ASP.NET Membership in a custom non-ASP.NET application - asp.net

I am in the process of building an application where clients (WPF) will be calling a web service to send data.
These clients will have different roles: Employees, Managers, etc. and each client needs to send their username/password when calling the web service for authentication.
Can I use the ASP.NET membership provider for authentication/authorization in a class library that is wrapped by web services?
Or this API should be used "only" in Asp.NET applications?
what other options do I have?

I have written command line tools to do maintenance on ASP.NET membership databases without any problem, so at a basic level there's no problem with non-ASP.NET applications calling into the ASP.NET membership methods.
Since you'd be doing without the ASP.NET controls that automate most of the membership handling, you'd have to write your own code to check passwords and roles. The following methods will probably help do this:
SqlMembershipProvider.FindUsersByName
SqlMembershipProvider.GetPassword (for this to work you must configure the membership provider to store encrypted passwords instead of hashed password)
SqlRoleProvider.IsUserInRole
So I think it's possible to make it all work. BUT there's no promise that at some point there won't be an awkward obstacle that will stop this working outside of ASP.NET, so prototype it first before committing a big project!

Related

ASP.NET and WCF Authentication Options

What are the authentication options for having a ASP.NET web application communicating with a WCF service?
The scenario:
User enters their username and password in an ASP.NET form.
ASP.NET needs to pass this to WCF to authenticate the user.
If authenticated, the user can perform actions on the website. Each action would require sending data to different WCF operations. WCF needs to know who the user is on each call.
The easiest solution would be to store the username/password in the ASP.NET session state. However, this is insecure because the password is stored in memory on the server.
I would rather not use a certificate to authenticate the ASP.NET "client" to the service because there's a possibility that this WCF could be consumed by another client in addition to ASP.NET.
The best suggestion I've seen so far is to use Windows Identity Foundation (WIF). It appears that this requires an STS. According to MSDN, Microsoft does not seem to recommend setting up an STS through Visual Studio. There's no guarantee that an STS would be available in the deployment environment as some environments may use Active Directory and other environments may have a custom user store. Is it possible to setup a custom STS to authenticate against a custom user store? I'm having trouble finding documentation on doing this.
Are there any other options besides using WIF? What about a custom WCF authentication service that returns a token that can be used for authenticating against a primary WCF service?
The standard way of doing this is by using WIF with Microsoft's STS viz. Active Directory Federation Services v2.0 (ADFS).
There are a number of custom STS available e.g. Identity Server. This use a SQL DB as an attribute store. It's open source so could be adapted to whatever you require.
You can create your own custom attribute store: AD FS 2.0 Attribute Store Overview.
TechNet WIF / WCF: WIF and WCF.

sharing Data between several websites

If i had two different application running under the same solution but using different Databases can i share User credentials between those applications ?? any solution other Than The SSO and the Machine key in the web.config where the authentication is based on the default Asp.net Database ( i guess it's called the membership database )
if their is a solution could You please help
Are it two seperate IIS websites? And what are the real requirements you have? Just share some variables or move data from one application to another?
I'd think you'd probably better look into creating a service layer to receive and send information between sites. This way you can eventually seperate the two applications on different web front ends without problems.
This service layer can be implemented using different techniques like XML Web Services, WCF, or maybe you could look at the new ASP.NET Web API http://www.asp.net/web-api
edit:
Ok clear from the comments I got some more info:
Imho you could do two things: schedule a synchronisation using some mechanism (could be xml export / import) every day or so. But if you'd want realtime SSO, you could simply create a service on the webserver connected to the authentication database where the only functionality is to authenticate users. Something like a: bool validatecredentials(string username, string passwordHash). If you're not talking about thousands of authentication requests this will perform quite good using standard WCF or some other service technology. If you are talking about larger systems or implementations you should look at Claims based authentication, .NET has a technique called WIF to implement that. It works using a seperate STS (Security Token Service) to issue tokens with claims who a user is and what he is allowed to do, etc.

