I am building an ASP.NET WCF Restful Service for several colleges. The service allows students to authenticate, therefore I will be leveraging some sort of central authentication at each College. For example one college may require authentication via Open LDAP while another may require Active Directory Authentication.
I need the ability to easily drop code into my project to change the authentication type (Open LDAP, Active Directory, etc..).
My solution is to create an interface and implement it in my Custom Authentication class. I would drop the compiled authentication class into my bin folder and add a key value entry into the web.config file which specifies the Assembly name and Class name. When a user Authenticates I would create the class through reflection and use the interface methods to authenticate the user.
Is the above approach a good approach to handle custom authentication? Has anyone solved this using a different approach?
Thank you for your time.
Victor
You could just use the ASP.NET provider model or use MEF to look through your directories and assemblies to discover implementations of an interface. That way you don't have to write the reflection code yourself, and it will be correctly loaded on application initialization, rather than you creating it on every authentication attempt.
I think you can develop a custom service behavior, and in that behavior you can define your customized authentication ways.
This link (http://www.codeproject.com/KB/WCF/Custom_Authorization_WCF.aspx) may help you.
Related
I would like to add a password protected page to my WPF modernUI application and could use some help with it.
First of all I don't really have a clue how to handle this stuff correctly in my case.
My application is used on several machines. The protected page should be some kind of admin-page to edit a database that is used by the app.
My idea is, that there is only one Admin-account. But this account can be used from any machine. The admin should be able to change his password. So there must be some kind of encrypted password file on the server which can be accessed from any machine. I don't want to store the password within the application, as this would mean that the admin has to change his password on every machine.
So my question is: What is the best/safest solution for my idea? I'm just looking for hints as I don't have a clue what to search for.
The best Practise nowadays for distributed client applications who share a Database is indeed not to have direct access to the Database.
What you need is a WebService. A web service can be anything. It just has to be hosted somewhere. It can be an ASP.NET application, a WCF Service, or even something not .NET related like a PHP or Java application.
The communication between your application and your WebService depends on what you decide to use. Today a lot of people are using so called REST APIs which use either XML or JSON as data transfer format and use the HTTP protocol.
Its not hard to implement such an API since there are ton of Libs and Solutions out there.
You could use RestSharp for the communication at your client side. Which is straight forward and simple. You could also consume a WCF Service. Which is hosted in IIS somewhere.
However your Problem is nothing special and there are several solutions available. The decision is on your side since it depends on a lot of things such budget, available infrastructe etc.
Your question is quite broad but as far as WPF is concerned you could implement custom authentication and authorization in your application by creating classes that derive from the IIdentity and IPrincipal interfaces and overriding the application thread’s default identity. Please refer to the following blog post for more information an an example.
Custom authorization in WPF: https://blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf/
The actual credentials should be stored on some remote server that may be accessed through a web service, WCF service or some other kind of API. The details of how to actually get the credentails would be implemented in the AuthenticationService class in the sample code from the above link.
I am building a plugin for multiple .NET based solutions. The application it self will connect to a database that holds user data and user group data, as well as some configuration files that users create for them selves. The configurations may also be shared between users (the owner can share his configurations with another user), and administrators will be able to edit all permissions on all files(my guess is via some web interface).
The applications that will have access to the functionality of this plugin are using the .NET platform but after that the projects diverge. One is using old win forms, the other WPF for desktop and another is web based using a JavaScript library. All the aforementioned applications are just interfaces for a shared lib that contains actual business logic.
My plugin will be implemented within the shared business logic library. The app will support both username and password authentication as well as windows authentication(if win auth fails the all will ask for username and password to try to access data that way).
My options regarding membership and authentication/authorization are plentiful and I'm not sure of my choice. I can use the Membership library or the new Identity library. I am also sure there are 3rd party libs that are quite good at this stuff but I have yet to hear of them.
is there a preferred lib to use or is the choice trivial and i should just start from somewhere?
This is a great place to start: http://brockallen.com/category/membershipreboot/
I'm trying to get a handle on all the various techniques of implementing custom authorization within a traditional ASP.NET application - it seems that the preferred approach is to use the Membership API by creating a custom provider model.
I'm interested in implementing a custom roles authorization model based on a combination of roles and individual permissions (a role is comprised of permissions and a user can have multiple roles or specific permissions which override whatever permissions the roles might have)
What is the advantage or disadvantage of creating a full-fledged Roles provider vs implementing a custom principal object and implementing all the authorization logic in overloads of the IsInRole method? Are custom principals a deprecated technique stemming back to 1.1? In general, when are you supposed to implement a custom principal?
We are using Active Directory as the user store. A third party consulting firm has implemented a TERRIBLE custom roles-based authorization module that contains authorization logic and rules contained in an XML file and passed around in the Session object for each user and does not tie in whatsoever with the ASP.NET infrastructure for authorization.
I'd like to know what the best practice for this would be
I would advise to stick with the asp.net membership and role provider architecture. It integrates well, and is a good thought out system.
If you need to use another account store then the asp.net membership or active directory you can always implement a custom membership and/or role provider. This is not hard.
It may be possible to wrap the custom third party system in a custom role provider, but i only would go custom if you have special needs that aren't provided in the given classes.
this video may be interesting
I have created a project which is basically described as a consumable service to create or edit users on a remote computer. The idea is to connect to a server and add a user. The structure of the project is as follows:
WCF Service: to expose functions to create/edit/select users
Utility assembly: Netapi32 COM functions wrapped in a utility class
Consumer: Usable assembly that wraps calls to the WCF service to use in site
The problem I am having, is that I can get a list of all the users on the computer running the WCF service, but i cannot create or edit them. it is only giving me readonly functionality.
Does anyone have any idea how I might be able to fix this or even trouble shoot it?
The account that actually runs the WCF Service may very well not have rights to create or edit users.
Make sure your service is running under an admin user that actually has the rights to create users. If you use the default user for IIS i bet it does not have that kind of access.
We use an IBM database known as Universe that holds all of our user id's, passwords, and profile information in a table called USERINFO.
Can I use the Membership Provider to connect to this database and authenticate the user?
The database access is actually through a web service since we don't have a direct connect to the database.
We have a web service method called GetUserInfo which accepts a parameter of username. The method will return the password and profile information.
As mentioned above, you'll need to create a custom membership provider which a fairly straightforward. You'll create a .NET class that inherits from System.Web.Security.MembershipProvider. There are several methods that need to be overriden in your class, but most are not even used by the MVC account controller. The main method you'll want to override is ValidateUser(username, password) which will get a user logged in. After you've implemented your class you'll need to register it in web.config which is easy as well.
You can find a sample for a custom provider here:
http://msdn.microsoft.com/en-us/library/6tc47t75(VS.80).aspx
And a tutorial for the entire process here:
http://www.15seconds.com/issue/050216.htm
Keep in mind that the process for making a custom provider for MVC is the same for a standard ASP.NET web site, however MVC does not fully utilize all methods of the MembershipProvider class so it's much easier to implement.
You'll have to create a custom provider for that. It isn't very hard, as long as you can access the web service without an issue.
Have you investigated the UniObjects interface? It comes with Universe, but needs to be installed. It has complete access to all database functions. Logging in, Selecting files, reading, writing, deleteing, creating new files etc.