I want to authenticate web service user on first web method call only & use his identity for other web method calls.
How web service maintain the user identity?
ASMX web services only support the types of authentication directly supported by IIS.
Alternatively, you could implement your own authentication using SOAP Headers, but then your authentication code has to be perfect.
You can set up a session using 2.0 or a cookie and than passing the data will be easy.
Let me know.
Related
My web application is running on server(cloud) which is not part of my domain. I want to implement SAML based login to the web application with my domain(Intranet machines).
Is it allowed? If it is, any special configuration needs to be done?
Is it allowed?
yes
If it is, any special configuration needs to be done?
You need to implement/use a SAML Identity Provider.
In general SAML was designed as a Single Sign On technology for web-based applications without the use of cookies. You may only use so called 'front-channel' bindings (like HTTP REDIRECT and HTTP POST) to transmit the SAML messages between the SAML Service Provider and the Identity Provider if the Service Provider can not communicate with the Identity Provider.
I am in the process of building a RESTful web service using ASP.NET Web API, and I am considering using OAuth 1.0 as an authentication mechanism to secure the service. Our API would also be maintaining the credentials store and would therefore be the OAuth provider. Client applications using our API would be used by end users who would have to authenticate using a username and password, so I assume the client app is considered to be an OAuth consumer. The client application would make an API call to retrieve an unauthorized request token, then send along the user's credentials with the token to get an access token.
Ultimately, I could see other 3rd party applications wanting to access our application through my API, and they would use OAuth with the redirection with our application being the credentials provider.
Is this a viable way to use OAuth? Will something like DotNetOpenAuth support this scenario?
We have decided to implement OAuth 2.0, which supports various workflows, one of which includes a Resource Owner Credentials flow that allows the client to pass user credentials to the authorization server in exchange for an access token. This will serve our purposes.
We would like to achieve following very general, day to day scenario in any web app. We would like to secure a call from non-windows client (i.e. non .NET client) to WCF web service. Client is mobile device (iPhone, Android or Blackberry, but should work on all of them) and also assume native app will be a banking (finance) domain app . So security cannot be compromised.
User will be provided a screen to enter username and password.
WCF Service call will authenticate the user credentials ( we would want to know how to secure this WCF service call)
After successful authentication, all the subsequent call does not have to pass username and password.
Each service call should be able validate the credentials or check whether it is a already authenticated user and if it is then load user roles from some store to authorize the call.
As you can understand we are looking for secure session from a now windows client to WCF Services. Looking forward for a solution ( avoiding ASP.NET sessions) to secure every service call and to authorize call.
Please reply back with code, configuration
Thanks and regards,
Milind
That is perhaps day to day scenario in web app but not in the service. Day to day scenario with a service is authentication in each call and avoiding any session as much as possible.
The answer to your security requirement is HTTPS. That will ensure that the communication will not be compromised. The answer to your authentication requirement is Basic authentication (and perhaps custom HTTP module for handling authentication if you host the service in IIS) or UserName token profile for passing credentials in message body (only SOAP services).
User will be able to provide his credentials in your mobile application but your mobile application should use these credentials for every call to the service (in .NET world these credentials are set only once for communication proxy but that is just implementation - they are still send within each call).
WCF supports security session implemented on top of WS-SecureConversation but neither of mobile platform supports it and it is pretty tough specification so you will no try to implement it yourselves (if you do, you can sell it as separate project). Moreover with very poor SOAP support on iPhone you will most probably use REST service where nothing like secure conversation or even session exists.
If you want any session you will have to use ASP.NET Session (= AspNetCompatibility) or you will have to implement your own session management and pass session token in cookie (= generally same mechanism as ASP.NET session) or in message body (= generally what WS-SecureConversation does but it handles all security stuff around this).
I have a C# ASP.NET 3.5 web application which uses forms authentication. Users log in with their username and password on login.aspx, are authenicated using a custom authentication logic and are then directed to input.aspx, where they enter some parameters and get response on output.aspx. If they try to access input.aspx without authenticating themselves, they are redirected to login.aspx.
The same users want to be able to use the functionality of this web application without using the UI, from Unix environment. So I added a web service file (.asmx) to this web application. I didn't create a separate project for this web service because the web service uses code files, code in global.asax of the existing web application and I should not duplicate that code for the web service.
The web service functionality works fine now, though I don't know how to authenticate the users. The web service client will send username and password once (maybe using a 'login' webmethod, which I can write to authenticate them) and then should be able to send multiple requests (maybe until they call a 'logout' webmethod or until their session/cookies expire).
For web requests to not get redirected to login.aspx page, I excluded the .asmx file from Forms authentication using the location tag in web.config. (I don't know if that's the way to go.) But then I am thinking that the user is not then authenticated in the web application and so the web application code that the service uses, won't be accessible, right?
I would recommend a quick read on this link (http://msdn.microsoft.com/en-us/library/ms977327.aspx) and then follow it up with this one (http://msdn.microsoft.com/en-us/library/9z52by6a(VS.80).aspx). A custom security header is probably where you want to go to secure your web service outside of forms authentication. It does mean that each method call needs to have the header supplied though.
This is for an ASP.NET MVC application. For browser based access on my normal controllers, I'm using standard forms authentication and auth cookies.
My question is how I do the same for an iPhone application. I have a set of RESTful controllers that the iPhone application uses directly, but I'm not sure how to go about authentication...
I was thinking of having a special Login method that returns the auth cookie. Then I can use the standard Authentication attribute on the ASP.NET MVC side, but I'm not sure how to handle this on the iPhone side? Can I store this cookie and have it automatically sent with every request?
Perhaps there's a better approach altogether?
If it is RESTful you can use an NSURLConnection and send your server the appropriate HTTP headers the API requires.
http://developer.apple.com/mac/library/DOCUMENTATION/Cocoa/Conceptual/URLLoadingSystem/Tasks/UsingNSURLConnection.html