I have an ASP.NET 3.5 site that exposes web services as part of the web project for jQuery HTTP/POST calls to access. The site is using forms authentication. I currently have the web services denied to anonymous users. By using Firebug, I can see the ASPXAUTH cookie coming across on every web service call from jQuery, and I would like to use it to fetch the membership user from my ASP.NET membership database in the web service code. Is this possible? I'm having trouble both finding how to access a cookie on an HTTP/POST in the web service code & how to take that cookie and get the membership user.
Looks like it's a simple as just using Membership.GetUser();! I was having a brain fart and not realizing that it was that simple.
Related
I have an ASP.NET web application that is using ASP.NET Identity for login with UseCookieAuthentication in the Startup.
The login site is working fine.
I also have an ASP.NET WebAPI site that I use to gather data. I would like to secure the WebAPI with the same cookie that was created at the Login web site.
The machine keys are identical and the UseCookieAuthentication is using the same CookieName and CookieDomain settings.
I can't seem to find any good articles on how to use Cookie based auth between ASP.NET sites.
Any links or ideas are welcome.
If there are any examples passing ClaimsIdentity between two sites that would be great.
We only choose the UseCookieAuthentication because it was similar to FormsAuthentication but we are not opposed to using Claims Authentication if we could find out how.
Working by adding
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
I would recommend ClaimsIdentity instead of trying to pass around cookies. That way you can "register" the web application with the WebAPI application.
I'm assuming by the description that the web app and the WebAPI app are on different domains or at least different virtual directories on the server. If so, you'll probably want to take a look at CORS as well.
Here are a few relevant articles:
http://www.jayway.com/2014/09/25/securing-asp-net-web-api-endpoints-using-owin-oauth-2-0-and-claims/
http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api
If the web app is the only consumer of the WebAPI code and they can be hosted on the same server, you may consider just adding the WebAPI code to the web app solution. Then you won't have to worry about CORS.
I built an ASP.Net MVC 4 application which uses forms authentication by means of a custom membership provider inheriting from the Simple Membership.
Everything is working fine, but now I have a new requirement: I need to integrate a JSP application with mine.
This means that it has to authenticate against the same user database of my application and that they should somehow share the session in order to achieve a kind of Single Sign-On among the two applications (if an user is already authenticated in the ASP.Net application, he should be able to access the JSP application without logging in again, and vice-versa).
What architecture do you suggest me to use?
I would like to change as little as possible the ASP.Net application.
Thanks!
If you need to auhtenticate accross different domains:
You can implement your own security token service (like facebook, google does) Here is some ready to use implementation: http://thinktecture.github.io/Thinktecture.IdentityServer.v2/
If the sites are running on the same domain (subdomain), then you can try to share an authentication cookie within these domains.
An explaining article: http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
Is it possible share authentication between Asp.NET web applications and silverlight business application?
Scenario:
When uses logged in on either SL application or Asp.NET application using same browser, I want them to used active authentication. I have seen OpenId authentication can do such, But wondering can asp.net authentication is also able to do such.
Yes the authentication infrastructure can be shared between ASP.Net and SilverLight. If both the sites are under one domain, we can implement the standard authentication using ASP.Net Membership and role provider.
You can then use the WCF Authentication Service to and authorize user. This authentication is is good only for any server side functionality. If you want to authorize on client side (SilverLight) application you need to build your own infrastructure. Role and Membership provider data available can help you in that.
You can host your SL application in ASP.NET page and when somebody comes on this page do authentication. For instance, you can use FormAuthentication on the site, so when you are navigating from some page to page with Silverlight - access will be hovered by very FormAuthentication. OpenId you can use if ASP.NET app and Silverlight on different sites (domains), but if the Silverlight app is hosted on asp.net page you can also authenticate using asp.net infrastructure on server side.
I have a web site and web service on the same server. The users log into the web site, which calls the web service to perform processing. The web service must ensure that only authenticated users access it. I thought that the easiest way to do this would be to share forms authentication between the two applications, since the user is already logged into the web site, but it does not work. The web service never sees the authenticated user. I tested creating another web site and sharing forms authentication between the two web sites and it worked fine, so I know the problem is specific to the web service.
Is it possible to share forms authentication between a web site and web service?
If not, what would be the best way of accomplishing the same end result, keeping in mind that I only have access to the user's password when they log into the web site.
Here's my situation. I have a DotNetNuke application. I want to link to an existing ASP.net website from within the DNN website, and have decided to use DNN's IFrame for that.
The existing ASP.net application uses Forms Authentication for security - only authorized users can access the pages. This asp.net application also requires user roles for authorization to different pages.
I don't want users to have to sign on twice, and I'd like the asp.net page to use the user membership and role data from the DNN application - it shouldn't require it's own membership database.
Is this possible? According to the MSDN website:
"ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications."
Does this apply to DotNetNuke applications linking to asp.net applications? Both are on the same domain, too.
(I tried modifying the config.web of the asp.net page to work with the DNN config.web, matching machine keys and forms settings - but it didn't work. I could be doing something wrong, but before I pursue, I want to know if it's even possible.)
Thanks for any help!
I don't know if what you're talking about is possible within DNN. We're on DNN 4.0 and they do some weird things with the ASP.NET membership tables which may cause trouble.
What I can tell you is an alternative way (assuming you have control over the ASP.NET application). There is a project called MADAM (Mixed Authentication Disposition ASP.NET Modules - I know a bit of a mouthful) that can be used to provide a method other than forms authentication for application logon.
What you could do is set MADAM up on your ASP.NET application and from DNN pass user credentials to the ASP.NET application. The end result appears to the user as single sign on.
If you need me to elaborate on anything, let me know in the comments.
Actually i am displaying some aspx pages in a iframe module present on a dnn page. Now since inside the iFrame i am displaying aspx pages hosted elsewhere but on same server. I am just want to authenticate the dnn logged-in user before loading the page inside iFrame.
Do dnn provide any API which i can call from apsx pages hosted elsewhere in order to restrict access to ony unauthorized user.