Is there a way I can use the session created by ASP.NET to authenticate my Silverlight app? All I would need is the userID. Then I can call my WCF RIA service to get roles, etc. If there is a better way to do this, please tell me.
But I want to be able to log in using HTML in ASP.NET. I'm using forms authentication.
Since the user authentication context resides on the server and the SL resides in the browser, you need to create a service layer in WCF to get these details. The WCF service needs to run in aspNetCompatibilityEnabled mode. Check details here. Once you create such a WCF service, you can expose methods on it such as GetLoggedInUser(), GetUserRoles() etc. I believe WCF RIA Services makes this work easier for you, so you can concentrate on the main application logic.
If the user id is all you need you can pass it as a custom initialization parameter to the Silverlight plugin. More info on MSDN:
http://msdn.microsoft.com/en-us/library/cc189004%28v=vs.95%29.aspx
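One way to build the service layer suggested in the first answer above, as an added example that is not code from the original thread: the interface and class names are hypothetical, the two method names are the ones that answer proposes, and the identity is read on the server from the Forms Authentication ticket instead of from a value the client sends. It assumes `<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />` in web.config and an enabled role provider.

```csharp
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;
using System.Web.Security;

// Hypothetical contract; the method names follow the answer above.
[ServiceContract]
public interface IUserContextService
{
    [OperationContract]
    string GetLoggedInUser();

    [OperationContract]
    string[] GetUserRoles();
}

// Required: the service refuses to activate unless ASP.NET compatibility mode
// is enabled, so HttpContext.Current is populated by the ASP.NET pipeline.
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class UserContextService : IUserContextService
{
    public string GetLoggedInUser()
    {
        return RequireAuthenticatedUser();
    }

    public string[] GetUserRoles()
    {
        // Roles are looked up for the server-verified name only; the client
        // never supplies the user id it wants roles for.
        return Roles.GetRolesForUser(RequireAuthenticatedUser());
    }

    private static string RequireAuthenticatedUser()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            // No valid forms-authentication ticket on this request: fail closed
            // instead of returning an empty name or an empty role list.
            throw new FaultException("Caller is not authenticated.");
        }
        return ctx.User.Identity.Name;
    }
}
```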
Related
First of all, thanks to all for sharing all the knowledge with the community.
I currently have a Silverlight application that consumes some WCF services. These WCF services use a custom authorization policy which expects an Identity with roles to authorize or not.
In this application all is working fine. I create a channel with the WCF and the Identity is passed from the client to the server.
The problems came when I tried to consume those WCF services from another ASP.NET MVC application. I have tried to replicate the web.config in this new application, to maintain the configuration and try to make it easier.
In this new application when I look in the System.Web.HttpContext.Current.User.Identity variable in my IAuthorizationPolicy class, it is empty and the authorization fails.
So the next test that I did was to host the WCF in this new application, to avoid authentication between sites. I perform a FormsAuthentication in the site and I create a cookie to store the user information. When I navigate between pages, System.Web.HttpContext.Current.User.Identity has a value in my HttpModule class, but when I call the WCF service, this HttpModule class has no value in the System.Web.HttpContext.Current.User.Identity variable.
I am stuck because I do not understand this behavior.
If my HttpModule class always returns a new fixed GenericIdentity, it works fine when I consume the WCF services hosted in the application itself.
If I consume the services hosted in the original application, it does not work, although I return the new GenericIdentity in the HttpModule.
I've spent some days on this issue, so I need your kind assistance. I have read a lot about WCF architecture but I need a clue from someone.
Thanks in advance.
I'm calling a WCF service from an ASP.NET application. From this, I am accessing a WCF service using WSHTTPBinding. I can get the current user from HttpContext.Current.User.Identity.Name. I want to be able to pass this to WCF (not using a custom header - surely there is a proper way to do this). It must be the identity in HttpContext.Current.User.Identity.Name and not WindowsIdentity.GetCurrent().Name, as this service may be consumed from ASP.NET applications that use Forms or Windows authentication. From what I understand, it should appear in ServiceSecurityContext.Current.PrimaryIdentity.Name. I have searched for ages to try to find the answer to this but have not yet found it.
Have a look at Username Authentication :)
http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/
I'm using ASP.NET with the C# programming language.
What is the best way to authenticate web methods in a web service?
Is it right to have authentication for every web method and verify the user name and password for each web method?
Is there a way to authenticate just once, not for every web method? Something like using sessions, etc.?
You might want to look into this one:
http://weblogs.asp.net/cibrax/archive/2006/03/14/implementing-a-secure-token-service-with-wcf.aspx
Edit
If you are bound to only use asmx for some reason, then I would also suggest looking into WSE from MSFT.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=018A09FD-3A74-43C5-8EC1-8D789091255D
You can pass around a token from your client into the web method. The token is encrypted with public/private keys.
For more info here:
http://msdn.microsoft.com/en-us/library/ms996931.aspx
First of all, you should be using WCF for web service development unless you're stuck at .NET 2.0.
Secondly, you can use Windows authentication or Basic authentication over https, but those restrict you to users who are Windows users. If you have a separate set of users, then you will need to do your own authentication.
You can use SOAP Headers so that you don't need a username and password in every web method.
I'm using HttpHandlers to generate PDF report files "on-the-fly" using the authenticated user context.
However, to create the report PDF file I need to call a method on a secure WCF service with the context of the caller (the authenticated user).
I saw plenty of answers for the Windows authentication but I'm using plain old Forms authentication so the answers don't apply.
The authentication on the service side is done using ASP.NET membership (same server that hosts the HttpHandler).
There should (I hope) be a way for me to just pass on the caller context to the service.
I'm afraid I didn't make myself clear enough.
What I have is a WCF service and an HttpHandler. The user is authenticated with the WCF service with ASP membership.
What I want to do is, in the HttpHandler, be able to do
SetContextAsCaller();
myWCFService.MyMethodCall();
and have MyMethodCall() called using the HttpCaller's context to pass on its ASP ticket/username etc.
You could - depending on what binding and thus transport protocol you use - use UserName/Password authentication, and instruct the WCF server side to use the ASP.NET membership provider for authenticating the incoming callers.
Check out the Fundamentals of WCF Security and this blog post series on WCF security scenarios - they contain a lot of very useful information on how to use and set up WCF security.
Does that help, or do you need additional info? If so: what do you need?
Marc
UPDATE:
OK, after you commented, here are a few more articles that deal specifically with a WCF service impersonating the caller - hope these help:
WCF security guidance - How To Impersonate the original caller
Delegation and Impersonation with WCF
Setting up WCF to Impersonate Client credentials
Caller impersonation for WCF services
My website uses Forms authentication. I built a Silverlight 3 module which is designed to work in the context of an ASP.NET-authenticated user. The Silverlight module talks with WCF hosted by the same ASP.NET website, but the issue is that it cannot authenticate to the WCF service.
I ran Fiddler and I see that the .ASPXAUTH cookie is not sent to the WCF service.
How do I force Silverlight to get this cookie from the browser and send it to the service?
Finally I solved it.
The problem of the missing cookie was caused by an improper host name.
I was sending asp.net requests to myhostname, but SL was calling WCF using myhostname.mylocaldomainnam.local. This is why there was no .aspauth cookie during WCF calls.
I've used it successfully. First, I make sure that there is a service endpoint for the WCF AuthorizationService used by ASP.NET. Then use the Silverlight project to generate a "Service Reference" to the AuthorizationService. Finally, in your module, you will use that service reference to log in your visitor using their credentials stored within your provider. If you have some more information on how you've built your site, I might be able to offer a more concise answer to your problem.
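The host-name mismatch reported in the solved post above, as an added example that is not code from the original thread: a small check of whether a browser would attach the forms-authentication cookie to a given service URL. The class and method names are hypothetical, the two host names are the ones from the post, the paths are constructed, and the domain rule is simplified (no IP-address or public-suffix handling).

```csharp
using System;

public static class AuthCookieScope
{
    // RFC 6265 domain-match: same host, or a subdomain of the cookie domain.
    private static bool DomainMatches(string host, string domain)
    {
        return string.Equals(host, domain, StringComparison.OrdinalIgnoreCase)
            || host.EndsWith("." + domain, StringComparison.OrdinalIgnoreCase);
    }

    // cookieDomain is the cookie's Domain attribute, or null for a host-only
    // cookie (what Forms Authentication issues when <forms domain> is unset).
    public static bool WouldBeSent(Uri issuingPage, string cookieDomain,
                                   bool secure, Uri serviceUrl)
    {
        // A Secure cookie is never attached to a plain-HTTP request.
        if (secure && serviceUrl.Scheme != Uri.UriSchemeHttps)
            return false;

        // Host-only cookie: the request host must equal the issuing host.
        if (string.IsNullOrEmpty(cookieDomain))
            return string.Equals(serviceUrl.Host, issuingPage.Host,
                                 StringComparison.OrdinalIgnoreCase);

        string domain = cookieDomain.TrimStart('.');
        // The browser drops a cookie whose Domain does not cover the issuer.
        if (!DomainMatches(issuingPage.Host, domain))
            return false;
        return DomainMatches(serviceUrl.Host, domain);
    }

    public static void Main()
    {
        // Host names from the post; the paths are constructed.
        var page = new Uri("http://myhostname/Default.aspx");
        var svcFqdn = new Uri("http://myhostname.mylocaldomainnam.local/Service.svc");
        var svcSameHost = new Uri("http://myhostname/Service.svc");

        // Case from the post: login page on the short name, service on the FQDN.
        Console.WriteLine(WouldBeSent(page, null, false, svcFqdn));
        // Service addressed through the same host as the login page.
        Console.WriteLine(WouldBeSent(page, null, false, svcSameHost));
    }
}
```

Building the service address from the host that served the page keeps both requests inside the same cookie scope.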