I am building a set of services based on MVC 4. They should all be a part of the same authentication system. Currently I have got a separate project for all the model handling, including the Forms Authentication you get by default when making a new MVC 4 app.
Now, I would like to make a toolbar for logging in to our cloud services, and this toolbar must be made in such a way that it can be imported into our other services. Logging in with this toolbar should log you in to all our services, that are separated into different MVC apps. Thus logging in when browsing "service1" and then going to "service2", you should still be logged in with the same user.
Can anyone point me in the right direction here? Should I make a separate MVC app for this toolbar, and somehow reference it in all of my other projects? Should I export my controllers into a separate project and use them? I am not sure what the best practice is here, nor where to find the info I need on the matter.
Since you will be hosting your applications on different domains, you could implement some Single Sign On mechanism the way SO does it over the Stack Exchange network: https://meta.stackexchange.com/questions/64260/how-does-sos-new-auto-login-feature-work/64274#64274
Different domains means that you won't be able to share the Forms cookie. You should rather learn how to use one of the enterprise Single Sign-on protocols - using a recognized protocol means that you can easily integrate other applications, even if they are developed in different technologies (standarized protocols are supported by most development environments).
Possible candidates are:
the OAuth2 protocol. It is a respected protocol as Google, LiveID, Facebook, Twitter and others support it. To build an OAuth2 server you will need a framework like the DotNetOpenAuth.
WS-Federation. Got a lot of attention in .NET world as we got the Windows Identity Foundation framework which lets you create WS-Federation servers and clients.
Anyway, my advice is to invest your time now as this will pay off well in future.
Related
How can I communicate between web applications?
I have an application that manages my web application with other applications: When I login to my application, it lets me connect to another application.
I work in VS2015 ASP.net MVC, c#. Help, please!
I am not sure what do you mean here by communication.
it can have two meanings -
Page Re-directions from one web app to another:
You want the links of other applications to be included in one application and then when user clicks they can redirect users to those respective pages. If you have SSO implemented, they will not even ask the login information.
This would be simple, you have to include anchor tags with targets of other web sites.
As long as they are hosted under same domain name, it would work.
If they are not hosted in same domain name, then you will have to enable CORS in those web sites to allow requests from other origins.
Secondly, by communication, you may mean to just call APIs to get some data in current web app
For this you will have to write the RESTful APIs from other applications which cater to your needs.
Then you can call those APIs like any other web API call.
Here also, if the other applications / APIs are not hosted under same domain name, you will have to enable CORS.
For enabling CORS in your application, please refer this MSDN article.
For creating APIs, you can refer this MSDN article.
Again, this is not directly answers to your question. But I am sure this has provided enough details to think about integrating with other apps.
Hope this helps.
I implemented SSO for my web applications with following architecture
These are basic flows:
Now conceptually it seems OK to me but what bothers me is the fact that all applications depend on SSO web api.
if something changes in SSO Web Api, all applications could suddenly stop working - what is good approach of versioning Web API to make it backward compatible?
If SSO API has DTO objects for users (username, email, roles, functions) that means I have to share them somehow with App1 and App2. I considered SOAP with wsdl but I would like to stick with Web API since its much more flexible client-wise and successor to WCF. One thing that comes to my mind is putting DTO objects of SSO API into separate class library project and referencing it in both App1 and App2?
EDIT: I need this for intranet applications with role/function based authorization
Regarding your two questions: There are well established standards for use cases like yours. Have a look at OpenID Connect and OAuth or the older, more enterprise-like, WS-Federation/SAML.
Anyways, rolling your own security is usually no good idea and a thing you should avoid (evidence). For a quite ready-to-use solution have a look at IdentityServer.
This looks like a home-grown SSO solution. I recommend that you don't build your own.
On the other hand, to answer your questions:
Q1: You have to version your API. There are several ways to version it. The easiest probably is to have a version number in your routing like:
"api/v2/sso"
Q2. If you have a DTO, you can create a library project that only contains the DTO. You can share the library by hard-referencing it as a DLL in your App1 and App2 project or you can distribute it as a nuget package. I prefer the nuget package - you can have a nuget server that is web based(hosted in IIS) or as a shared drive in your network.
I'm currently devoloping a N-Tier Application with C# as Business Tier. It's a kind of ERP and I need authentication (email/password) for this app.
I need also permissions based on the login (create orders, delete articles)
All this informations should be stored in one database.
As UI Clients I planned to make WPF Client, ASP.Net and maybe in future iPhone/Android.
As message broker I use RabbitMQ (Clients talk to Business Layer only over AMQP. Due to the advanteges I have more than one Business Layer for round robin dispatching).
On my research for authentication in N-Tier applications I found one advise for Windows Identity Foundation. WIF is completly new for me. All the examples I found handle only ASP.Net Applications.
My question now is:
Is WIF the right thing for me or should I implement this session handling on my own?
If WIF can fit my needs, what is the best way to handle this?
Do I have to implement a custom STS and place it within a WCF Service?
As you are explicitly mentioning RabbitMq, I am suggesting ServiceStack for your service interface.
