I have an MVC4 internet solution which uses the following setup
N Tier Application with Repository Design
Authentication etc all decoupled from UI and on DAL Layer (Accessed via SecurityRepository)
Uses SimpleAuthentication in background
I have been asked to add a WebAPI project to the solution so I can share the datasource, purely for reading some data out to a Winform application internally.
Is it possible to still decorate the Controllers in the API with [Authorize] and call the SecurityRepository.Login method to authenticate a winform? Winforms don't use cookies so not sure how I would supply a token and manage access via roles. I want it to authenticate in the background and not have a login page, ideally seamless to the end user we have switched the current Winform app datasource to point to this WebAPI.
[Edit]
For future searchers, look here too: ASP.NET MVC 4 Web API Authentication with Membership Provider
You will have to change your Authentication for WebApi. The easiest way is to implement token autentication. There is a simple article on Steves Coding Blog about Basic Authentication with Asp.Net WebAPI
Related
I have a website written in ASP NET MVC. It's using ASP.NET Identity to authorize users to particular Controller actions. It's using different claims on users(like roles).
Now I need to write a Mobile App which is suppose to do the same what my website does, so to avoid duplicating code I decided to move all the data access layer to separated Web Api(MVC 6) Project so I can reuse the logic between applications. The question is - is there a way to somehow "Reuse" the authorization I have in my MVC project, like generating and passing some token to Web Api or something ? Re-writting it from scratch would take too much time, which I don't have too much. Any answers/tips/articles would be appreciated.
Yes, but API's do not generally use cookies so you can configure Bearer Token authentication which your API can use. OWIN middleware will look after authenticating the token and populating the User principal in the same way that cookies are handled in MVC.
After that, you'll be able to handle authorization in the same way as your MVC controllers.
We are starting a project which will consist in:
Web project (ASP.NET MVC)
IOS app
and both will consume data from a .NET WEB API service.
The WEB API service will expose a POST Method with the url "user/create". But i don't know how can i avoid another apps for making post to this url? I know i need a security protocol, but i wanted to know which one you recommend me, and if you have, an article where is it explained.
Thanks
web api 2 provides oauth authentication. You will need to get a token from the token end point of web api and pass that token in subsequent requests.
You should find lot of online resources if you search for web api 2 oauth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is a experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc, but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (ie, intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.
As a warning, I am very new to ASP.NET Identity. I have a project I am working on, and am trying to create different projects to better organize it. I have my UI layer, which is an MVC5 project, and my WebAPI, which is the API that will get called to perform various actions.
I want to use ASP.NET Identity 2.0 to authenticate and authorize actions in both projects. What is the proper way to do this?
I have two projects in the same solution. Let's say that I run debugging for both of the projects, I want to test being able to authenticate in the UI, then try and access a protected API call and see if it works.
However, if the Identity information is configured in the UI (using the default template), how do I make sure the API properly authenticates users?
One approach is to perform all user actions via the Web API, including authentication and authorization, as well as other Identity-related tasks such as registering and confirming new user accounts. This way, your presentation layer (whether it is a web, desktop or mobile application) will be responsible only for interacting with your API and presenting the data (as it supposed to be).
Check out this series of blog posts that demonstrate how to implement this approach using ASP.NET Web API and AngularJS.
I would like to know if it’s possible to do use authentication in Silverlight 5 without having to use RIA Services. I am using Entity Framework to connect to my database. I am also using the Business Application template. I have created a custom membership provider through which I am able to validate user credentials and can add new users. However, if I want to restrict content on the app based on which user is logged on, I have no way of doing. I believe that if I create a RIA Services Domain Context I can potentially check user information via WebContext.Current.User. Is there a way to get this type of information without RIA? Perhaps a WCF service of some sort?
Once I wrote a tutorial on how to share forms authentication between your web app and a silverlight app. This works without ria, uses guarded wcf. You can even fine tune the access to individual roles.
http://netpl.blogspot.com/2010/04/aspnet-forms-authentication-sharing-for.html
I have an ASP.NET web application I built for a client that uses default the ASP.NET forms authentication. They are now requesting a desktop (WinForms) app that works "with" the web application. I have created the webservices to access the data they want from the web app and put it into the desktop app. That works great.. but there needs to be the same level of security and data access based on roles that is already stored in the asp.net application.
So now it's time to make authentication work across both applications.
I would like to take advantage of the asp.net authentication by prompting a login when a user first opens the WinForms application and the calls possibly a web service to authenticate the user, get the users role, and profile.
I'm sure this has done and or asked about.. I'm just not finding the question/answer in SO.
First: Use WCF for your web services. It's a better framework than the old ASMX services.
Second: WCF can utilize the same RoleProvider and MembershipProvider classes that your ASP.NET application utilizes. It's a simple configuration switch. Use them both and your web service requires the same credentials as the web application.
And... that's pretty much it.
For more info, see:
Implementing a Role Provider
Implementing a Membership Provider
How to: Use the ASP.NET Membership Provider
To add to Randolpho's answer: another feature users might like is the ability to save their credentials rather than entering them every time they start your application. You can use the Credential Management API for this as described in this answer.