I’ve been asked to integrate a windows form application with SagePay to take payments directly from the application. The SagePay documentation talks about ASP.NET so I’m not sure whether this is possible. Has anyone integrated a WinForm application with SagePay before? Is it possible?
I know some payment processors have a connection option where the payment part is hosted on a form on their server. You could try embedding a web browser control into your app to display the payment page.
Usually there is another type of connection option where you can send your information via HttpWebRequest, but I'm not sure that this would work as it requires SSL. Since you are running your app as a desktop client, I'm not sure what you would have available.
I am not sure this is possible given that sagepay needs to redirect users to Mastercard securecode or Verified by Visa, I think they would need to redirect to the bank which then redirects back to a supplied URL. I would think this needs to be within a browser environment.
You can post to urls and get back a response via .net objects and parse the results to display on a form.
You can also ask SagePay to create a Vendor account with 3d secure switched off. This allows you to take payments in house in your winforms app without the customers password however most card vendors if you bypass 3d secure will not protect you if someone calls and uses a card fraudulently.
However it can definitely be done.
You can normally post to secure servers from non secure pages so again this isn't usually an issue.
Related
I couldn't find the exact answer I was looking for. I have two applications - web application built with react and desktop application built in C# Forms. What I want is if the user goes to a certain page in the Web Application, the browser should open (with or without a request) the windows application and send data, like the user's id. Could you guys give me an advice how this can be done?
For that, when installing your windows C# form in the user machine, you need to register a custom protocol in the registery.
See How do I register a custom URL protocol in Windows?
We have 3-4 ASP.Net MVC 5 applications for which we want to implement the solution of single sign on.
Our requirements are
Any user trying to access anyone of the application (any page)
and if he has not signed in into the same or another application in
the same browser should be re-directed to the login page.
If the login is successful till that application is running, the user
should not be asked the login credentials again.
If the user logs out from one application, he should log out from all other
applications
Things which may be useful while suggesting a solution.
Currently 2 applications are hosted on different domains. Other 2 applications are on subdomains
Though they are on the same server, one application can have access to database of other application but we would like to have a solution where in this direct access of db should not be required.
We would like to have a 5th application which will do the account management and also login and logout will be handled by this application
We are not just looking at a solution where authentication will be done by the identity server but we are also looking at the authorization wherein the identity server will authorize the level of access of requesting application.
Going ahead if this solution can help us take care of mobile devices as well as webservice based client access, it would be an added bonus.
We are using forms authentication in our application right now.
We have seen some examples on internet which but we seem to be lost on some or the other feature. Either we are going wrong somewhere or we are not looking in the right direction.
Hence we are looking for an answer. Appreciate your time to read this big question.
Thanks
As far as I know, when I developed a console app using YoutubeAPI to create live events for streaming, youtube required me to choose the account which was enable live streaming to put live events on.
But when I developed a website app using that API, even though I opened icognito browser to create live events, it still used my first account in Chrome to create live event.
I wondered if there is some way to make this API to select user like what happened in console app.
I think it is because of the client_secrets.json but I don't know how to fix it.
I am using C# to develop
All of the Live Streaming endpoints require OAuth, you must be authenticated as the user you wish to stream live with. You cannot stream on another user's behalf unless they have logged in and provided a valid OAuth token to use for your requests.
I have scoured the web looking for bits and pieces of a more comprehensive solution. I have been unsuccessful in my efforts, so I send up a call for help.
The problem:
I have a .Net/C# WebApp that uses windows integrated authentication. The application is a custom form application that allows users to submit requests. These requests are then routed to supervisors and other parties that will review and approve the requests.
For audit purposes, I must have each supervisor "Sign" the form. The easy solution - use the active browser session information. A user clicks the "approve" button and that information is logged into the database (ID and date/time). But the auditors don't like this solution. They view it as insecure. They want a separate challenge for credentials where users are forced to enter an ID and password (and very soon present a token/PIN combo in lieu of ID/password).
To satisfy this in an infopath version of this form, I used CredUIPromptForCredentials. That code (although written in C#) does not directly port to the new custom WebApplication. I did some digging and uncovered a number of resources on the newer CredUIPromptForWindowsCredentials:
How to show Windows Login Dialog?