One issue with MQs in general is that they are decoupled from any meta information, such as HTTP Headers, to inject authentication. You should in contrast provide a property Session (with pre authentication) or UserName and Password in your message (where the later one is not prefered, as the credentials are passed in plain). A sample solution with the built-in SessionFeature of ServiceStack is available in their documentation.
Another nice feature of ServiceStack is that you can decorate your handlers not only with AuthenticateAttribute but also with RequiredRoleAttribute and RequiredPermissionAttribute.
Also: How do you plan to queue a message with Android? Can you expose the internal MQ to the outside, and is there a client available for eg Android? Therefore I suggest a dual endpoint over HTTP to queue messages in whatever MQ you choose to use. More information on how to integrate MQ in your HTTP service is available in the documentation.
With ServiceStack you can spin as many consumer instances you want, as there is a plain communication without all the serivce stuff available.
Trivia: As I am authoring an upcoming book on Mastering ServiceStack I am a little bit biased. Nevertheless I do cover most of your questions in the book, and provide code examples: Bits and pieces to your scenario are already covered here (do not get frightened by specific MQ, they are interchangeable).
I am a total newbie to the WCF world. I have an ASP.net (v4) website running on our dedicated windows 2008 server box. I'll refer to the website as, webisteA.com
I'm creating a new website, websiteB.com.au and I'd like to expose the functionality in WebsiteA.com to the new site. Things like logging in, registering in the database etc.
I think the best way to do this is to create a WCF service which sits in WebsiteA.com - but I am struggling to find any tutorials on how to do this. There are lots about creating a new project, but not that many about adding a WCF service to existing websites.
Is this the best way to do it? In the future I'd also like to use the service for mobile apps in the future too - not sure if that will make a difference.
OR - do I create a new service in a new app which is totally seperate to websiteA.com and websiteB.com and host this as website0.com and expose the database via that?
The questions I don't have answers for are...
is it restful? Do I use XML or JSON?
Baiscally, I want to be able to use it like an API - for example, saying "show me all the members who meet criteria X".
Thanks for any information.
ps) I have visual studio express 2010 c# (and a trial of studio pro)
You can certainly include WCF within the website A project - but have you considered the ASP.NET Web API? I haven't used it yet - but did use the earlier WCF Web API which spawned it.
Neat features include Content Negotiation (if the client asks for XML the API sends XML. If it asks for JSON is gets JSON) and a lot less config cruft (WCF web.configs are dreadful and completely overcomplicated IMO)
It's probably a lot easier to make a RESTy API with the ASP.NET Web API than with standard WCF.
A great open-source .NET solution is NancyFX which is really worth a look too.
I am building a solution for a small business without any in house IT staff.
The central datastore is SQL SERVER (express2008)
I would like to leverage SQLs built in security (certain views for certain classes of employees).
However the boss (the one who needs the control to say who sees what and who can edit) is overwhelmed by Management Studio.
No I know that in just 16-20 hours I could put together a nice interface that uses SQL to manage the users.
It just seems silly for me to reinvent the wheel for what seams like it must be a common problem and must have been solved many times before. but searching on the web has not turned anything up.
I would rather something that I could package with my app (WPF/C#/Linq2Sql)
but if it was stand alone it would also be great as long as it was dummy proof.
While I am on the topic.
How do users usually change their sql passwords (when you are forced to used mixed authentication)?
Thanks
From Scott Guthrie's weblog:
If you haven’t watched this great online video yet you absolutely should. It walks through how to add Forms Authentication (using the <asp:login> control) with a secure Membership Credential Store + Role Based Security to a site, then implement pages that enable Registration (using the <asp:createuserwizard> control) + Change Password (using the <asp:changepassword> control) + Reset Password (using the <asp:recoverypassword> control), and then authorize page access and hide menu navigation links using the role groupings of the authenticated user. The video shows how to-do all of this from scratch in only 17 minutes. You can watch it here. You can also find other great ASP.NET “how to” videos here.
Easiest way to implement this kind of functionality, in my opinion, assuming you're building an ASP.NET front-end.
Edit:
Even though you're delivering a desktop app, I'd still build a web app, stick it on their intranet and then there's one place to go for user account stuff. It's just too easy.
Edit Again:
Look into the stored procedures that are called from the <asp:changepassword> and the <asp:createuserwizard> controls and replicate them from in your admin section.
The answer you're looking for:
Again, Scott Guthrie comes to the rescue:
Peter Kellner has a good article on the new ASP.NET 2.0 Membership and Roles Features, and then put together a very useful sample that demonstrates how to implement a set of admin data-pages on top of the ASP.NET 2.0 Membership and Role Management system to allow you to remotely administer your users and roles. His sample is available to download in source format -- so you can integrate it within your applications to provide a remote management experience for users/roles that works well in a hosting environment.
Update: Check out Juval's article and sample code on how to accomplish the same thing using a Windows Forms front-end and web-services. Very slick!
Updated: Juval has updated his code again to support three options:
1) The version mentioned in the magazine
2) A WCF (Indigo) version hosted in IIS
3) A WCF (Indigo) version with a custom server host in case IIS isn't an option
You can download all three versions here: http://www.idesign.net/idesign/temp/CredentialsManager.zip
Hope this helps,
Scott