I was assigned with a mission to upgrade a legacy WCF and angular project written long time ago by a freelancer and add authentication and authorization to it.
I am quite new to the project and I was quite horrified when I saw the code.
Unfortunately, I can't share code, but I can tell you that:
Client-side is an SPA angularjs application.
Project is quite small.
There is no ORM - Only SQL (Stored procedure) queries.
The database is SQL Server.
The database Users, Roles etc.. schema was decided by the freelancer and was not built by any tool (like Microsoft Membership)
and without any regard to any conventional user table schemas. User table has a username, email, password, and a lot of other application data columns.
Most of the database table columns are encrypted/decrypted by the server before writing or read to/from the database. He wrote an encryption service.
Password was encrypted with a symmetric encryption (and only once).
Data being sent to the server is encrypted by the client and decrypted by the server and vis verse. The server always receives and return
strings (I guess he didn't trust HTTPS).
There are 2 encryptions - one between client and server and the other one between server and database.
The server always returns status 200, even when there is a failure. The return type must always be an object of type {success, resultObj} - this is what the client expected.
This system works on production with live users so changing schema will force schema change in production as well.
WCF server only serves site requests for now but might be needed to serve other application as well in the near future
Fortunately, the business logic is well organized in services and there is no code in the WCF controllers except calling services functions.
There is a separate project for the WCF service and another one for the angularjs application
There is no authorization or authentication at all!!! Login doesn't do anything (no cookie, no session, no token- no nothing).
Requirements:
I need to implement a bear minimum of authentication and authorization.
I need to update the server technology as much as we can to help us build new features on top of it in the near future.
Time is at the essence
I know it a lot to process and I am willing to share all data necessary (except code).
I read a lot about Asp.Net Identity and Identity Server and Web API Security and MVC Security but I really don't know which way to go.
Questions:
I am thinking of killing the WCF Service project and opening a new project where I will move all my business logic too.
I'm not sure If I need to create an MVC or Web API application. My client is angularjs spa application. If I don't need razor views should I use Web API?
Can I implement Identity Server on a database with a custom-made schema without entity framework? Is it recommended?
I understood that Identity Server is not used to authenticate and authorize the request, if so, what should I use on top of it?
If you have any thoughts, specific articles or any guiding questions, I will really really appreciate some help.
Related
I am working on creating a website for my web systems class in which I will be implementing a login platform. The website after becoming authenticated the user will be able to send messages to other users, I will be implementing SignalR to perform the real-time messaging.
I want to create a system that within AngularJS I can call a C# backend provide a username and password and authenticate. I would also at the same time like to use SignalR's role based authentication to ensure my methods are secure.
Example:
[Authorize(Roles = "Admin")]
public class AdminAuthHub : Hub
{
}
Currently I've written my own code to accept a username and password and hash it and store the hash value. However, I don't want to reinvent the wheel here. I want to use a Microsoft based authentication system because I am working within a C# backend and SignalR technology.
I am currently hosting using Microsoft Azure and that works and all but I am eventually going to be switching to a locally hosted Windows Server I maintain. I have heard about using Active Directory but have never worked with it and would have to do extensive setup to get a fresh server ready for that.
My overall question is what path do I go? Also if I go the strictly Microsoft everything way, is setting up active directory simple on Windows Server 2016? During my research I found that there is a ASP.NET method of authenticating a user against a SQL Server database. Would this method be preferable because the system can be used outside of ASP.NET and the data is in a form that I've worked with before?
Do I write my own custom authenticate logic, accepting username and password and hashing and using my own tables and databases. Then within the SignalR side of things find a way of setting the user variable and setting their role from my database. Then simply performing a check at the beginning of each method call.
There is a lot of information on the internet about how to potentially approach some of those questions.
A quick google for "Angualr / Asp.net identity / signalr" returns a few resources that you may suite your needs, maybe not solely, but you should be able to combine some of the approaches.
Here a few links for you :
SignalR Authorization using Web API Token
https://logcorner.com/angular-js-token-based-authentication-using-asp-net-identity-and-asp-net-web-api/
https://www.codeproject.com/Articles/884647/Web-app-using-Web-API-SignalR-and-AngularJS
I would like to add a password protected page to my WPF modernUI application and could use some help with it.
First of all I don't really have a clue how to handle this stuff correctly in my case.
My application is used on several machines. The protected page should be some kind of admin-page to edit a database that is used by the app.
My idea is, that there is only one Admin-account. But this account can be used from any machine. The admin should be able to change his password. So there must be some kind of encrypted password file on the server which can be accessed from any machine. I don't want to store the password within the application, as this would mean that the admin has to change his password on every machine.
So my question is: What is the best/safest solution for my idea? I'm just looking for hints as I don't have a clue what to search for.
The best Practise nowadays for distributed client applications who share a Database is indeed not to have direct access to the Database.
What you need is a WebService. A web service can be anything. It just has to be hosted somewhere. It can be an ASP.NET application, a WCF Service, or even something not .NET related like a PHP or Java application.
The communication between your application and your WebService depends on what you decide to use. Today a lot of people are using so called REST APIs which use either XML or JSON as data transfer format and use the HTTP protocol.