How authenticate web methods in a web service?

I'm using Asp.net c# language programming.
What is the best way for authenticating web methods in a web service?
Is it right having authentication for every web method and verify user name and password for each web method?
Is there a way to authenticate just once not for every web method? something like using sessions and etc?
You might want to look into this one:
http://weblogs.asp.net/cibrax/archive/2006/03/14/implementing-a-secure-token-service-with-wcf.aspx
Edit
If you are bound to only use asmx for some reason, then I would also suggest looking into WSE from MSFT.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=018A09FD-3A74-43C5-8EC1-8D789091255D
You can pass around a token from your client into the web method. The token is encrypted with public/private keys.
For more info here:
http://msdn.microsoft.com/en-us/library/ms996931.aspx
First of all, you should be using WCF for web service development unless you're stuck at .NET 2.0.
Secondly, you can use Windows authentication or Basic authentication over https, but those restrict you to users who are Windows users. If you have a separate set of users, then you will need to do your own authentication.
You can use SOAP Headers so that you don't need a username and password in every web method.

session sharing between silverlight and asp.net

I have a silverlight application that uses wcf service. This application is shown from a link in an existing project of asp.net web application type. There is a userid session found in the project that i want to transfer it to the silverlight application. I thought of query string but its not a secure thing to do it. so is there a way to transfer the asp session object to the wcf application which the silverlight application communicate with?
You could write a web service that you could use in Silverlight and with which you could get and set single values from and to the current session.
If you want to transfer the whole session to Silverlight, this is of course also possible by a query parameter or the like.
Concerning security, it depends on your scenario. There is no way around that, you do have to send the data over the wire to the client in some way. You can encrypt it, but the Silverlight client will have to know how to decrypt it. Silverlight client code can of course always be inspected in reflector by anyone who has access to the application.
What you can do is set everything up to use SSL for communication, it might be sufficient for your scenario if you never send more information to a client than a client is allowed to know.
If you can run WCF services in ASP.Net compatibility mode then you would be able to share all of the ASP.Net Runtime Objects such as Session, Cache etc.

Need recommendations and help with ASP.NET + WCF + Security

i'd like to recieve comments on the way i'm trying to build an asp.net web application which uses a WCF service that is hosted in another asp.net application. Both applications will live on the same machine, but the app with the WCF service will not be accessible from the outside. there will be two web servers sharing the load behind a load balancer.
The app pool of both applications will use the same local user account (web server is not part of a domain) and so i was thinking to use WsHttpBinding with windows security for communication between client and internal wcf service.
The fron-end asp.net app uses forms authentication through a custom membership/role provider to athenticate and authorize users. The user database is in a sql server database.
i need to somehow pass to the wcf service the user details (username + roles) so that in the wcf it will be possible to validate and authorize according to the roles of who is logged in the front-end. I read i need to use "support tokens", but i haven't figured out how to use this.
I read also something about claims and WIF, which seems interesting but have no idea how i could use these in my scenario.
is there anyone who can give me recommendations about the architecture and maybe also show me how to pass the username to the wcf service and also show me if possible to use claims based authorization?
First of all, if both servers are behind the corporate firewall on a corporate LAN, I would strongly suggest using netTcpBinding instead of any http based binding. NetTcpBinding is much faster due to encoding the message in a binary format.
As for username / password: your ASP.NET front-end server could set the client credentials for the user calling for the WCF service - after all, the ASP.NET servers do have access to the ASP.NET membership database, don't they?
Or if you cannot pass on the user's credentials, you could pass on some headers to your WCF service that would describe the user - actually, you probably only ever need the user's unique ID - since the WCF service could fish out the rest of the info from the ASP.NET user database again, if really needed.
As for claims - I don't think they'd be a good idea here - you don't really have to deal with a multitude of different authorization schemes, and you're not using any federation (e.g. allowing users from a different company or domain to use your services) - so those obvious benefits probably won't really be applicable to your case.

Resources