There are a number of questions on StackOverflow that ALMOST hit this topic head on, but they are either for other technologies, reference obsolete information or don't supply an answer that I can suss out. So pardon the almost duplication :)
I have a working ADO.NET Data Service, and a WPF client that hits it. Now that they are working fine I want to add authentication / security to the system. My understanding of the steps so far is...
Turn on forms authentication and configure it on the server (I have an existing asp.net membership service DB for other aspects of this app, so that isn't a problem) so that it is required for the service URL
In WCF apply for and receive a forms authentication "ticket" as part of a login routine
Add that "ticket" to the headers of the ADO.NET service calls in WPF
Profit!
All well and good - but does anyone have a line on a soup to nuts code sample, using the modern releases of these technologies?
Thanks!
I have an example of doing this from Silverlight on my blog.
Check it out here : Forms Authentication and ADO.NET Data Services
You should be able to adapt this to a WPF application with minor code changes.
I have built a small web application with asp.net core 2.0 MVC. In this web application, I did not implement any authentication methods so far.
Right now I have an MSSQL database running in the background and I can add/view/edit/delete users from the database.
I adapted this tutorial and followed it pretty closely. However I also added some functionality like localization and stuff, and everything is running pretty smoothly.
My next goal is to enable authentication and authorization. The authentication part shall be straightforward. The goal is that the application will be running as an intranet solution. This means the authentication method just shall check if the Windows User is existing in the previously mentioned database. I don't want to create a separate login. However, it might be that there is a Windows user in the active directory, which is not part of the database. This User should just be able to see a default error page.
I made quite a huge research and I also tried a lot of different stuff, however, I do absolutely not find any "database first" tutorial for this part or any other documentation which explains what to do.
I actually "just" want to teach the asp.net core 2.0 identity framework that it shall look into my user-table and check if the current windows user is existent and if not to forward him to the error page.
A second step would be to load all the roles which this user is assigned to from the mapping table.
Any kind of help would be highly appreciated.
Docs Microsoft has a lot of posts regarding authentication for ASP.NET Core. Here are some of the links to get you started:
ASP.NET Core Authentication
ASP.NET Core Authentication Identity
and a lot more.
I want to send simple data (geolocation data to be precise) from Windows Phone 7 application to a windows forms application and use it, as I'm a total beginner in this field I don't know which tools to use.
I searched about wcf services and tested this method but there's some issues: the data is sent from the phone application but isn't sent to the winforms application (guess something is missing)
If you know how to do this in a quick way, or have good tutorials I'll be thankful.
EDIT
I found this tutorial, it shows how to connect a wp7 application and a desktop application directly, using neither sockets nor a wcf service. I'm wondering if it really works if the application isn't on localhost.
The link for the tutorial: wp7 tutorial
I had a similar problem and so I created a REST/JSON WCF service hosted in IIS with AppHarbor to provide the data. There's hundreds of ways to do it (Ruby/Heroku, etc..), but that particular one fits well within the Microsoft stack. I also needed to share route data and I used the WCF service to wrap the BingMaps services so that route computations are cached and shared. Considering that I had already created a local model, moving it out of my phone project into a service took less than a few hours (including the usual config hiccups, and forgetting to add the appharbor user to my bitbucket repo).
Consuming the service from WinForms (or any client) shouldn't be an issue as the service knows nothing about the client implementation.
Here's a tutorial from code project. REST WCF Service with JSON
I think you would need to implement some sort of server side solution which you could upload to on your Windows Phone and download from on your Windows Form application. This could be achieved using a WCF service which was connected to a server side database.
Another option would be to use sockets and communicate directly with your WinForms application. Check this tutorial on how to use basic sockets on WP7.
I'm consuming a lot of WCF Services from a Silverlight application in a totally disconnected-way.
I want to ensure that I know the user who is calling every service and I don't know if there is a "standard way".
I've thought of a Login method to get a Token and then pass the username and its token in every call to ensure he/she is logged and has permissions to execute it.
Is there any "almost-done" way with ASP.NET authorization in my own SQL Server? Or I can only use its tables but I'll have to do it "manually"???
Thanks in advance!!!
It sounds like using ASP.NET Membership might be a good fit for you. There are two approaches you can use with this. The first is to use the default membership tables as generated by aspnet_regiis. This option has the advantage of being basically done for you. In this case, all you'd need to do is run the aspnet_regiis tool, then add the necessary portions to the Web.config for your WCF service as described here. Then, when calling the service you need to set credentials for your binding as described here - specifically the portion about setting ClientCredential for your binding when consuming the service.
The other option is to write your own custom membership provider as described here. This allows you to do whatever you want behind the scenes in terms of storing and managing your users, rather than using the pre-built ASP.NET mechanisms. This is a good approach if you're mating with an existing user base or want to have more control over how things are implemented.
Also, keep in mind that ASP.NET Membership isn't your only option for securing your WCF service. Spend some time reading up on your options, which include:
Windows Authentication and Windows Authorization via transport level security on basicHttpBinding
Windows Authentication and Windows Authorization via message level security on wsHttpBinding
UsernamePasswordToken Authentication with ASP.NET Membership and ASP.NET Role Authorization via message level security on wsHttpBinding
UsernamePasswordToken Authentication with custom validator via message level security on wsHttpBinding
Authorization using a custom Authorization Policy
Impersonation using Windows credentials
That list comes from this blog post, which is a good place for you to start exploring your options. Reading up on them will give you the opportunity to learn the strengths, weaknesses, and features of each so that you can choose the one that best suits your purposes. You can also begin with the MSDN articles on WCF security here.
In summary, yes there is an "almost-done" way to do it with ASP.NET Membership, and it shouldn't be too hard to implement, but take some time to explore your other options as well before just diving in with one, because they all have trade-offs and you don't want to have to re-implement it in the future if you decide the approach you chose is a bad fit.
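The "UsernamePasswordToken Authentication with ASP.NET Membership and ASP.NET Role Authorization" option from the list above, set up in code rather than in Web.config, as an added example that is not part of the original answer. The contract, class and role names and the `certSubject` parameter are hypothetical, and the membership and role providers are assumed to be configured in the application's config file.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Web.Security;

[ServiceContract]
public interface IOrderService            // hypothetical contract
{
    [OperationContract]
    string GetOrders();
}

public class OrderService : IOrderService
{
    // Role membership comes from the ASP.NET role provider; "Sales" is a made-up role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Sales")]
    public string GetOrders()
    {
        // The name comes from the validated credential, never from a method parameter.
        return "orders for " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

public static class HostSetup
{
    public static ServiceHost Create(Uri baseAddress, string certSubject)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(OrderService), baseAddress);
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");

        // Passwords are checked against the configured membership provider.
        var user = host.Credentials.UserNameAuthentication;
        user.UserNamePasswordValidationMode = UserNamePasswordValidationMode.MembershipProvider;
        user.MembershipProvider = Membership.Provider;
        // Message security with user-name credentials needs a service certificate.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, certSubject);
        // Thread.CurrentPrincipal is populated with roles from the role provider.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.RoleProvider = Roles.Provider;
        return host;
    }
}
```

On the client, set `ClientCredentials.UserName.UserName` and `ClientCredentials.UserName.Password` on the proxy or channel factory before the first call.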
One way to do this, if you can impersonate all users: for that you need to add the following in your service behaviour
<serviceAuthorization impersonateCallerForAllOperations="true" />
more details here http://msdn.microsoft.com/en-us/library/ms731090.aspx
and if you want to know the user then inside your service methods you can use
System.Threading.Thread.CurrentPrincipal.Identity.Name
to find the user name who is using your services
Edit:
You can use membership api details here
http://msdn.microsoft.com/en-us/library/ms731049.aspx
http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx
http://social.msdn.microsoft.com/forums/en-US/asmxandxml/thread/8a679fb2-e67e-44a9-b491-eb95d5144068
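The service side of the impersonation setting above, as an added example that is not part of the original answer; the contract and class names (`IReportService`, `ReportService`, `WhoAmI`) are hypothetical. It shows the attribute each operation needs once `impersonateCallerForAllOperations` is on, and checks that the caller is authenticated before using the name.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

[ServiceContract]
public interface IReportService            // hypothetical contract name
{
    [OperationContract]
    string WhoAmI();
}

public class ReportService : IReportService
{
    // With impersonateCallerForAllOperations="true" every operation must be
    // Allowed or Required; the default (NotAllowed) makes host validation fail.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");

        // Identity WCF authenticated for this message.
        string authenticated = ctx.PrimaryIdentity.Name;
        // Windows account the method body is executing as while impersonating.
        string runningAs = WindowsIdentity.GetCurrent().Name;
        // The value the answer reads; populated according to principalPermissionMode.
        string principal = Thread.CurrentPrincipal.Identity.Name;

        // Everything below (file, database, network access) runs with the
        // caller's rights, so a mismatch here means impersonation is not active.
        if (!string.Equals(authenticated, runningAs, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Impersonation is not in effect.");

        return principal;
    }
}
```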
Currently I am working on a LOB Silverlight application. Eventually, I need to implement a single sign-on for the new app and an old Classic ASP web app. Right now, the Silverlight App is secured using Forms Authentication through a custom Membership Provider.
Reading online, I've come to think that Passive Federated Security is what I need. But, I am struggling with following questions:
1) What is a relatively painless way to set up STS? I don't really want to spend a lot of time setting this up. I've taken a look at WIF - it seems to require some platform changes so that really is not an ideal solution [Even though it seems relatively easy to set up]
2) How do I integrate Classic ASP app to use the STS? - Currently it is validating against a custom userStore and putting the authentication/authorization info in the session.
3) Eventually, users will be accessing both apps through a third-party portal that authenticates them outside of our organization. So, somehow the portal would need to be able to issue Security Tokens [SAML??] that the STS will understand.
I am currently focusing on 1 and 2. If anyone has even a slightest insight into this, that would be greatly appreciated.
Thanks,
Ravi
The latest Identity Training Kit contains a full lab that demonstrates SL + claims identity.
I have a Silverlight application that needs to retrieve some data from my database. This data is sensitive. Because of this, I only want my Silverlight application to be able to access the data. How do I ensure that only my applications can access the services that expose this data? Is there a way that I can validate a client attempting to retrieve the data?
Thank you!
These might be of interest:
Using ASP.NET Secure Services and Applications Services
Build Line-Of-Business Enterprise Apps With Silverlight, Part 2
MS Whitepaper: Security Guidance for Writing and Deploying Silverlight Applications
Well, everything your SL application does could be spoofed. So the direct answer is NO, you cannot ensure that only your application will access the data.
But there are a number of options. For example you can implement authorization and then authenticate your user. In this way you can ensure that only users you trust access the data.
Another option is to make spoofing harder. For example you can include a sort of "secret" token in all your requests. So another application will need to steal this token. This is harder to achieve.
I think this question pertains more to implementing a web service or wcf service with authentication and authorization. If your service takes care of it, then you can be assured about your data. Your Silverlight app is just calling the service.
Whoever downloads the xap can decompress and reverse engineer your code, so your best bet is to build a web service as others suggested. Silverlight Ria ships with a full blown authentication membership that you can leverage.