I am trying to "behind the scenes" log myself into a website, from the VB code behind my ASP.NET website. But I am dumbfounded as to how to do this.
As far as I know I should be using the WebRequest or Webclient class. That is about as much as I know. I am not sure how to use the class.
I want to click a button on my website and have its Click event send a username and password to another website. This other site isot affiliated with mine. I realize the concept may seem stupid, but I plan on taking this further later, but Just need to know this now.
If anyone could give me some code example with explanation or direct me to a good tutorial that would be greatly appreciated!
If it helps at all, the website I am trying to log into is www.Lockerz.com
Thanks!
If the client site uses basic authentication you can add credentials like this:
WebRequest myReq = WebRequest.Create(url);
CredentialCache mycache = new CredentialCache();
mycache.Add(new Uri(url), "Basic", new NetworkCredential(username, password));
myReq.Credentials = mycache;
If it uses form login, you can use Fiddler to sniff the data posted on a login, and perform the same request from a HttpWebRequest object. You might want to handle cookies as well if you have to perform multiple requests with the logged in user.
Reference:
Cookies: Automatic Cookie Handling C#/.NET HttpWebRequest+HttpWebResponse
Cookies and POST: HttpWebRequest POST and Cookies
Download class: Characters in string changed after downloading HTML from the internet
Related
I have a WebApi using Basic Auth nicely. And I have an MVC site using Forms Auth nicely. But here's the catch:
Client X has a dedicated database with any number of Contacts and Products. The MVC site is a dedicated site for them (via {clientId} routing), which allows their Contacts to log in (via Forms Auth) and place orders for their products. The Contact must be Form-ly logged in to place an order.
The product orders (need to) hit the WebApi to be recorded in the Client's database.
But since the WebApi uses Basic Auth to validate the Client, not the Contacts who placed the orders, every request comes back is 401 - Unauthorized.
I've checked out ThinkTecture as suggested by a number of posts here on SO, however it doesn't get me what I need because I'm not looking to allow Forms Auth in the WebApi. I don't want to authenticate the Contact from the Client's database in the WebApi, I want to authenticate the Client in the WebApi.
Has anyone come across a similar scenario and am I missing something glaringly obvious? Perhaps I need to implement both Forms and Basic on the site?
The very standard Api call I'm making from the site (where the UserName and Password are the Client's, not the Contact's):
var clientId = new Guid(RouteData.Values["clientId"].ToString());
var baseUrl = ConfigurationManager.AppSettings["ApiBaseAddress"];
var authHeader = Convert.ToBase64String(Encoding.ASCII.GetBytes(String.Format("{0}:{1}", _shoppingCartSettings.UserName, _shoppingCartSettings.Password)));
var requestUrl = String.Format("api/{0}/inventory", clientId.ToString());
var httpWebRequest = WebRequest.Create(baseUrl + requestUrl);
httpWebRequest.Headers.Add(HttpRequestHeader.Authorization, "Basic " + authHeader);
httpWebRequest.Method = "GET";
httpWebRequest.Accept = "application/json";
httpWebRequest.ContentType = "application/json";
try
{
using (var httpWebResponse = httpWebRequest.GetResponse())
{
// we never get here because of a 401
}
}
catch (WebException ex)
{
using (var httpWebResponse = ex.Response)
{
// we always get here
}
}
If I set up a separate test client and make the same call, it works great :/
Is your Web API under the same virtual directory and configuration as the MVC site? It looks like the Forms Auth HTTP module kicks in for your API, which you don't want. As long as you don't plan to call the API directly from the browser, move it to a separate virtual directory that is set up exclusively for basic auth, no forms auth module in the web.config for the API.
Why not have one login for your MVC site that has the ability to submit orders for every Client? It makes sense for your WebAPI to only allow Clients to submit orders for themselves. But I don't think it makes sense to have your MVC site authenticate as different Clients based on the Contact. Your MVC site would have to store the passwords for each Client.
Instead, create one login for the MVC site and give it the ability to submit an order for any Client.
After much banging of head against the not-so-proverbial wall, and a much needed shove by #0leg, I've discovered the cause.
In the Properties of my WebApi project file under Web > Servers, the Visual Studio Development Server was being used with a Virtual Path of "/", whereas my MVC project file was set up to use the Local IIS Web Server. The MVC project also had the Apply server settings to all users (store in project file) option checked.
Setting both to use the local IIS server resolved it.
Upon further contemplation, this now seems logical since they were essentially running on different servers.
Posting this for posterity's sake.
