WCF Authentication Flow - asp.net

I'm calling a WCF service from an ASP.NET application. From this, I am accessing a WCF service using WSHTTPBinding. I can get the current user from HttpContext.Current.User.Identity.Name. I want to be able to pass this to WCF (not using a custome header - surely there is a proper way to do this.) It must be the identity in HttpContext.Current.User.Identity.Name and not WindowsIdentity.GetCurrent().Name, as this service may be consumed from ASP.nET applications that use Forms or Windows authentication. From what I understand, it should appear in ServiceSecurityContext.Current.PrimaryIdentity.Name. I have search for ages to try to find the answer to this but have not yet found it.

Have a look at Username Authentication :)
http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/

Related

Using login session from asp.net in silverlight

Is there a way I can use the session created by ASP.NET to authenticate my silverlight app? All I would need is the userID. Then I can call to my WCF RIA service to get roles, etc. If there is a better way to do this, please tell.
But I want to be able to login using html in asp.net. I'm using forms authentication.
Since the user authentication context resides on the server and the SL resides on browser, you need to create a service layer in WCF to get these details. The WCF service needs to run in aspNetCompatibilityEnabled mode. Check details here. Once you create such WCF service, you can expose methods on it such as GetLoggedInUser(), GetUserRoles() etc. I believe WCF RIA service make this work easier for you, so you can concentrate on main application logic.
If the user id is all you need you can pass it as a custom initialization parameter to the Silverlight plugin. More info on MSDN:
http://msdn.microsoft.com/en-us/library/cc189004%28v=vs.95%29.aspx

How authenticate web methods in a web service?

I'm using Asp.net c# language programming.
What is the best way for authenticating web methods in a web service?
Is it right having authentication for every web method and verify user name and password for each web method?
Is there a way to authenticate just once not for every web method? something like using sessions and etc?
You might want to look into this one:
http://weblogs.asp.net/cibrax/archive/2006/03/14/implementing-a-secure-token-service-with-wcf.aspx
Edit
If you are bound to only use asmx for some reason, then I would also suggest looking into WSE from MSFT.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=018A09FD-3A74-43C5-8EC1-8D789091255D
You can pass around a token from your client into the web method. The token is encrypted with public/private keys.
For more info here:
http://msdn.microsoft.com/en-us/library/ms996931.aspx
First of all, you should be using WCF for web service development unless you're stuck at .NET 2.0.
Secondly, you can use Windows authentication or Basic authentication over https, but those restrict you to users who are Windows users. If you have a separate set of users, then you will need to do your own authentication.
You can use SOAP Headers so that you don't need a username and password in every web method.

Impersonate FormsAuthenticated user in HttpHandler for WCF call

I'm using HttpHandlers to generate PDF report files "on-the-fly" using the authenticated user context.
However, to create the report PDF file I need to call a method on a secure WCF service with the context of the caller (the authenticated user).
I saw plenty of answers for the Windows authentication but I'm using plain old Forms authentication so the answers don't apply.
The authentication on the service side is done using ASP.NET membership (same server that hosts the HttpHandler).
There should (I hope) be a way for me to just pass on the caller context to the service.
I'm afraid I didn't make myself clear enough.
What I have is a WCF service and an HttpHandler. The user is authenticated with the WCF service with ASP membership.
What I want to do is, in the HttpHandler, be able to do
SetContextAsCaller();
myWCFService.MyMethodCall();
and have MyMethodCall() called using the HttpCaller's context to pass on its ASP ticket/username etc.
You could - depending on what binding and thus transport protocol you use - use UserName/Passwort authentication, and instruct the WCF server side to use ASP.NET membership provider for authenticating the incoming callers.
Check out the Fundamentals of WCF Security and this blog post series on WCF security scenarios - they contain a lot of very useful information on how to use and set up WCF security.
Does that help, or do you need additional info? If so: what do you need?
Marc
UPDATE:
OK, after you commented, here are a few more articles that deal specifically with a WCF service impersonating the caller - hope these help:
WCF security guidance - How To Impersonate the original caller
Delegation and Impersonation with WCF
Setting up WCF to Impersonate Client credentials
Caller impersonation for WCF services

Silverlight and ASP.NET authorization

My website uses Forms authentication. I did silverlight 3 module which is designed to work in context of asp - authenticated user. Silverlight module talks with WCF hosted by the same asp.net website, but the issue is that it cannot authenticate to WCF service.
I run Fiddler and I see that .ASPXAUTH cookie is not sent to WCF service.
How to force Silverlight to get this cookie from browser and send it to service?
Finally I solved it.
The problem of missing cookie was made by inproper host name.
I was sending asp.net requests to myhostname, but SL was calling WCF using myhostname.mylocaldomainnam.local. This is why there was no .aspauth cookie during WCF calls.
I've used it successfully. First, I make sure that there are is a service endpoint for the WCF AuthorizationService used by ASP.NET. Then use the Silverlight project to generate a "Service Reference" to the AuthorizationService. Finally, in your module, you will use that service reference to login your visitor using their credentials stored within your provider. If you have some more information on how you've built your site, I might be able to offer a more concise answer to your problem.

Accessing .NET Web Service securely from Flex 3

We can successfully consume a .NET 2.0 web service from a Flex/AS3 application. Aside from SSL, how else can we make the security more robust (i.e., authentication)?
You can leverage ASP.Net's built in session management by decorating your webmethods with
<EnableSession()>
Then, inside your method, you can check that the user still has a valid session.
If you're talking about securing the information going over the wire, you can use Web Service Extensions (WSE) to encrypt the body of the soap message so that you don't have to secure the channel. This way the message can get passed around from more than one endpoint (ie. it can get forwarded) and you don't need multiple https certs.
If you're talking abut autentication then you could do forms auth with either a password in the body or in the soap headers (once again either encrypt the body or the channel). Or one of the easiest ways to secure a webservice (if it's an internal set of services) is have IIS do it, turn on NTLM and do authentication there. You can do authorization later on in the pipeline with an HTTPModule that checks peoples credential against the code they're trying to call.
Consider using WebOrb to communicate with your service. Here is some information on WebOrb's authentication mecahnism. There is also an article on Adobe's developer site on using WebOrb and .Net for authentication.
You should be able to use asp.net's authentication (such as forms authentication) without much extra effort. Securing an asmx file is just like securing an aspx file. There's a ton of information on forms authentication out there, just search for 'asp.net forms authentication'
If you are using Microsoft technologies you could build a little Asp.Net/C# application that would ask for credentials before redirecting to the correct swf.
That way you could restrict the access and have different swf file depending on the user.

Resources