I have a Webpage made with ASP.Net and another set of tools like a WPF, Windows Forms applications. Is mandatory that the ASP.Net webpage and all the set of applications be authenticated against the same ASP.Net membership provider database.
What I want to know is the best way to authenticate using a WCF service that uses ASP.NET membership provider for the authentication. Is anything made out of the box for authenticate a ASP.NET webpage against a WCF authentication service? I have to implement a Custom Provider? Because the Membership in ASP.NET Webpage fill the IPrinciple User property with user information and I want the same behaviour with a WCF service authentication.
a custom membership provider is how i have done this before. it worked pretty well. my group made the mistake of making the wcf service match the interface of the membership provider, which was unnecessary and messy. if you choose to go this route, i'd recommend making your service contract on your own as you want it and implementing your provider to consume that.
if i was doing it again, though, i wouldn't use wcf at all, but rather just use a membership provider (existing or a custom one, depending on your needs) for the asp.net application that talks directly to the database rather than a wcf layer and have a shared assembly the other tools could use that talks directly to the database. even having common code in a wcf service tier. i don't think using a service really provides a whole lot that you couldn't get by just using a common assembly. the asp.net membership provider is going to be something separate anyway.
this is assuming you are within an environment where you can just have the desktop tools connect to the database. if this is an internet deployed scenario, you probably do need to do this through some kind of service, and wcf is a great candidate for that. it's probably a shorter path, though, to use an existing membership provider and build your wcf service on top of the database that goes with that than to build a membership provider that consumes the wcf service. i don't think it would be a bad choice to do the latter, but you'd probably be better off with the former. this, of course, depends on a lot of factors, though.
Related
I'm having all kinds of trouble understanding this. Every article I read seems to have some unmentioned prerequisite amount of knowledge.
I have written a WCF service that was initially designed to be an intranet service. Now we are moving this service to a cloud hosting solution and it needs to only let authorized users call its methods.
I've since created an ASP.Net MVC 5 website for support purposes. The idea for this is that support staff will login to the mvc site with seeded credentials and add users as they sign up for the service. At the moment, users should not need to enter username or password anywhere. The service client will have username and password knowledge via local settings or configuration file or something and the authorization will be invisible to users. The MVC project seems to be working fine after some changes to the out-of-the-box flow. The database (remote) is created and being populated with new registered user information.
Because the WCF service is in a different project, and to keep a level of portability I have referenced that project in the MVC project. I then added a "wrapper" wcf service to the MVC project that I intend to be the forward facing door to the existing WCF project. In this wrapper wcf service is where the authentication should happen. I don't understand how to tie the ASP.Net Identity authorization used in the new MVC project into the wrapper wcf service. How can I make the wrapping service authorize user credentials against the identity database created and populated using the MVC site?
Thanks,
PS
Transport security is not my issue at the moment so if possible leave those topics out.
I am writing a new web site and am looking at Asp.Net Identity 2.0. Out of the box, it uses Entity Framework for all of its data access. For the rest of the site, we were creating middleware web services for data access. Our original plan for security sake was that the web servers would talk to middleware and middleware would talk to the database via Entity Framework. We had planned on blocking via firewall database access from the web server.
I see that I can create a custom provider for Identity 2.0 and it in turn could use middleware for it's data access.
Here are my questions:
Is it more secure to not allow the web servers to have direct database access?
If it is more secure, why would Microsoft not build it that way out of the box
If you were starting from scratch like we are, would you recommend using entity framework or writing a custom provider that goes through our middleware layer?
Thanks.
1.) It can be secure. I don't see it as a security issue but coupling issue. What if you want to upgrade or change from Entity Framework in the future? What if you want to change from Identity 2.0? What if you want to upgrade one but you can't because the other doesn't support it yet.
2.) Microsoft wanted to promote it products first and foremost. For simplicity sake if your ok with Entity Framework and Identity 2.0 and don't mind how coupled they are it could be perfectly fine solution.
3.) How much time/effort can you afford to spend on the custom provider? It might not be worth the effort to create your own provider.
Asp.NET Identity out-of-the-box is actually Asp.Net Identity on Entity Framework. It generates a database, connection string, the model files, the controllers and a context class for you, which you can redirect to your own database for it to generate the Identity tables within. Everything is very secure, and they've taken care of a lot of the authentication/password hashing for you. I wouldn't say it is worth it to create your own provider, but you can also create your own provider within Identity if you want. Identity 2.0 is great. Very easy to add custom table properties, etc.
I'd like to make an OOB Silverlight app based on the Silverlight Business Application template in Visual Studio. The template uses the default ASP.Net membership provider. I understand how to use that to add users and roles, etc. I've found plenty of tutorials on that. What I'd like to be able to do, is configure the Silverlight template so that it uses an existing ASP.Net membership base. We'd like this app to have a companion website (ASP.Net based).
To clarify: We've been able to setup an ASP.Net website and have created a SQL database with the required tables (aspnet_Users, aspnet_Membership, etc.). I'd like to configure a Silverlight app to access the same users and roles that are in those tables.
Can anyone help me out in terms of what I'd need to put in the Web.config? Do I just need a connection string? I'm new to ASP.Net authentication, but I'd rather use what ASP.Net gives me out of the box than have to write my own authentication service. I feel like this should be really easy, and is just a matter of pointing the Silverlight app in the right direction.
I'd like to use Silverlight 5 and .Net 4.5 if I can but I don't mind using an older version of either if it makes things easier.
You can just point the connection string to the existing database.
From this answer:
You can point your connection string for authentication to a database that all application can access.
So if you have the default database that .NET creates, you can point your other application to that as well for authentication.
I've had a look around on this subject most of the afternoon and still haven't seen a standard way of doing this.
I'm literally wanting a WCF service that connects to a .NET Membership system to be readily available to be called by a .NET site (could be more than one, thus the service) - should be easy enough, right? So...
.NET Site ----> WCF Service (Authenticate against .NET Membership) ----> .NET Site
I've set my SSL up on IIS, and I'm fully aware of WCF / .NET Membership, but my issue is linking the WCF service to the client site, how they're actually aware of each other and how the WCF service recognizes the Membership service?
I've looked at:
http://msdn.microsoft.com/en-us/library/bb398990.aspx
Which goes through the process of what I thought I was after - yet no connection strings are really made in that example, or any reference to the actual membership table. Further more, there's no example of how the client site is then authorised by the service.
Thanks in advance!
In case my comment was the answer will post it as an answer.
The Web Site that hosts Service must implement membership services.
Configuring an ASP.NET Application to Use Membership
Most Real world web applications have at least one dll library behind them. If we use the ASP.NET membership provider, how can we call the Roles.IsInRole method in the dll?
The possibility of referencing HttpContext is not good. Because, we have a few console application tools that use the same dll to complete a few bulk operations.
It sounds like you need to decouple your Membership mechanism from ASP.NET.
There are some good resources here on how to reference the ASP.NET Membership Provider from Windows Forms applications, which would work in the same way for console applications.
The best one is here (in VB.NET).
However, all suffer the same basic problem, which is that a malicious user could change their configuration to use their own authorisation database. (ASP.NET configuration is not available to users so we don't have the same problem there.)
So a better approach would be to either directly query the ASP.NET membership databases from your code in ADO.NET (which isn't hard: they're fairly straightforward) or to roll your own implementation of the underlying Membership Provider interfaces (detailer on MSDN here). You could then have the ASP.NET Membership Provider call your own code to establish if a user is in a role, and use this code in the same way from your console application.