I got two website, domain1.com and domain2.com, on domain1.com I have a generichandler that will write a response which tells whether or not the user is authenticated using:
string json = "{\"status\":\"" + HttpContext.Current.User.Identity.IsAuthenticated + "\"}";
HttpContext.Response.Clear();
HttpContext.Response.ContentType = "application/jsonp"
HttpContext.Response.Write(json);
now if I view the generichandler using my browser everything works fine, if the user is logged in it will return "status":"true" otherwise "status":"false"
the problem starts when I send a request from domain2.com to this generichandler using $.get(), the result will always be "status":"false" regardless whether or not the user is logged in. Is this because there are some kind of cross domain violations? I really dont understand this, please help me, thank you.
When you use ASP.NET Forms Authentication a ASPXAUTH cookie is created for that domain.
Cookies are sent with each request so ASP.NET will look for the ASPXAUTH cookie (which doesn't exist in domain2.com) and determine that the user is not authenticated.
You might have to look into a cross domain SSO solution that fits your needs. Have a look here: http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
I have a admin page in asp.net that adds data to a database. This database is available as a JSON string to external websites, however, since it's a lot of data, the external websites cache this data locally.
I want to be able to ping the external websites to let them know the data has changed so they can referesh their cache. I figure I can setup an ASHX handler that receives a parameter telling them what data has changed, so they can both delete that data and refresh it.
The only part I'm not sure about is the best way to call this external page from my admin page. Do I just do a regular WebRequest and discard the result? or is there a simpler way to call a page from code when you don't need the response?
Basically I just want to "ping" this page, so it knows it needs to refresh.
thanks!
If you just want to call the remote page, you can use the WebRequest class.
http://msdn.microsoft.com/en-us/library/debx8sh9.aspx
WebRequest request = WebRequest.Create("http://my.domain.ext/page.ashx");
using(WebResponse response = request.GetResponse()) {
response.Close();
}
If you want to do more advanced stuff a webservice would be more appropriate.
You could have a flag set up in the database. That would turn this into a much simpler task.
If no alternative exists you can use the WebClient class:
using (var wc = new WebClient())
{
wc.DownloadString(address);
}
I'd like to use ASP.NET MVC's views as mail template engine. For that, I am calling one controller action from another controller action using a System.ComponentModel.Component.WebClient, parse the returned web page and send it via e-mail.
In this scenario, is it possible to forward the current user's login credentials (I am using FormsAuthentication) to the controller action requested by the WebClient? User passwords are encrypted, so I can't just create a new NetworkCredentials instance with his user name and password.
Yes, you can just copy the .ASPXAUTH cookie from your current Request object to the WebClient
EDIT: I haven't actually tried this myself, so maybe the .ASPXAUTH cookie is removed from the Request object for security reasons.
But since you have access to the machine key, you can create your own cookies on the fly. Here's the code that should do it (I can't find the project where I actually did that)
var ticket = new FormsAuthenticationTicket(User.Identity.Name, true, 5);
string aspxAuthCookieValue = FormsAuthentication.Encrypt(ticket);
This code creates a forms authentication cookie for your current user name and with an expiration time of 5 minutes.
Instead of performing a http request, aren't you looking for something like "rendering a view to a string"
When accessing my site, the user has to enter his credentials. They are basically plain directory access credentials.
At a certain point I check if a certain file they want to download exists by calling
WebRequest req = HttpWebRequest.Create(checkUri.AbsoluteUri);
WebResponse res = req.GetResponse();
Although I can access the checkUri from the browser, I get a 401 when doing the above check. I think I have to set the
req.Credentials
But I don't know where the current credentials are stored...
Any ideas?
--Update--
Integrated Windows Authentication: No
Allow Anonymous: Off
Caler: Link on page of same site (GET)
Impersonation: default is off (don't even know how to enable it in asp.net mvc)
I was having a similar problem on a site where I'm using forms authentication, I was able to solve this problem by using the code provided here as the second reply in the thread.
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri);
// Add the current authentication cookie to the request
HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
Cookie authenticationCookie = new Cookie(
FormsAuthentication.FormsCookieName,
cookie.Value,
cookie.Path,
HttpContext.Current.Request.Url.Authority);
req.CookieContainer = new CookieContainer();
req.CookieContainer.Add(authenticationCookie);
WebResponse res = req.GetResponse();
I think you want this:
req.Credentials = CredentialCache.DefaultCredentials;
You're going to need to enable Integrated Windows Authentication.
I don't know what happens in ASP.NET MVC, but in ASP.NET Web Forms impersonation is turned on by:
<identity impersonate="true">
in web.config.