I am trying to return the Client UserName back into Silverlight by using HttpContext.Current.User.Identity.Name in the .aspx page that starts the application.
I have this hooked up to InitParams working fine passing it into silverlight with the ASP.Net Development Server but when I change to an IIS Web site it returns an empty string.
All of our users will be on the same IP subnet with different domains. This is a intranet app. I need to know who they are, preferably without authenticating, in order to load the proper interface. I do not have any Windows or Forms authentication established in the app yet.
....is it possible?
Without authentication on the server-side, I believe this is not possible. You'll have to have the ASP.NET page authenticate in order for it to write the client's username into that init param.
The test web server's process is running as the local developer, it probably appears to be working since both the client and server are running as the same user.
Suggestion:
Enable Windows authentication in IIS for that application folder that hoses the ASP.Net page. Disable anonymous. This should (in theory) be fine for the intranet. At this point I think you should be able to get Authenticated user from HTTP context. We use Thread.CurrentPrincipal.Identity.Name since we're doing this in a WCF web service.
Not all browsers support Windows authentication. IE and Chrome seem to work the best. Firefox requires you to enable this per-site (look up the "trusted-uris" settings, note that Negotiate and NTLM are separate settings). Safari and Opera as well as non-windows clients, I'm not sure any more.
To get more consistent support across browsers look into the "alternative" client HTTP in Silverlight. However, I guess this wouldn't work with setting init params in the asp page. If you could make an additional request to another ASP page (or a web service) to get the user after loading you could choose to use this other http stack. I found it supports authentication itself, regardless of the browser.
Related
I am using tomcat server and angularJS to build a site that uses an API to bring data from the server by using an HTTP requests. when running on local machine tomcat is on ,i can see the full functionality of the site but when i'm connecting to my localhost from my phone (through WiFi) the site i see is not really functioning ,as if the HTTP requests can't be sent. is there a way to make the site work fully when viewed from my phone ?
note: my site basically uses the API to send a GET request and update a table on screen with the data, and POST/DELETE requests to update,delete,create data and of course dynamically update the table.
i'm working with Windows 7 if it matters.
another note: i used this answer to be able to connect with my phone. maybe i should use another way ?
Thanks
Sivan
why not use https://ngrok.com/ to tunnel your localhost to an private url.
(this is just for mobile testing right?)
The Application
In short, the application surfaces data from a backend onto a web page. The client application is a Single Page Application made using AngularJS. It calls an ASP.NET Web API service located on a different domain to retrieve the data. I utilize BreezeJS on both the client application and the web service to manage this data. The client is hosted on a SharePoint Online site, and the service is hosted on IIS7.
The Error
I encounter an "Access is Denied" error when AngularJS attempts to make an XMLHttpRequest.open() call targeting this web service. However, though this seems like a simple CORS issue, it has some peculiarities which have me stumped:
Foremost, this error only occurs when using Internet Explorer 11 (or a previous version). When the application is viewed in Chrome or Firefox, it can connect and retrieve data from the service.
The web service is configured to accept the calling origin.
No network traffic is detected either by the native IE development tools or by Fiddler.
Specifically, the line: xhr.open(method, url, true); of the angular.js file throws this error.
Does anyone have any insight as to why this error occurs?
Also, if more specific details are needed I certainly can provide them. I'm not even sure where the issue might be coming from and I don't want to dump tons of irrelevant lines of code.
I think that this is due to using "localHost", i.e when attempting to access a resource in the "Local intranet" zone from an origin in the "Internet" zone.
See: Access denied in IE 10 and 11 when ajax target is localhost
This is not just a localhost issue as previously suggested. I have a production AngularJS application that is trying to POST to a public Web API 2 on a different domain. IE11, Chrome, and Firefox work without a hitch when the site is accessed externally. When accessing from a subnet that can talk directly to those servers, I get Access Denied and IE doesn't even send the request (Chrome and Firefox work flawlessly, of course. One workaround (I refuse to call this a fix) is to add the site as a Trusted Site in IE11. Even when the security settings for Internet mirror the settings for Trusted Site, I get access denied. I have to add the site on each internal IE system to gain access.
