it, knowing that the service can be used by many clients (Android, iPhone, ...)? What type of authentication can I use? To test the service I created a WinForms app and I use an HttpWebRequest.
PS: I can't use HTTPS.
Thanks

The simplest way is to use ASP.NET compatibility mode. The WCF service call will result in the same preprocessing used for ASP.NET pages, including checking the ASP.NET auth and session cookies. You will also be able to check HttpContext, including HttpContext.Current.User.Identity.IsAuthenticated. If the user is not authenticated, throw an exception or return an error code. Here is some more information: http://msdn.microsoft.com/en-us/library/aa702682.aspx.
So if you are already using forms auth for your application, and the service should be called after a user has logged in to your application, you are set.
You can also create an authentication service. The service will allow the client to send a username / password, and will use ASP.NET authentication to authenticate the user. It will send back an auth cookie, and then you can check future service calls as above. See http://msdn.microsoft.com/en-us/library/bb386582.aspx.
I believe the authentication service can be called using JSON. See How to Call .NET AuthenticationService from json client without ASP.NET.
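To make the first part of this answer concrete, here is an added example (not code from the answer or from Microsoft's documentation) of a WCF REST service running in ASP.NET compatibility mode that refuses callers who do not carry a valid forms-authentication cookie. The service name, the `orders` URI and the returned data are made up; the `web.config` and `.svc` lines in the leading comments are the assumed hosting setup.

```csharp
// Assumed hosting setup (not shown on the page):
//   web.config:  <system.serviceModel>
//                  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
//                </system.serviceModel>
//                plus the site's existing <authentication mode="Forms" />
//   Orders.svc:  <%@ ServiceHost Service="OrdersService"
//                    Factory="System.ServiceModel.Activation.WebServiceHostFactory" %>
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

[ServiceContract]
public interface IOrdersService
{
    [OperationContract]
    [WebGet(UriTemplate = "orders", ResponseFormat = WebMessageFormat.Json)]
    string[] GetOrders();
}

// Required (rather than Allowed) makes the host fail at startup if compatibility
// mode is missing from web.config, instead of silently running without HttpContext.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class OrdersService : IOrdersService
{
    public string[] GetOrders()
    {
        if (!CallerIsAuthenticated())
        {
            // FormsAuthenticationModule rewrites a 401 into a 302 redirect to the login
            // page (HttpResponse.SuppressFormsAuthenticationRedirect only exists from
            // .NET 4.5), so a REST endpoint answers 403 to give non-browser clients a
            // clean status code instead of an HTML login page.
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Forbidden;
            return new string[0];
        }

        // Hypothetical payload; a real service would query its data store for this user.
        string user = HttpContext.Current.User.Identity.Name;
        return new[] { "order-1 for " + user, "order-2 for " + user };
    }

    // In compatibility mode the ASP.NET pipeline (FormsAuthenticationModule) has
    // already validated and decrypted the forms cookie and populated
    // HttpContext.Current.User before the WCF operation runs; we only read it.
    private static bool CallerIsAuthenticated()
    {
        HttpContext ctx = HttpContext.Current;
        return ctx != null && ctx.User != null && ctx.User.Identity.IsAuthenticated;
        // Per-operation authorization can be layered on top with
        // ctx.User.IsInRole("SomeRole") once a RoleProvider is configured.
    }
}
```

A client that has logged in through the website's normal forms login just needs to send its `.ASPXAUTH` cookie (or whatever `FormsAuthentication.FormsCookieName` is configured to) on the request; the WinForms `HttpWebRequest` test client can do this with a `CookieContainer`.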

Related

ASP.NET Forms Auth For Downstream WCF Authentication and Authorization

Development Environment: Windows 7 Enterprise with .NET 4.0 and Visual Studio 2010
Production Environment: Windows 2008 Server with IIS 7.0
I'm trying to figure out the best way to authenticate and authorize against a WCF service running on a separate machine in a separate security zone from the ASP .NET web application.
Users log in with a username and password against credentials we have stored in a database. We did not implement Membership Provider, but when the user's credentials pass muster, we manually create a Forms Auth ticket with the user id.
I did roll my own Role Provider that implements RoleProvider. As a result, we have "standard" ASP .NET roles along with a forms auth ticket working on our ASP .NET web application.
What I need to do is somehow pass these credentials along to the WCF service that's sitting on another machine. Originally, I thought I might use the Windows Identity Foundation and create a custom Security Token Service (STS). Basically, if the user authenticates, then create a token and add in the claims based authorization along with user identity into the token and pass that along to the WCF service.
We are currently using a .NET Remoting service (.NET 1.1 timeframe) that does not authenticate or authorize at all.
That seems like it might be a bit of overkill, as there might be a way to simply pass along the information I currently have with the user: when you create the Forms Auth ticket, I know the current IPrincipal is set, with the IIdentity's "name" property set to the user id, on Thread.CurrentIdentity.
I'm pretty sure IsInRole("WhateverRole") would work correctly at this point too, but all of this is on the Web application side. Nothing gets passed to the .NET Remoting service.
Looking at these two classes:
AuthenticationService Class
ServiceAuthorization Class
I don't think they are what I want. Likewise, I've read through Michele Bustamante's Learning WCF, but I don't really see this particular scenario covered. When I read about Windows Authentication, I keep thinking that needs to be tied into some internal NTLM or Kerberos associated with the internal Windows security situation. None of our users are internal users. They're strictly external.
Now, I know that if the user gets a Forms Auth ticket, they essentially get a valid IPrincipal and the roles should be set, right?
If so, is there a way to pass this along to a WCF service sitting on another machine? If I set the WCF clientCredentialType to windows and set the serviceAuthorization principalPermissionMode to "UseAspNetRoles", will these be passed along in the security context from the web application to the WCF service when I make the service call?
Nothing I can find is clear on how this might happen. Thanks.
I think what you want is this:
http://thoughtorientedarchitecture.blogspot.com/2009/10/flowing-aspnet-forms-authentication.html
This isn't super secure, since you're effectively creating your own man-in-the-middle attack, but it's probably secure enough for most needs.
Essentially this boils down to this:
Configure both servers with the same MachineKey
Grab the FormsAuthentication cookie from the user request
Attach the cookie to the outgoing WCF service call
???
Profit

ASP.Net Mvc 3 webservice repository authentication

We are starting with a new application build with Asp.net. It should connect to a webservice which is already available to retrieve data to present to the user. We've created a repository which communicates with the webservice.
The webservice needs authorization with the same user credentials which the user uses to logon to the web application. The user is authorized with Forms Authentication with cookie support.
The problem is that we cannot retrieve the password from the user on new requests once the user has been authorized and is automatically logged on. This password is needed to log on to the webservice from the repository classes.
Any ideas on how to implement this the best and safest way?
You can try using Client Application Services to get and set the cookie. Or you can manually get and set the cookie using the sample code on this post. The example shows both methods and is geared specifically to passing a forms authentication cookie from an MVC application to an OData WCF feed:
http://blogs.msdn.com/b/astoriateam/archive/2010/07/21/odata-and-authentication-part-7-forms-authentication.aspx
Also, here is a similar example that is trimmed down in scope:
http://www.codeproject.com/Articles/190806/Send-Cookies-When-Making-WCF-Service-Calls
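Both the "flowing forms authentication" answer above (same machineKey, grab the cookie, attach it to the outgoing call) and this answer come down to the same two pieces of code, so here is one added example covering both; it is not taken from either linked article. The web-application side copies the caller's forms cookie onto a WCF call; the service side, on the other machine, reads the cookie back out of the incoming HTTP headers and decrypts it, which only succeeds when both `web.config` files share the same `<machineKey>`. The class names are made up, and the service side assumes it is IIS-hosted so that `FormsAuthentication` settings are available.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Web;
using System.Web.Security;

// ---- Web application side: forward the caller's forms cookie on one WCF call ----
public static class FormsCookieForwarder
{
    // channel: the proxy from ChannelFactory<T>.CreateChannel() cast to IContextChannel,
    // or client.InnerChannel for a generated ClientBase<T>.
    public static TResult Invoke<TResult>(IContextChannel channel, Func<TResult> call)
    {
        HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            throw new SecurityException("Caller has no forms-authentication cookie; not calling downstream.");

        // OperationContextScope makes the header apply only to calls made inside it.
        using (new OperationContextScope(channel))
        {
            var http = new HttpRequestMessageProperty();
            http.Headers[HttpRequestHeader.Cookie] = cookie.Name + "=" + cookie.Value;
            OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = http;
            return call();
        }
    }
}

// ---- Service side (other machine, same <machineKey>): turn the cookie into a principal ----
public static class FormsCookieReader
{
    // Returns the principal carried by the forwarded cookie, or null if it is
    // absent, expired, or fails the machineKey MAC/decryption check.
    public static IPrincipal PrincipalFromIncomingCookie()
    {
        object prop;
        if (!OperationContext.Current.IncomingMessageProperties.TryGetValue(HttpRequestMessageProperty.Name, out prop))
            return null;
        string header = ((HttpRequestMessageProperty)prop).Headers[HttpRequestHeader.Cookie];
        if (string.IsNullOrEmpty(header))
            return null;

        string prefix = FormsAuthentication.FormsCookieName + "=";
        foreach (string part in header.Split(';'))
        {
            string trimmed = part.Trim();
            if (!trimmed.StartsWith(prefix, StringComparison.Ordinal))
                continue;
            try
            {
                FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(trimmed.Substring(prefix.Length));
                if (ticket == null || ticket.Expired)
                    return null;
                // Roles are not inside the ticket; configure a RoleProvider on this
                // machine too (or populate the array here) if IsInRole() is needed.
                return new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
            }
            catch (Exception)
            {
                // Decrypt throws (ArgumentException / HttpException / CryptographicException
                // depending on framework version) for malformed or tampered values.
                return null;
            }
        }
        return null;
    }
}

// Typical use inside an operation on the second machine (compatibility mode not required):
//   IPrincipal p = FormsCookieReader.PrincipalFromIncomingCookie();
//   if (p == null) throw new FaultException("Not authenticated");
//   System.Threading.Thread.CurrentPrincipal = p;
```

The forwarded cookie is a bearer credential: anyone who captures it can replay it against either server until it expires, which is the "man-in-the-middle" caveat the other answer mentions, so the link between the two machines should be TLS and the ticket timeout kept short.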

Silverlight and ASP.NET AuthenticationService with self-hosted WCF Service?

I have an internal LOB Silverlight client that uses business logic in a self-hosted WCF service (cross domain).
I'm thinking of using ASP.NET AuthenticationServices. How would I set this up with my self-hosted WCF service?
Call ASP.NET AuthenticationService from Silverlight to authenticate user? But this would not protect my self-hosted service...
Send username/password in every request from Silverlight and in my self-hosted service call ASP.NET Authentication Services? (Feels a bit backwards?)
Call ASP.NET AuthenticationService from Silverlight to authenticate user, send username/password in every request from Silverlight to allow logging etc, and use some other means to protect my service?
Is there some way to glue this together or is ASP.NET AuthenticationService not meant to be used when having a self-hosted WCF service?
All of the research I've done on the WCF Authentication Service indicates its usage is for same-domain (RIA-like) applications. It sets the HttpContext.Current.User and creates a user session, so you can restrict your other WCF endpoint in some subfolder of the hosting website and control access via the web.config file. In this scenario, you can log the HttpContext user. If you plan to do things cross-domain, I think you'll find you need to use a combination of Transport (HTTPS) and Message security in the WCF binding configuration. This basically means your 2nd bullet point is true and you'll need to set the Username/Pw on the service client credentials (using Windows Auth or forms auth) and allow WCF to send them across the wire with each message...

Impersonate user in WCF from multiple callers

I'm using WCF services, ensuring that UserName/Password must be provided for each request. I need to use the same service from many clients, but I need to impersonate the call to access the appropriate resources for each client. When I call the service directly from the client there is no problem, because for each client I use a UserName/Password pair defined in their web.config. The problem comes when I need to call a second Web service from a call to the first one using the same identity. This second Web service requires UserName/Password, but I only know who the caller is (UserName), not the password.
How can I impersonate this second call without knowing the password for the corresponding username?
EDIT: The app (Web App and Services) is running in a shared hosting environment where I can't use Windows Authentication to configure Kerberos for Delegation. I have defined a UserNameValidator to process the UserName/Password pair on each call against a custom SQL Server database. Moreover, the intended customers of this app will use it from the Internet, without requiring a Windows account, which is why I need a more flexible, SQL-based authentication schema.
You need to look at using Kerberos to handle the passing of authentication onwards to other services from your first WCF service.
Have you taken a look at the declarative security options? The linked article by Juval Lowy includes an internet application scenario as well.

Authenticating a user via wcf

I have a java app with a .net application running in the java applications embedded browser.
I want the java application to call a .net WCF or web service with a username and password.
The WCF service will set the user to authorized in forms authentication.
In the java desktop application I will then load a .aspx page that was protected via forms authentication.
How can I accomplish this? Is it even possible...?
You will need to enable ASP.NET compatibility mode on the WCF service in order to enable forms authentication.
The Java client application could send username and password over a secure connection and your WCF service authenticates the user via FormsAuthentication.Authenticate(username, password) or FormsAuthentication.SetAuthCookie.
You will then need to use a cookie store on the Java client side in order to pass the authentication cookie on every consecutive request (and update it when it gets refreshed), but this should be a built-in feature of your HTTP-client.
The .aspx page must run on a server with the same machine key as the WCF service.
Conclusion: Yes, it is possible, but for me it is not clear which ".NET application" you refer to.
Edit: I think it's clear now; you will need to be able to set the browser cookies. If you can't do this directly from your Java application, a workaround would be to let the WCF service communicate that the user is authenticated and then set the cookie on the .aspx site request.
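An added example (not code from the answer) of the login operation this answer describes: a WCF REST operation in ASP.NET compatibility mode that checks a username/password and issues the forms-authentication cookie. It returns the encrypted ticket in the JSON body as well, which is the workaround in the edit above for a client that cannot receive `Set-Cookie` and has to place the cookie on the `.aspx` request itself. Credential checking is delegated to `Membership.ValidateUser`, which assumes a Membership provider is configured; the contract and class names are invented, and the same `serviceHostingEnvironment aspNetCompatibilityEnabled="true"` setting is assumed.

```csharp
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;
using System.Web.Security;

[DataContract]
public class LoginRequest
{
    [DataMember] public string Username { get; set; }
    [DataMember] public string Password { get; set; }
}

[DataContract]
public class LoginResult
{
    [DataMember] public bool Authenticated { get; set; }
    // Name and value of the forms cookie, so a client without a cookie jar
    // (the Java host in the question) can set it on the .aspx request itself.
    [DataMember] public string CookieName { get; set; }
    [DataMember] public string Ticket { get; set; }
}

[ServiceContract]
public interface ILoginService
{
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "login",
               RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    LoginResult Login(LoginRequest request);
}

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class LoginService : ILoginService
{
    public LoginResult Login(LoginRequest request)
    {
        var result = new LoginResult { Authenticated = false };
        if (request == null || string.IsNullOrEmpty(request.Username) || string.IsNullOrEmpty(request.Password))
        {
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.BadRequest;
            return result;
        }

        // Assumed: a Membership provider validates against the user store.
        // FormsAuthentication.Authenticate (mentioned in the answer) only checks
        // the <credentials> section of web.config, so it is not used here.
        if (!Membership.ValidateUser(request.Username, request.Password))
        {
            // 403 rather than 401: FormsAuthenticationModule turns a 401 into a
            // redirect to the login page, which a non-browser client cannot use.
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Forbidden;
            return result;
        }

        // Build the ticket once, emit it as Set-Cookie (possible only because
        // compatibility mode gives us the ASP.NET response) and also in the body.
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(request.Username, false);
        HttpContext.Current.Response.Cookies.Add(cookie);

        result.Authenticated = true;
        result.CookieName = cookie.Name;
        result.Ticket = cookie.Value;
        return result;
    }
}
```

The `.aspx` page and this service must share the same `<machineKey>` (they do automatically when hosted in the same site), otherwise the page cannot decrypt the ticket the service issued. Since the ticket value is a bearer credential, the first question's "no HTTPS" constraint means it travels in the clear; keeping the ticket timeout short limits how long a captured value stays usable.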
