I was thinking about integrating some instant messaging function into an existing ASP.NET web application, e.g:
the web application can display the online-status of users (are they currently logged in with their IM client)
users can send messages from the web application to the IM client of other users
users can initiate a IM chat from the web application (without having to know the other user's IM identification beforehand)
Does anyone know about some existing libraries, sample applications or other resources that might help implementing such a feature?
Thanks a lot for sharing your knowledge.
You should try Jabber. Demo client avaiable here.
There is an architectural overview, the main concept looks like this:
(source: webta.net)
And some citation from the site:
1. Goal
Create an multi-service instant messaging AJAX-based web application with internal accounting.
2. Main problem
We need to connect to IM servers from HTTP client (browser).
HTTP is a stateless protocol. This means that, theoretically, each HTTP request is being proccessed by separate http daemon proccess.
Once request proccessed (data sent to client), server fogets about client.
All IM services protocols are stateful.
When client connects to IM server, socket connection being created and connection much remain open for succesfull communication.
There's a list on the ASP.net site.
http://www.asp.net/Community/Control-gallery/browse.aspx?category=54
You might want to look at the .net implementation of jabber:
http://code.google.com/p/jabber-net/
Related
I am fairly new to web applications. Could someone explain how I can make an asp.net web app that needs to communicate to another application that only understand XML messages and receives messages via TCP/IP protocol? Do I need to create ASP.NET RestFul API to achieve this.
We currently have a node web server that does authentication of users including oauth2 to google and facebook. We would like for it to handle the serving of web pages while a stateless .NET web api handles the serving of the actual data (which is all requested asynchronously). My question is how to handle authentication to the web api?
I mean should the client even authenticate to the api (and if so how do we do the pass through authentication so that it is authenticated to both once authenticating against the web server) or should the web server authenticate the user and then just forward all api requests to the api along with a user id? What is the standard scheme used for this?
Thanks in advance.
This answer is late, but I'll post my thoughts for the heck of it. I would place a dummy api in your node app, just a simple pass-through for everything that is in your data api (the .net one). Then I'd lock down the data api so only your node server can talk to it. The short answer is that any api that you expose to the internet has to be locked down. If you do the above, you don't have to expose your data api to the internet. You get the added benefit of not having to deal with CORS - you can have a simple /api folder hanging off of your domain. You can also use this pass-through api to aggregate calls to multiple business apis if your solution ever grows. It's a very scalable architecture.
If you don't want to do the above, then you'll need to either place the data api on the same domain as the other site, or setup CORS so javascript/AJAX from one can call into the other. Once your data api can see cookies written by the other site, you'll need to authenticate them, probably very manually, in your .net api, since .net didn't write the auth cookie - node did.
Using SignalR, is it possible to update website clients from my WCF service if the service is not used by these clients directly?
I have a desktop application in .NET which has WCF service used internally using net.TCP protocol. This application changes one of the status fields in database table depending on certain user actions. I want to notify this change to end users who are accessing a different website hosted on the same web server.
I have tried one SignalR sample where notification works fine if it is sent from same website's host to its own client (stock ticker sample). But in my case, the message should go from WCF service to a website client.
IMO you should do an intermediate hop, for example having your website exposing an endpoint (you pick the technology) where you can post whenever you have a change to notify. Your WCF service would post there whenever there's a change, and the web app would process the post by broadcasting info to the target clients (can be all, or can be just some you filter with some logic behind the post). I use this pattern quite frequently, implementing it with HTTP POST. You would have no issues to implement the SignalR infrastructure in the web app, which is where your clients already connect to.
How can I send commands to a WinForms application from an ASPX web page? We have already explored executing the WinForms application with different command line parameters but wanted something more smart.
Thanks.
Create a web server within your application that listens for HTTP GET and/or POST commands and acts appropriately. Then use AJAX to send request, i.e., http://localhost/myapp/?command=print&file=teletubies.jpg
Your web server, which is just a program that listens on port 80 and sends responses according to the very simple HTTP protocol, within your application then parses the requested URL and decides that it should print the file teletubies.jpg based on the query string in the URL.
Web pages (whether running asp.net or a competing platform) are always reactive. They receive commands (requests) and respond. They are not proactive, and don't send commands. This is how the core technology on which the internet is built works.
This means is you want an asp.net page to send a message to a client app, the only way to do it is for the client app to frequently poll the page, possibly using System.Net.WebClient.
I don't know of any way this can be done due to security. I know I wouldn't want people to be able to access the running applications on MY machine from their web app.
Scenario
I have an HTML/javascript website that uses javascriptSOAPClient communicate with an ASP.NET 1.1 web service in order to read/write to a SQL database. (http://www.codeproject.com/KB/ajax/JavaScriptSOAPClient.aspx). The database contains anonymous demographic information--no names, no credit cards, no addresses. Essentially the data collected is for data mining purposes.
The site is live, but we want to introduce a more secure communication between the javascript/ajax client and the wbe service for both this and future projects. Working as contractors in the financial industry, at some point we're going to get nailed with the question: is this website hackable? If we don't have a solution we could be out on our ears.
I am already following best practices such as communicating with the database via command parameters and stored procedures). However, currently anyone could browse to our web service description and figure out how to consume our exposed services.
Questions
With my hybrid solution (i.e. not end-to-end Microsoft) how should I go about authenticating client requests on the web service?
If I start passing a username/password or some other identifiable element into the web service as authentication, should I be concerned about how that key is generated/stored on the client side?
A few suggestions to consider:
List the threats, and compare each to your current setup.
Use SSL / HTTPS. This alleviates a whole class of vulnerabilities.
Use username/password, generated on the server side and sent out of band (in the post or by phone) to the user. (Hope this answers question 2).
Use 2-factor authentication. To do this, you can look at security tokens such as RSA's keyfob-type gizmos or look at Steve Gibson's Perfect Paper Passwords
The easiest solution from a programming standpoint is to use two way HTTPS. That is, the server presents a certificate to the client, and the client presents a certificate to the server. Then only clients with proper certs (issued by you) can connect.
That helps reassure clients that your site is not generally accessible, yet the security is transparent to the application and, once they've signed up and received a cert, to them. The downside is that you have admin overhead in issuing and tracking the user certs -- but that's probably less than you'd have dealing with username/password combos.
There are a few simple options:
SSL + Cookie
If the web app is also ASP.NET and hosted along with your web service, then you should have access to the User/Membership/Session of the web app inside your web service (essentially #1, but you get it without doing any work).
If the web app and web service are not on the same domain, then cookies are out due to cross-domain issues - so you can have the web app embed a GUID into a hidden form field, and use that GUID as a sort of cookie (and it will need to be passed as a parameter on all web service requests).
Can you incorporate a certificate authentication mechanism? So that only clients that have keys you can verify can communicate? That's how the product I work with has its managed devices communicate back to the core.