Restricting Users from different Web Applications - c#

Okay, I have a web application that manages the logins for different client web applications, stored inside the root folder. Each client web application has its own login controlled by the C# Roles class, whereby they are routed to their site.
http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx
Now, while logging in and using the site works perfectly, the problem is that if a user enters the URL for one of the other client sites, it allows them access to it.
Is it possible to restrict this access?

Your roles should be attached to a specific application. This can either be done with separate databases for each application, by adding and filtering based on the associated application within your role manager, or using application specific roles for each application (I'd avoid this, but it should work). If you have the role "user" that is used by multiple applications without any filtering, then the individual application won't know whether it's a user for their app or not, and thus by default allow any "user" to access any application that allows users.
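To make the gap concrete, here is an added example (not code from the question or the answer above) that contrasts the unscoped "user" check the client sites are effectively doing with a check that requires a role scoped to the requested application. The site names, the user "alice" and the "Application:role" naming scheme are constructed for illustration; with the built-in SqlRoleProvider the same separation comes from giving each client site its own applicationName.

```csharp
using System;
using System.Security.Principal;

// Added example, not from the original post. A global "user" role is honoured by every
// client site, whereas a role scoped to one application is only honoured by that site.
// ClientA, ClientB and alice are constructed names.
static class ApplicationScopedRoles
{
    // Role name the role store should hand out per client site, e.g. "ClientA:user".
    // The naming scheme is an assumption; SqlRoleProvider achieves the same with a
    // distinct applicationName per site in web.config.
    public static string ScopedRole(string application, string role) =>
        application + ":" + role;

    // What the client sites are effectively doing today: any "user" anywhere passes.
    public static bool UnscopedCheck(IPrincipal principal) =>
        principal.Identity.IsAuthenticated && principal.IsInRole("user");

    // What each client site should do: require the role for the site being requested.
    public static bool ScopedCheck(IPrincipal principal, string requestedApplication) =>
        principal.Identity.IsAuthenticated &&
        principal.IsInRole(ScopedRole(requestedApplication, "user"));

    public static void Main()
    {
        // Constructed principal: alice was granted ClientA only, but the login app also
        // put her in the global "user" role.
        IPrincipal alice = new GenericPrincipal(
            new GenericIdentity("alice"),
            new[] { "user", ScopedRole("ClientA", "user") });

        // An anonymous visitor who typed a client URL directly (empty name => not authenticated).
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        foreach (string site in new[] { "ClientA", "ClientB" })
        {
            Console.WriteLine("alice -> " + site
                + ": unscoped " + (UnscopedCheck(alice) ? "ALLOW" : "DENY")
                + ", scoped " + (ScopedCheck(alice, site) ? "ALLOW" : "DENY"));
            Console.WriteLine("anonymous -> " + site
                + ": scoped " + (ScopedCheck(anonymous, site) ? "ALLOW" : "DENY"));
        }
    }
}
```

In a Web Forms site the equivalent of ScopedCheck would run in Global.asax (for example in Application_AuthorizeRequest) against HttpContext.Current.User with that site's own name, returning 403 on failure, or be expressed declaratively with an `<authorization>` section that allows only the site-specific role and denies users="*". Whichever form is used, each client site must check a role that names that site, not the shared "user" role.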


Force Identity Server child application to refresh claims

I have a parent web application which uses identity server to authenticate users across a suite of other web applications which act as children of that parent app.
We utilize a profile service within the parent application to set user claims which can be used with the child application. This profile service is registered with Identity Server on startup by using IdentityServerBuilderExtensionsAdditional.AddProfileService.
Within the user claims we store some user preferences for easy access within our child applications. Recently we added functionality within the parent application to allow users to directly update these preferences.
Unfortunately these updates do not seem to apply until the user's token is refreshed. This can be up to 5 minutes. There doesn’t seem to be any way for me to broadcast to the child applications that something has changed within the parent.
How can I, within the parent application, force the child applications to refresh their claims by making them call that user profile service?
I have tried logging the user out then back in e.g.
await SignOut();
await SignIn(user, rememberMe);
Interestingly this actually seems to work locally on my development machine, but once deployed to production environments this does not work. But I have not been able to determine any difference between my configuration and the production configuration. So, I am looking for a more robust way to force child apps to call this user profile service early.

Single sign on to web application with windows login

I have a single sign-off requirement from our customers as part of our next release. The existing flow is as follows:
User logs into their organization system (AD user) or main portal system using their email ID or user name as provided by the organization.
User clicks the link to my web (i.e. angular + web api)
User is automatically taken as a logged in user and he can access protected pages. If the user wants to log in from outside the organization he must use the login form on our site.
I have completed the login form web application using the email/password that we have stored in our local system, but I am still struggling to implement it with Windows credentials.
My project is based on Web API 2.0 with an Angular frontend. It's hosted on IIS. I don't want to use any 3rd party DLLs to manage everything, so are there any appropriate solutions available in the .NET environment which would achieve my requirements in a simple way?
If your website needs to seamlessly authenticate user credentials in an AD domain, one way to achieve this is by creating a small IIS server with NTLM authentication inside the domain and forward some type of authorization/credential key to your outside website.
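One concrete shape for the "authorization/credential key" mentioned in the answer above, as an added example that is not part of the original answer: the internal IIS site, which only serves a request after NTLM/Negotiate has authenticated the browser, mints a short-lived HMAC-signed assertion naming the Windows user, and the public site verifies the signature, expiry and a replay cache before starting its own session. The shared key, the 60-second lifetime, the user name CORP\alice and the token layout are all constructed or assumed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original answer. Internal site issues a signed handoff
// token for the already-authenticated Windows user; public site verifies it.
// Key, lifetime, token format and user names are constructed/assumed; keep the real
// key out of source and rotate it.
static class WindowsHandoff
{
    const int LifetimeSeconds = 60;

    // Internal site: only called after IIS has authenticated the request, so in real code
    // windowsUserName would be HttpContext.Current.User.Identity.Name.
    public static string Issue(string windowsUserName, byte[] sharedKey, DateTimeOffset now)
    {
        if (windowsUserName.Contains("|")) throw new ArgumentException("unexpected '|' in user name");
        byte[] nonceBytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonceBytes);
        long expires = now.ToUnixTimeSeconds() + LifetimeSeconds;
        string payload = windowsUserName + "|" + expires + "|" + Convert.ToBase64String(nonceBytes);
        string payloadB64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
        return payloadB64 + "." + Sign(payloadB64, sharedKey);
    }

    // Public site: returns the Windows user name if the token is genuine, unexpired and
    // not replayed; otherwise null. usedNonces is the site's replay cache (assumed to be
    // pruned once entries are older than LifetimeSeconds).
    public static string Verify(string token, byte[] sharedKey, DateTimeOffset now, ISet<string> usedNonces)
    {
        if (token == null) return null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;

        // Check the MAC before trusting anything inside the payload.
        byte[] expected = Encoding.UTF8.GetBytes(Sign(parts[0], sharedKey));
        byte[] actual = Encoding.UTF8.GetBytes(parts[1]);
        if (!FixedTimeEquals(expected, actual)) return null;

        string payload;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])); }
        catch (FormatException) { return null; }

        string[] fields = payload.Split('|');
        if (fields.Length != 3) return null;
        long expires;
        if (!long.TryParse(fields[1], out expires)) return null;
        if (now.ToUnixTimeSeconds() > expires) return null;
        if (!usedNonces.Add(fields[2])) return null;   // nonce seen before: replay
        return fields[0];
    }

    static string Sign(string data, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    // Compares every byte regardless of where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-use-32-random-bytes"); // constructed
        var seen = new HashSet<string>();
        DateTimeOffset now = DateTimeOffset.UtcNow;

        string token = Issue(@"CORP\alice", key, now);
        Console.WriteLine("fresh:    " + (Verify(token, key, now, seen) ?? "rejected"));
        Console.WriteLine("replayed: " + (Verify(token, key, now, seen) ?? "rejected"));

        // Forgery attempt: a different payload with the original signature attached.
        string forgedPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            @"CORP\admin|" + (now.ToUnixTimeSeconds() + LifetimeSeconds) + "|x"));
        string forged = forgedPayload + "." + token.Split('.')[1];
        Console.WriteLine("forged:   " + (Verify(forged, key, now, new HashSet<string>()) ?? "rejected"));

        DateTimeOffset later = now.AddSeconds(LifetimeSeconds + 1);
        Console.WriteLine("expired:  " + (Verify(Issue(@"CORP\alice", key, now), key, later, new HashSet<string>()) ?? "rejected"));
    }
}
```

The token should travel to the public site over HTTPS (a POST body or a redirect is fine given the short lifetime) and be exchanged for the public site's own session cookie on first use; after that the public site never needs to see Windows credentials. The public site must also maintain its own mapping from the asserted Windows user name to a local account, so that the internal site is trusted for identity only, not for authorization.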

Setting up Single sign on to login to different ASP.Net applications in different domain

We have three different applications running on ASP.Net 4.0 and SQL Server 2008; the username/password etc. for these applications are stored in user tables in the respective databases separately (not forms/windows authentication). A user may have access to all three applications or only one. Currently, if the user has access to all applications, he has to log in separately to each application, log out and log in again to another application. Our boss wants to make it a single login page where the user can log in and, depending on the privileges he has, the respective application icons should be shown; when he logs out from that application he should be able to access the other application without logging in again.
I thought of creating a common table which will have all login IDs and passwords from the three applications, and creating a wrapper application in which the credentials will be captured. First the username will be checked in the common login table and, depending on the application access he has, the respective database and application will be invoked. My issue is that currently, when a user logs in separately to an application, a few session parameters are passed. When I write a wrapper for the common login, how do I maintain these session parameters? Also, is it possible to maintain the session timeout? All three applications are in different sub-domains on the same server. Please advise. Thanks in advance.

WCF RIA authorization via local Windows groups

I'm currently developing a WCF RIA based Silverlight Business Application (intranet use only) for my company. I ran into a couple of problems when trying to authorize users. Here is the situation:
The app is running in our Windows domain and is therefore using Windows Authentication, which already works well. Access to certain domain service operations shall be restricted to members of a certain group (let's say "Admins"). This group is available locally on the server where the app is hosted and is already used to restrict access to the SQL Server instance. It will not be possible to add this group to the domain and make it available globally.
I know that I can restrict access to domain service methods via the [RequiresRole] attribute. The problem is, however, that the local group memberships of a user are not loaded into the user object that is available via WebContext.Current.User, and therefore the authorization fails.
Is there any workaround or better way to do this?
Thanks in advance!
Have you tried setting the "PrincipalPermission" attribute on the service method you want to restrict?
using System.Security.Permissions;

// Demands at call time that Thread.CurrentPrincipal is in the "Admin" role;
// a SecurityException is thrown otherwise.
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public string GetResult()
{
    return "result";
}
Best regards,
Arjen
I solved my issue.
What I did was to copy the AspnetDb database to the SQL Server instance on my server machine. This database is holding all the information about users, roles, etc and is used by the ASP.NET role manager for authorization purposes. This database is usually located in the project folder of your Web project (inside the App_Data directory). To make the new configuration work, you have to change the connection string inside your Web.config
(for more details: http://weblogs.asp.net/scottgu/archive/2005/08/25/423703.aspx).
I manually added new users to the database. The user name you enter there must match the Windows user name (e.g. DOMAIN\USER_NAME). Then you can add new roles to the database and give all your users their specific roles.
The ASP.NET role manager automatically loads the roles/users on application startup and you can restrict access to your domain service methods via the [RequiresRole] attribute.
In addition, there is also a way to dynamically show/hide/enable/disable user controls based on role membership, see here: http://blogs.msdn.com/b/kylemc/archive/2010/05/04/authorization-sample-201.aspx

What's the difference: Windows Authentication, Passport Authentication and Form Authentication?

Just going to start making a web application and was wondering which was better, or at least what are the main differences between them (as it probably matters what I am using them for)?
Windows Authentication
Passport Authentication
Form Authentication
I would say it greatly depends on what your web app will be doing, as each one has its place. Here are some brief details about each one.
Windows authentication enables you to identify users without creating a custom page.
Credentials are stored in the Web server's local user database or an Active Directory domain. Once identified, you can use the user's credentials to gain access to resources that are protected by Windows authorization.
Forms authentication enables you to identify users with a custom database such as an ASP.NET membership database. Alternatively you can implement your own custom database. Once authenticated, you can reference the roles the user is in to restrict access to portions of your Web site.
Passport authentication relies on a centralized service provided by Microsoft. Passport authentication identifies a user using his or her e-mail address and a password, and a single Passport account can be used with many different Web sites.
Passport authentication is primarily used for public Web sites with thousands of users.
Anonymous authentication does not require the user to provide credentials.
http://msdn.microsoft.com/en-us/library/eeyk640h.aspx - ASP.NET Authentication further details on forms and window authentication
Edit
Rushyo's link is better: http://msdn.microsoft.com/en-us/library/ee817643.aspx
Situations for when to use what:
Windows Authentication: As you will be using the login & password used in a domain... If you use Windows authentication, your webapp will (generally) have to be deployed on a network server and all your users should (generally) have a login created for them in the domain. Though cross-domain operations are possible, primarily you won't be able to use it in a non-domain based environment like public websites. It will be tough if you want to include some users who are outside your domain.
Forms Authentication: Here you are deciding to act independently. You will assign each user a separate user ID and password and will manage them yourself. The overhead here is that you should provide and restrict the ways users are created and removed. Here you are not restricted to any domain. Any user who wants to gain access to your webapp should get registered with your webapp. This is similar to any mail sites you see on the internet.
Passport Authentication: You are depending on MS to validate your users. This will give a global status to your application, but if you are going to deploy it only to a small group of users, you will be forcing them to create a Passport account (if they don't have one) so that they can access your application.
To make it more clear: whichever method you follow, you can still restrict who can access your webapp, and can also define your own roles for each user.
This should cover everything you're looking for (and more):
http://msdn.microsoft.com/en-us/library/ee817643.aspx
[Snap - I was totally going to use that exact same quote as well ;)]