We have a requirement to open a web site URL in default browser of the client machine from our WPF application. All this time we were using simple Process.Start(URL) and it was working fine. Until now where one of customer has this "URL" behind basic authentication. The site they want us to browse using URL is hosted on Apache web server. From what I know, if we have https://username:password#domain.com it directly takes us in site without the username/password challenge and it works fine in Chrome and Firefox, however newer version on IE stopped supporting it for security reasons.
Can someone suggest some alternate approach to achieve same considering following objectives ?
List item
Browse to URL with passing in username password.
Open default browser in client's desktop machine.
Don't want to user browser control
At minimum should work in 3 browsers - IE, Firefox and Chrome
We cannot make changes to client desktop's machine, so solution shouldn't require any special settings.
The workaround for developers from the Microsoft Support site : http://support.microsoft.com/kb/834489
Workarounds for application and Web site developers
URLs that are opened by objects that call WinInet or Urlmon functions
For objects that use an HTTP or an HTTPS URL that includes user
information when they call a WinInet or Urlmon function such as
InternetOpenURL, rewrite the object to use one of the following
methods to send user information to the Web site: Use the
InternetSetOption function and include the following option flags:
INTERNET_OPTION_USERNAME INTERNET_OPTION_PASSWORD Note For these
flags, the InternetSetOption option must have a handle returned by the
InternetConnect function. Therefore, if the application uses the
InternetOpenUrl function, modify the application to use the
InternetConnect, HttpOpenRequest and HttpSendRequest WinInet
functions. For more information about how to use these functions,
visit the following Microsoft Web sites:
http://msdn2.microsoft.com/en-us/library/Aa384363
http://msdn2.microsoft.com/en-us/library/Aa384233
http://msdn2.microsoft.com/en-us/library/aa384247.aspx Use the
IAuthenticate Interface. For more information about how to use the
IAuthenticate Interface, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms775080.aspx
Was this option tried ?
I have a hybrid website, a mix of aspx and XBAPP resources, which is hosted on IIS6.0 on top of Windows 2003 server. We have a Sun IDM server for single-sign-on as there are multiple applications and a proxy, which rewrites the url. The website is hosted on a separate server and the IDM server on different machine. This is especially done to hide the actual resources being called from the IDM server. Every url hit goes to the IDM server and rewrites to the required resource server. Now the problem is when I call the website hosted server's url directly it works perfectly fine and XBAPP loads and run exactly as required but crashes when called through the IDM server. What I observed on Fiddler is that the moment the URL is called by the PresentationHost, there is a new session on the server and causes an authentication failure.
Look if you are redirecting to any self generated url. You should use a relative path everywhere to maintain the session. The proxy server might be impersonating the requests and the url. In such a case, a request to your absolute path might violate the impersonation and hence the loss of session.
We have a Silverlight app which we wrote which calls a Silverlight-enabled data service. The Silverlight app cannot require a login, as it is required to present data to the unauthenticated public.
We have some schmoe who took the time to examine our Silverlight app, one way or another figure out what service it is calling, and then wrote his own client to slurp off the data so he can post it on his site and pretend like it is his. We need to prevent this.
How can i limit my data service somehow to ONLY accept requests from my silverlight app? I tried using the allow-from domain uri setting in the clientaccesspolicy.xml file to limit access to the service only from the domain in which the silverlight app sits (say mydomain.com). This did absolutely nothing though, and the service is still serving up requests to clients from outside the domain. (I tested this by putting my SL app on a different domain under our control).
What is the proper/best/most effective way to limit the data service so only our app can use it? Thanks!!!
I'm using SL 3 and .NET 3.5.
The clientaccesspolicy.xml tells the Silverlight application which Webservice it can consume. Not preventing people accessing the Webservice.
You can try using a authentication login even though its not required. This prevents 'schmoes' accessing your webservice.
Also use Dotfuscator to prevent 'schoes' to disassemble your Silverlight application and acquire the login.
Silverlight webservice security follows the same patterns you'd use for ASP.NET security, especially services exposed to AJAX. The best way to do make use of ASP.NET's authentication.
RIA Services is an even better way to handle this. It rides on top of the ASP.NET authorization, but validates on both the client and server-side automatically to combat service spoofing. It let you take care of both client and server-side authorization by adding attributes to your methods indicating that the method requires authorized access, and by which groups or users if you need to be specific.
In addition to wire-side security and obfuscation, remember that clients can attach a debugger to Silverlight applications running in their browser. See this example from MSDN Magazine's Security IQ Test, November 2008.