Its not hard to implement such an API since there are ton of Libs and Solutions out there.
You could use RestSharp for the communication at your client side. Which is straight forward and simple. You could also consume a WCF Service. Which is hosted in IIS somewhere.
However your Problem is nothing special and there are several solutions available. The decision is on your side since it depends on a lot of things such budget, available infrastructe etc.
Your question is quite broad but as far as WPF is concerned you could implement custom authentication and authorization in your application by creating classes that derive from the IIdentity and IPrincipal interfaces and overriding the application thread’s default identity. Please refer to the following blog post for more information an an example.
Custom authorization in WPF: https://blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf/
The actual credentials should be stored on some remote server that may be accessed through a web service, WCF service or some other kind of API. The details of how to actually get the credentails would be implemented in the AuthenticationService class in the sample code from the above link.
I have a website, but some of the back-end infrastructure is little slow.
So I am planning to get help from CLOUD, I haven't decided which one yet.
I need to know does Microsoft Cloud does the same thing.
What I need is following,
1) Have database on external web resource.
2) Have code and http enabled methods that I will write in C# and place it on Cloud.
3) And call the methods in step 3 from my asp.net MVC wesite's codebehind and client side(javascript).
I need to know if I get support from Microsoft Cloud platform, will I get the solution required in above 3 mentioned points?
And if I get support from Microsoft Cloud, then the coding syntax for SQL, will be same as if I run queries against normal SQL Server database
Thanks,
If I am understanding you correctly in that you are looking to have a cloud hosted SQL database and HTTP access to this database through custom C# code, then yes to all three of these.
You can set up your database as an Azure SQL database and create an ASP.NET WebAPI application to open up your database to HTTP calls as you see fit. Then you can use the REST client of your choice to access your database from your MVC controllers or through Javascript in your views.
Also, yes, SQL syntax for Azure SQL is the same as for regular SQL Server.
I am investigating how IdentityServer 3 works and I still have problem to fully understand.
In general concept is clear to me but still I am not sure how to implement this on real project.
This is basic example that I am trying to implement in my case: link
I have web api project and I want to call my api methods from any client (mvc, wpf, phone…)
So I need implementation that is suitable for all clients.
If I understand well (and probably I am not understand completely), I should have 3 projects:
Client
Api
Project that host IdentityServer
And all projects should have required stuff like on picture:
Steps on picture:
Get token
Return token
Call api
Check if Token is OK
If Token is fine than return data else show error
My questions are:
Is my thinking about how this works ok?
Where I making mistakes?
Is this example good enough for my case? Am I missing something
important?
Do I have to create project that host IdentityServer, or this is
needed just for example code ?
Does IdentityServer host project must be console application that
communicate with api and client(like in example), or in real world
this is done differently ?
Should project that host identity server be aware of Clients and
Users ?
Should some other project except host identity server project be aware of Clients and Users ?
What is diference between implicit and hybrid flow, what I need in my case and why?
How do I create my own login view? I want have html page for login if I use web client, but to have wpf login view if I use wpf, also different view for mobile client.
EDIT:
I think that I need Resource Owner flow . I supose that resource i view where user type user name and password.
Your basic flow is correct, with Identity Server acting as your authorization server and your client and web API separate.
You should host Identity Server in its own project to ensure it is separate from any other logic which has the potential to introduce security concerns. How you host it is up to you and your use case. Typically you would see it hosted within an ASP.NET project on an IIS Server.
Identity Server must be aware of clients and users in order to authenticate them. The only other projects that should be aware of your identity store (users) is any applications that concern things like admin, user registration, etc. The client store would only ever be used by Identity Server.
Views can be modified using the Identity Server templates or by introducing your own ViewService. See the docs for more info: https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html
Regarding flows, the Resource Owner flow is OAuth only, so there will be no authentication (log in page), only authorization (server to server).
I am currently developing a WPF client application which uses Linq-to-SQL for the typed table objects and to wrap around an abundance of CRUD stored procedures in a MS SQL database on an external server. I do not foresee manipulating data directly via the context, only the stored procedures.
My two biggest concerns are:
1) Database security
2) Flexible architecture
As far as I can tell, since the application will be readily available for download via the internet, storing database connection information in the application itself is not an option (for security reasons). I feel my only option is putting my DAL in a web service.
User credentials can be passed along on a per-operation basis and database connection information will be stored safely on a secure web server.
I am curious as to whether this is method is valid, and if so is it optimal? Can I easily serialize Linq-to-SQL objects (table and stored procedure results) to send back and forth between the client and the web service?
Thank you in advance.
You are right, if your application is used over the internet, you pretty much have to put a middle tiers in there.
If what you are doing is primarily CRUD, I think a good idea would be to take a look at ADO .Net Data Services. It's an efficient way to expose data through a REST interface, and you get a client library to access your data in a typed manner on the client side.
It supports the usual ASP.Net security mechanisms (such as Forms authentication, membership provider and so on) so that you can secure your access points based on the user's credentials (and for that you can use the Client Services that can take care of authenticating between your app and your server).
Hope those pointers help.