I have a website that uses WebMatrix user authentication (login/register pages) and I am making an app in Windows 8 release preview and would like to know if it is possible to authenticate users of my app (let users of my app sign in to my app) if they are registered members of my website? And if they are not, allow them to register through my app - but it appears that remost db connections are not possible in Metro apps - so I don't know what to do. Can somebody please help?
I've been searching for weeks but there still isn't a whole lot of official documentation out there.
You should never ever allow any client or user program to access your database directly (not even read access). People WILL abuse it one way or another and they might try exploits to gain write access if their access is restricted to reading. If you'd like a prominent example, Super Meat Boy did that exactly, and they got lots of database issues and abuse over last year's christmas days (while there game was on (Steam) sale, so they got lots of additional upset players!).
I've never used WebMatrix, so I might be a bit off here, but in general you should have several possible approaches - all being better than doing direct database access:
Use some provided remote access (this might be some extra class or addon or whatever; IF available).
Write your own remote access tool. This would essentially be some special website accepting/returning text or data interpreted by your program. E.g. you could post the login credentials in a HTTP POST request and it could return ok or failed or something like that.
Essentially fake a web browser and access the standard URLs/scripts/systems provided by WebMatrix.
Related
So I'm trying to find a "Best" way to interact(create a interface) with Active Directory read/write mode. So I'm deciding between this two aproaches:
Try and use the ADWS.
C# Implementation.
Apparently for ADWS is not that easy even though there is a full WSDL I'v not been able to locate it, to try to do some test via SOAPui...
Now fort the C# Implementation there are few implementations
but still I'm not sure if its 100% doable to have full READ/WRITE to AD i.e. creating accounts users, query for users info, etc. from lets say REST WS.
So My questions are
Is there a way of getting a WSDL from the AD server so that I can use that as a starting point? ( I don't want to get me into PowerShell stuff or the like)
Are there any good articles for the latest versions C# ,libs, etc... to help me implement this?
Is there a better way of doing this?
As an example This is what we're trying to do:
Scenario 1:
Create a Web Service (INTERFACE) that expose AD information
The Web Service could be REST or SOAP
The WS should read/Query/Write the AD
Any Application inside the network can consume the WS
Scenario 2 (What we currently plan to do):
Sharepoint Reads AD Information
Job should copy AD to DB
Applications can read this data
There should exist some replication between the DB and AD
Any suggestions will be more than welcome
I'm Using server 2008R2 ,Sharepoint foundations 2010
I'm assuming this is related to your previous question which mentioned Exchange.
My personal suggestion is to host a WCF service in IIS. You can set this service up to do whatever you want to suite your needs for the apps accessing it. You can probably do most of what you need to do through the System.DirectoryServices.AccountManagement namespace when it comes to User and Groups.
System.DirectoryServices will give you more granular control at the cost of more work. However, it is a little easier and reading and writing from/to custom attributes here.
If you're going to interact with Exchange 2010 you'll need to mess with Powershell. And you could use Powershell to do core AD work as well.
And of course if you're going to write your own web service you could make it REST.
Here is a link to MSDN with info about System.DirectoryServices and the various namespaces. I personally find AD to be a lot of fun to work with. There are many ways to do the same thing in it so I don't think there's one right answer for you. Go with what you're comfortable with or challenge yourself to do something new!
I am working on a web application which provide some services for its users who has accounts to log on to the web application. as you already probably know, it is possible to programmatically log in to web sites by providing username and password and sometime a catcha code. As I know it is possible to simulate the request programmatically. for example in c# we can make a request and fill all request headers such as User-Agent, Referer, .. and send it to the server in order to log in.
However, my question is how can I prevent users from logging in into web application via something other than browsers?
Thanks.
You can't. Timing, CAPTCHA and honeypot fields and using Javascript are common ways to prevent most robots, but someone dedicated to specifically targeting your site will find a way to simulate a genuine user.
All you can do it raise the barrier as high as you are able, and as high as is acceptable for your users. Security is always a trade-off against convenience.
There are ways you can raise the barrier, but each method's application varies across applications. For example, you could sniff the user agent and check it against a list and reject anything that isn't defined as a browser on your list. That kind of thing works for me in an internal situation where we have specific policies and controls over the browsers employees can use. For a web application however it would likely fail as the list would need to be managed, and people in the outside world probably know how to spoof their user agent anyway.
So it all depends. You need to consider the vectors around where your threats are coming from and guard against those threats as best you can rather than trying a blanket approach.
I am going to write up a webapp hosted on a windows 2003 server to allow me to connect to local and remote servers to do some basic things.
