NET web application and a WCF Application that share the same ASP.NET membership database.
They are both sharing the same ASP.NET membership database.
It is basically like:
WCF: is https://ServerName/Services.svc
ASP.NET: is https://ServerName/Default.aspx
(both are two virtual folders in the same web application and both are using the same ASP.NET membership database).
The user logs on to the ASP.NET application and can then decide to call the WCF service.
What are my options for setting the security for the call between the ASP.NET and the WCF service that make the call using the credentials supplied by the user when logging to the ASP.NET application?
If you run you application in ASP.Net Compatibility mode. You will get all the security features available with ASP.Net. Things such as HttpContext.Current.User will point to the logged in user.
For the fastest implementation (by fastest I mean to get up and running) get Juval Lowy`s ServiceModelEx library from http://www.idesign.net and use his declarative security library.
I have used this library a lot and it works well.
Related
I have been tasked to set up Single Signon for asp.net application (SAAS) using IIS server with a client who has ADFS3.0 for providing identity credentials. the users authenticated will be allowed to log in to the web application but i have been going through a lot of information as how to set up service provider files as the application is already running.
what settings and where do i need to configure them. any help will be greatly appreciated.
The "modern" way to do this is by using OWIN.
You will have to change your application as per Use the OWIN Security Components in ASP.NET to Implement Web Sign On with ADFS.
Then add your RP to ADFS and you are good to go.
For completeness. the "old" way to do this is to use WIF as in How To: Build Claims-Aware ASP.NET MVC Web Application Using WIF.
I am starting a new MVC project for one of my clients. They already have an iPhone app which is having most of the functionalities that I intend to do. And a web service exists. I do not have any database side work. My question is, I want to use the web service calls for authentication. But asp.net MVC is using Identity as default authentication. How do I tackle to use Identity with out much effort to call the web service for authentication?
I'm having all kinds of trouble understanding this. Every article I read seems to have some unmentioned prerequisite amount of knowledge.
I have written a WCF service that was initially designed to be an intranet service. Now we are moving this service to a cloud hosting solution and it needs to only let authorized users call its methods.
I've since created an ASP.Net MVC 5 website for support purposes. The idea for this is that support staff will login to the mvc site with seeded credentials and add users as they sign up for the service. At the moment, users should not need to enter username or password anywhere. The service client will have username and password knowledge via local settings or configuration file or something and the authorization will be invisible to users. The MVC project seems to be working fine after some changes to the out-of-the-box flow. The database (remote) is created and being populated with new registered user information.
Because the WCF service is in a different project, and to keep a level of portability I have referenced that project in the MVC project. I then added a "wrapper" wcf service to the MVC project that I intend to be the forward facing door to the existing WCF project. In this wrapper wcf service is where the authentication should happen. I don't understand how to tie the ASP.Net Identity authorization used in the new MVC project into the wrapper wcf service. How can I make the wrapping service authorize user credentials against the identity database created and populated using the MVC site?
Thanks,
PS
Transport security is not my issue at the moment so if possible leave those topics out.
I have a Webpage made with ASP.Net and another set of tools like a WPF, Windows Forms applications. Is mandatory that the ASP.Net webpage and all the set of applications be authenticated against the same ASP.Net membership provider database.
What I want to know is the best way to authenticate using a WCF service that uses ASP.NET membership provider for the authentication. Is anything made out of the box for authenticate a ASP.NET webpage against a WCF authentication service? I have to implement a Custom Provider? Because the Membership in ASP.NET Webpage fill the IPrinciple User property with user information and I want the same behaviour with a WCF service authentication.
a custom membership provider is how i have done this before. it worked pretty well. my group made the mistake of making the wcf service match the interface of the membership provider, which was unnecessary and messy. if you choose to go this route, i'd recommend making your service contract on your own as you want it and implementing your provider to consume that.
if i was doing it again, though, i wouldn't use wcf at all, but rather just use a membership provider (existing or a custom one, depending on your needs) for the asp.net application that talks directly to the database rather than a wcf layer and have a shared assembly the other tools could use that talks directly to the database. even having common code in a wcf service tier. i don't think using a service really provides a whole lot that you couldn't get by just using a common assembly. the asp.net membership provider is going to be something separate anyway.
this is assuming you are within an environment where you can just have the desktop tools connect to the database. if this is an internet deployed scenario, you probably do need to do this through some kind of service, and wcf is a great candidate for that. it's probably a shorter path, though, to use an existing membership provider and build your wcf service on top of the database that goes with that than to build a membership provider that consumes the wcf service. i don't think it would be a bad choice to do the latter, but you'd probably be better off with the former. this, of course, depends on a lot of factors, though.
We have an ASP.NET MVC application that is not part of SharePoint. However, it'd be preferable to leverage SharePoint's security framework. For instance, when the user enters username/password in the non-SharePoint app, could it call a SharePoint webservice to authenticate the user? Or is there any other way to achieve this?
It all depends, if SharePoint uses AD then I see no added value in authenticating with SharePoint. If SharePoint uses forms-based authentication, I would create a custom web service running on the SharePoint server that allows you to authenticate users. That way if you ever need it again for another application you can use that webservice / wcf service.
To use the SharePoint Security framework you will have to run your application inside the context of the SharePoint. One quick solution to achieve this is to create a Virtual Directory under the SharePoint web application and place your code there and you will have the full sharepoint context.