I have a set of WCF services with AspNetCompatibility enabled and consume them from jQuery. My web application requires authentication. Using only logic here (as I lack enough knowledge), does that mean WCF will be accessible and limited only to currently logged-in users? I know one can catch communication data and try to reuse it later (I don't have SSL), but for that he should be logged in.
Right, wrong or just stupid in my own optimism?
Yes, because you have ASP.NET compatibility enabled and because you're using ASP.NET security, as long as you have the proper <authorization> setting for the WCF resource it should be secured by ASP.NET security. At bare minimum this means you should have authorization defined as follows on the WCF resource:
<authorization>
  <deny users="?" />   <!-- deny all anonymous users -->
  <allow users="*" />  <!-- allow all authenticated users -->
</authorization>
Only if you allowed "*" would your WCF service be inaccessible to non-authenticated users.
You can read more about this here in this MSDN article under the section titled Hosting WCF Services in ASP.NET Compatibility Mode.
On an ASP.NET website hosted on Azure, I need to secure a page so that only certain users can access it. Because of a javascript library used in the page, it will work correctly only when served over HTTP, but the ASP.NET authentication will not allow access unless the page is served over HTTPS.
To limit access to the secure page, I added a Web.config file to the folder containing the page:
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <allow roles="Map Viewer" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
The main web.config file sets up forms authentication.
<authentication mode="Forms">
  <forms loginUrl="~/account/login/"
         requireSSL="true"
         timeout="2880" />
</authentication>
This works like a charm if you access the secured page through https (e.g. https://example.com/Map). You are prompted to log in, you enter your credentials, and then you go to the page. As noted above, the page will not work correctly if served over http. However, ASP.NET authentication/authorization won't allow you to access it:
1. If you are not logged in and try to access the page over http, you are redirected to the site home page once you log in.
2. If you are logged in and try to access the page over http, you are shown the login screen even though you are already logged in.
No other secure pages on the site require HTTP to work correctly, and this form-based authentication process has been working fine for those pages for years.
Set the requireSSL attribute to false, or remove it (requireSSL is false if no value is specified). If requireSSL is set to true, then the server will not accept authentication cookies unless they are sent to the server over an HTTPS connection. When this attribute is removed, the server will accept authentication cookies from both HTTP and HTTPS.
I have an intranet ASP.NET WebAPI application providing a REST API and we want to use Windows authentication to secure the URLs by setting allowed groups in the web.config like:
<authentication mode="Windows" />
<authorization>
  <allow roles="someGroup1" />
  <allow roles="Somegroup2" />
  <deny users="*" />
</authorization>
From this page it sounds like this will fit our needs, but there is one issue I am not sure about: If we have an existing 3rd party application (not .NET) that is on the same network that consumes our REST service, will running this application as a user account who is a member of an allowed group allow the application to connect to the REST API successfully? From the asp.net site:
For .NET client applications, the HttpClient class supports Windows authentication:
HttpClientHandler handler = new HttpClientHandler()
{
    UseDefaultCredentials = true
};
HttpClient client = new HttpClient(handler);
It looks like you have to take some special steps inside a client application to authenticate using Windows credentials.
Does anybody know if this solution will work or whether there is a workaround to allow 3rd party applications to authenticate using Windows credentials?
If the application is running on a separate server this won't work unless you are running in a Kerberos environment. What you are describing is a two-hop scenario that is not supported in the default Windows authentication environment. Basically, by default, an application can't take the security credential from one server and go to another server with it. Google two-hop security and you'll find plenty of information on why it doesn't work.
I have an ASP.NET site running on Azure at https://[appname].cloudapp.net. I also have an asmx web service running as a subapp in the same instance at https://[appname].cloudapp.net/WebService.
The root site is protected with passive ADFS authentication. Since the web service inherits settings from the root application's web.config, it is also protected.
My problem is that when I make web service calls, the FedAuth cookie is not getting passed along to the web service and I always receive the STS login page as a response from the web service.
How can I make use of the FedAuth cookie retrieved from signing into the root app to authenticate my web service calls?
You should make the web service anonymous and handle a different type of authentication (assuming the service needs to be secured). You can't "pass" the FedAuth cookie because that lives in the browser. So unless you do the web service call from the browser using AJAX you won't be able to do it. One thing you could do is to pass the original ADFS SAML token to the web service and validate it, but that won't be trivial in asmx.
<location path="WebService">
  <authorization>
    <allow users="*" />
  </authorization>
</location>
I'm looking to deny all anonymous access to my login page and only allow people who are in a certain role to be able to view the page or anything under that directory. Is this possible? I have tried to implement this in the web.config but had no joy :(
thanks
This would only be possible in an intranet application where your users would be authenticated against Active Directory. See MSDN
Otherwise, how would users log in if they don't have access to the login page?
I would rather implement access control on the actual content pages, or do an additional check when users attempt to log in and let them know that they need to be in a certain role in order to log into the system successfully.
Yes, you can...assuming that your clients are all running Windows workstations that are in the same AD domain as your IIS webservers and are using Internet Explorer (so, intranet only and not over the Internet). You want to configure IIS to only accept Integrated Windows Authentication, which will force the client workstations to use Kerberos to supply authentication information to IIS. Here's a how-to from Microsoft on how to configure this.
In web.config:
<configuration>
  <location path="MyLoginPage.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
The special keyword ? means anonymous users, which is documented in the element schema:
Attribute: users
A comma-separated list of user names that are denied access to the resource.
A question mark (?) denies anonymous users and an asterisk (*) indicates that all user accounts are denied access.
Basically this is the Microsoft long-winded way of saying:
Location: MyLoginPage.aspx
Deny: anonymous
This means that someone will have to be authenticated using a mechanism other than Forms, such as Integrated (aka Kerberos, Windows) authentication, or with Basic authentication. You won't be able to use Forms Authentication, because they won't be able to reach the login page to log in.
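The first answer on this page relies on the order of `<deny users="?"/>` and `<allow users="*"/>`, and this answer spells out what `?` and `*` mean. The following Python model (added here as an illustration; it is not part of any answer and is not ASP.NET's own code) evaluates a rule list the way URL authorization does: first matching rule wins, `?` matches only anonymous requests, `*` matches everyone, and an unmatched request is allowed because the machine-level configuration ends the chain with `allow users="*"`. It also models how a folder web.config or `<location>` is consulted before its parent's rules. User and role comparisons are assumed to be case-insensitive, and the principals and rule sets (WCF_RULES, MAP_RULES, SITE) are constructed from the configs quoted on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Principal:
    """The identity attached to a request (constructed for this example).
    name is None for an anonymous request."""
    name: Optional[str] = None
    roles: FrozenSet[str] = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


@dataclass(frozen=True)
class Rule:
    """One <allow .../> or <deny .../> element. users may contain the special
    tokens "?" (anonymous) and "*" (everyone) as well as user names."""
    action: str                      # "allow" or "deny"
    users: Tuple[str, ...] = ()
    roles: Tuple[str, ...] = ()


def rule_matches(rule: Rule, user: Principal) -> bool:
    """'?' hits only anonymous requests, '*' hits everyone; names and roles
    are compared case-insensitively (an assumption of this model)."""
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and not user.is_authenticated:
            return True
        if user.is_authenticated and u.lower() == user.name.lower():
            return True
    if user.is_authenticated and rule.roles:
        held = {r.lower() for r in user.roles}
        if any(r.lower() in held for r in rule.roles):
            return True
    return False


def check_access(rules: Sequence[Rule], user: Principal) -> bool:
    """First matching rule wins. No match means allowed, because the
    machine-level config ends the chain with <allow users="*"/>."""
    for rule in rules:
        if rule_matches(rule, user):
            return rule.action == "allow"
    return True


def effective_rules(path: str, scoped: Sequence[Tuple[str, Sequence[Rule]]]) -> List[Rule]:
    """Combine rules from nested scopes (a <location> or a folder web.config
    plus its parents): the most specific scope's rules are evaluated first."""
    applicable = [(p, r) for p, r in scoped if path.lower().startswith(p.lower())]
    applicable.sort(key=lambda pr: len(pr[0]), reverse=True)
    return [rule for _, rules in applicable for rule in rules]


# Constructed principals.
ANON = Principal()
ALICE = Principal("alice", frozenset({"Map Viewer"}))
BOB = Principal("bob")                                    # authenticated, no roles

# Rule sets taken from the configs quoted on this page.
WCF_RULES = [Rule("deny", users=("?",)), Rule("allow", users=("*",))]
REVERSED = [Rule("allow", users=("*",)), Rule("deny", users=("?",))]   # ordering pitfall
MAP_RULES = [Rule("allow", roles=("Admin",)), Rule("allow", roles=("Map Viewer",)),
             Rule("deny", users=("*",))]
SITE = [("/", [Rule("deny", users=("?",))]),             # root: no anonymous access
        ("/Map/", MAP_RULES)]                              # folder web.config under /Map


if __name__ == "__main__":
    print(check_access(WCF_RULES, ANON), check_access(WCF_RULES, BOB))     # False True
    print(check_access(REVERSED, ANON))                                   # True: deny never reached
    print(check_access(effective_rules("/Map/default.aspx", SITE), BOB))  # False
```

The REVERSED set shows why ordering matters: with `allow users="*"` first, every request, anonymous ones included, matches the allow and the deny is never evaluated.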
I am deploying a public ASP.NET website on an IIS7 web farm.
The application runs on 3 web servers and is behind a firewall.
We want to create a single page on the website that is accessible only to internal users. It is primarily used for diagnostics, trigger cache expiry, etc.
/admin/somepage.aspx
What is the best way to control access to this page? We need to:
Prevent all external (public) users from accessing the URL.
Permit specific internal users to access the page, only from certain IPs or networks.
Should this access control be done at the (a) network level, (b) application level, etc.?
I found the best solution was to place an iRule on our F5 load balancer.
We created a rule that the load balancer would drop all external requests for the specific directory. Internally, we could still hit the pages by connecting directly to the servers in the farm.
Here is how to secure a specific page for specific users and only them:
<configuration>
  <location path="admin/somepage.aspx">
    <system.web>
      <authorization>
        <allow users="User1,User2" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
To set allowed IPs you need to configure the web site in IIS via IPv4 Address and Domain Restrictions, where you add a wildcard Deny entry and specific Allow entries.
Also, you can set up all this programmatically.
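The answer above describes a wildcard deny with explicit allow entries; the question also mentions a load balancer in front of the farm. The following Python snippet (added as an illustration; it is neither IIS's implementation nor code from any answer) applies that deny-by-default, allow-by-network policy to a request and handles the load-balancer case: `X-Forwarded-For` is only honoured when the direct peer is a trusted proxy, because otherwise the header is client-controlled. The networks in ALLOWED_NETWORKS and TRUSTED_PROXIES and all sample addresses are constructed for the example.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allow-list: internal networks permitted to reach /admin/.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]

# Constructed: the only hop trusted to append X-Forwarded-For is the load balancer.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.5/32")]


def client_address(remote_addr: str, xff_header: Optional[str] = None) -> IPAddress:
    """Return the address to authorize.

    If the TCP peer is a trusted proxy, the rightmost X-Forwarded-For entry is
    the address that connected to that proxy. If the peer is anything else, the
    header is ignored: anyone can send a forged X-Forwarded-For.
    Raises ValueError on unparsable input."""
    peer = ipaddress.ip_address(remote_addr)
    if xff_header and any(peer in net for net in TRUSTED_PROXIES):
        last_hop = xff_header.split(",")[-1].strip()
        return ipaddress.ip_address(last_hop)
    return peer


def is_allowed(remote_addr: str, xff_header: Optional[str] = None) -> bool:
    """Wildcard deny with explicit allow entries: only addresses inside an
    allowed network pass; malformed input is denied rather than let through."""
    try:
        addr = client_address(remote_addr, xff_header)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    print(is_allowed("10.2.3.4"))                       # True: direct internal request
    print(is_allowed("203.0.113.7"))                    # False: direct external request
    print(is_allowed("10.1.1.5", "203.0.113.7"))        # False: external client via the LB
    print(is_allowed("203.0.113.7", "10.0.0.1"))        # False: forged header from outside
```

Note the third case: the load balancer's own address (10.1.1.5) lies inside 10.0.0.0/8, so a check that looked only at the TCP peer would admit every request the balancer forwards. That is why the forwarded header must be consulted, and only when the peer is the balancer.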
A simple implementation would be to set File Security on that File in IIS to Integrated Windows Authentication only.
Then in that file's code behind, check for the user's ID. If they are authenticated, they will have an ID; let them access the page.
if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
    // Direct user to other page or display message.
}
When users go to that page, it will ask them for their network login.