The webapp will be hosted on serverA. It will need to be able to copy files/folders from one folder to another on this server.
It will need to be able to connect to ServerB and copy files in the same way, e.g. copy \serverB\path\to\sourcefiles to \serverB\path\to\destinationfiles
ServerB hosts an installation of MSSQL 2008, I want to be able to create new database/login etc.
How do I go about this please? I've been reading a bit about Windows Authentication, Impersonation, Delegation but i don't know where to focus on.
thanks
S
To be honest there isn't really a one size fits all complete answer to your question, however there are a number of things that you need to take into consideration early in development to ensure that your platform is built on solid foundations.
From the description you have given the most critical consideration has to be security and everything you develop has to have this at its core. Judging by your post if the wrong person was to access your front end then they could wreak havoc.
As for the model to use, I would suggest Windows Authentication as this is built into the framework and gives you the ability to segregate into usergroups with differing levels of access. It will also open up some of the functionality you need, i.e. network copy of files etc
As for the database management aspect, this again can easily be done via Windows Authentication as you can grant (in SQL) windows users the ability to perform certain tasks, i.e. Create Database, Create Login, drop x, etc
All this said, it of course assumes that the two servers share user credentials, i.e. domain controller etc.
Another method, would be to use the web "interface" as a pass through onto a WCF service that operates under a specific user account that has the access you need. You would then seperately manage authentication/authorisation in a manner that you decide.
Like I said, no simple one size answer - but hopefully this will give you something to chew on.
If your goal is to create new databases or logins, why can't you use the create database and create login commands?
First time poster. Back to programming after being away for a few years, trying to clean off the rust. I'm creating a dashboard that will run initially on my laptop (Macbook Pro, 10.4.x O/S). Amongst other things I want it to retrieve latest information from my online accounts. I'm starting with html, but will probably migrate to something else (TBD, possibly ruby or c#). What would sample code look like for logging into account, going through specific account workflow, retrieve data/docs/other, and pull it back to be stored locally.
It is a little open-ended, apologies and thanks in advance.
Are you looking for something like Google Gears?
It depends on the kind of accounts you want to log onto.
For instance there is a Google has an specific API for that Google Accounts API, other services provide similar API's some other do not.
So it depends pretty much what are your "online accounts" all about and if they do provide a public API or not.
EDIT
As per your comment and for the products you've mentioned, I'll suggest your to start looking at browsers plugin development and to start understanding the HTTP protocol and all the related technologies around it ( HTTPS, encryption, authentication etc. )
The public API let you easily login into an account, but you don't really need one to do it ( although it make life much more simpler ) If you do not have a public API, you can still login into any account by "simply" doing what the browser does. Sending an HTTP(s) request with the appropriate security mechanism and following the protocol.
If you know how does the browser send the request and you have the user trusting your their passwords, the only remaining thing you have to do is ... :) code it.
As of now the question is too broad to be answered. Pick one service at a time and ask specific questions about it.
I would suggest you to start with the previously mentioned "Google Accounts" API and learn from there.
One open source product that already manages google account authentication is "Ubiquity" you can take a peak at their source code and start understanding how do they fetch the user contact list.
I'm trying to build a C# console application to automate grabbing certain files from our website, mostly to save myself clicks and - frankly - just to have done it. But I've hit a snag that for which I've been unable to find a working solution.
The website I'm trying to which I'm trying to connect uses ASP.Net forms authorization, and I cannot figure out how to authenticate myself with it. This application is a complete hack so I can hard code my username and password or any other needed auth info, and the solution itself doesn't need to be something that is viable enough to release to general users. In other words, if the only possible solution is a hack, I'm fine with that.
Basically, I'm trying to use HttpWebRequest to pull the site that has the list of files, iterating through that list and then downloading what I need. So the actual work on the site is fairly trivial once I can get the website to consider me authorized.
I have dealt with something similar, and the hardest part is figuring out exactly what you needed to "fake" to get authorized. In my case it was authorizing into some Lotus Notes webservice, but the details are unimportant, the method is the same.
Essentially, we need to record a regular user session. I would recommend Fiddler http://www.fiddler2.com but if you're on linux or something, then you'll need to use wireshark to figure some of the things out. Not sure if there is a firefox plugin that could be used.
Anyway, start up IE, then start up Fiddler. Complete the login process.
Stop what you're doing. Switch to the fiddler pane, and examine the recorded sessions in detail. It should give you exactly what you need to fake using WebRequests.
This page should get you started. You need to first make a request to the page, and then saving the cookie to a container that you include in all later request. That should keep you logged in, and able to retrieve the files.