Show Authentication dialog in C# for windows Vista/7
How to show authentication dialog in C# .Net 3.5 SP1
Windows Security Custom login validation
This is really in the spirit of what I'm trying to accomplish. With very few modifications to the code in the articles above (and borrowing from some code in my old InfoPath form), I was able to get a working system of prompting and testing.
I would be happy to share the existing code if anyone is interested, but it is VERY similar (nearly verbatim) to the existing code referenced above. The only difference is a separate isAuthenticated method that actually tests the credentials by instantiating a DirectoryEntry object and passing that object to a DirectorySearcher object to test if the credentials worked.
But no so fast. This code, as I said, works, but ONLY when I run in debug mode in Visual Studios 2012. If I visit the site by entering the address and click the button to "sign" the form, the site spins and never shows the security dialog. It's almost as if (and this is just my guess) the IIS settings that allow windows authentication are preventing the applications request to prompt for credentials. This is not the case when I run the site through the debugger.
Once I get past that barrier, I have to actually do some further testing to see if this code will support authentication with a PKI card. I am guessing it will since CredUI passes the prompting to windows to handle.
So here are the questions:
1) What could possibly be preventing the windows security window from popping up when the method is called through the IIS server VS running in Debug (localhost)?
2) Does anyone have any experience with implementing CredUIPromptForWindowsCredentials to work with PKI?
2a) If so, does CredUIPromptForWindowsCredentials actually support PKI without any additional code (assuming that the windows workstations are configured with all of the hardware, drivers, and middleware)?
Thanks in advance for any insight you can lend.
Phil S.
Looking your problem and as an old Auditor, may I recommend an detour to satisfy your auditing team? PKI is not the most safe thing around...
1) Provide a normal LOGIN/PASSWORD form, without any special instruction or Credentials (that could be frauded or stolen "on the fly"). Preferable, utilize HTTPS in this page.
2) Once the guy inform the data, pass a 2-Factor Authentication using SMS (INstant Message). The cost is really irrelevant (see Twilio to get some idea). Obviously, each guy, beyond his login/password, must have his phone within database.
3) This way you can ensure that the Supervisor is really the guy who had approved/sign the page.
It´s the safer mode and, because of it, Facebook, Google Mail and others are utilizing this method.
Sorry, I know I not answered you as you need, but it´s safer than your proposal.
Good luck!
I have a program that opens a web browser control and just displays a web page from our server. They can't navigate around or anything.
The users are not allowed to know the credentials required to login, so after some googling on how to log into a server I found this:
http://user_name:password#URL
This is 'hard coded' into the web browsers code. -It works fine.
HOWEVER: Some smart ass managed to grab the credentials by using WireShark which tracks all the packets sent from your machine.
Is there a way I can encrypt this so the users cannot find out?
I've tried other things like using POST but with the way the page was setup, it was proving extremely difficult to get working. -(Its an SSRS Report Manager webpage)
I forgot to include a link to this question: How to encrypt/decrypt the url in C#
^I cannot use this answer as I myself am not allowed to change any of the server setup!
Sorry if this is an awful question, I've tried searching around for the past few days but can't find anything that works.
Perhaps you could work around your issue with a layer of indirection - for example, you could create a simple MVC website that doesn't require any authentication (or indeed, requires some authentication that you fully control) and it is this site that actually makes the request to the SSRS page.
That way you can have full control over how you send authentication, and you need never worry about someone ever getting access to the actual SSRS system. Now if your solution requires the webpage to be interactive then I'm not sure this will work for you, but if it's just a static report, it might be the way to go.
i.e. your flow from the app would be
User logs into your app (or use Windows credentials, etc)
User clicks to request the SSRS page
Your app makes an HTTP request to your MVC application
Your MVC application makes the "real" HTTP request to SSRS (eg via HttpClient, etc) and dumps the result back to the caller (for example,it could write the SSRS response via #HTML.Raw in an MVC View) The credentials for SSRS will therefore never be sent by your app, so you don't need to worry about that problem any more...
Just a thought.
Incidentally, you could take a look here for the various options that SSRS allows for authentication; you may find some method that suits (for e.g Custom authentication) - I know you mentioned you can't change anything on the server so I'm just including it for posterity.