I'd need to establish my XMPP connection on the server side of a .net C# web application and then pass the RID and the SID to the client to allow a BOSH connection to be established.
Problem is, I am finding it impossible to get the RID and the SID from any of the C# XMPP Libraries.
Can anyone tell me how to obtain these? Also.... do I need to establish a BOSH connection server-side or will a normal connection do?
Using Strophe and ejabberd does not require you to attach, you can use a normal connection if you wish so. Attaching has the following advantages:
It allows you to authenticate with the server and pass the RID, SID to strophe avoiding the js knowing the user password.
It allows you to reattach on a later request.
Attachment is described in detail in XEP-0206
It's a lengthy but straightforward process, but I have no idea whether your C# libray supports it. It uses standard HTTP so you should be able to write it yourself or use a library (punjab comes to mind). If you can follow python, here is how I am doing it in a project of mine.
I just blogged about this topic here:
http://www.ag-software.de/2012/01/31/bosh-prebind-in-matrix-and-attach-to-strophe/
MatriX supports what you are looking for.
Alex
Related
I am trying o figure out how CoAP server handles authentication. DTLS seems to be the only option. However I could not find any clear example of it for .NET. I have also seen a mention about cookie on server side but that is all, no more information.
https://github.com/chkr1011/CoAPnet seems to be a good library. They also have a client example but I sould not find server example of it. Projest seems to have CoAP server as well, however I could not find it in source code.
Can any client send requests to the server if url is known? Is DTLS the way to go? Is there any server/client example of DTLS in C#?
If a java server will also help, have a look at eclipse/californium. We run a sondbox at "californium.eclipse.org" and if you want to "connect" a client, you may just use the "openssl" PSK demo credentials "Client_identity" and "secretPSK".
Can any client send requests to the server if url is known?
That depends on the protocol variant. Without encryption (plain coap), yes. Some projects then use a "token" in the request, to authenticate the request (see ThingsBoard). With encryption (DTLS, coaps), you need valid credentials, e.g. PSK (as above), a x.509 certificate or a Raw Public Key certificate. There are also setups, where only the server authenticates itself using x.509, and the client then uses the already encrpyted communication to authenticate with an other mechanism (e.g. username/password, so very similar to the model, mostly used with https).
The most pain is usually to find implementations, which could be used in the intended/wanted way. Maybe some projects helps you, to adapt the implementation.
Is DTLS the way to go?
In my opinion, yes. The alternative with OSCORE (payload encryption) are currently in development, we will see, if that changes the game.
Is there any server/client example of DTLS in C#?
I don't know that. Maybe you ask that the project you already found. Or ask here CoAP-CSharp
I am building a program for myself that will save my passwords. Now I have the following questions. Because I have a lot of computers (one for work, three for myself), I want to keep the passwords in sync with a server. But now my question is what is the safest way to send data over the internet with c#? Is it possible to make the connection so safe that I can send passwords over it? And maybe any suggestions for the app.
Yes, you can make it reasonably secure. First, I would recommend against writing your own protocol stack, simply because it is so incredibly easy to make a simple mistake that would make it trivial to hack the security.
( Obviously there are plenty of already existing services (like 1password, passpack, etc) but I assume you know that already. )
I would recommend that you focus on the syncing and UI and leave the security to alredy proven libraries. One such solution is to use SSH with RSA authentication and known host keys. This is in use on many production sites and AFAIK considered reasonably secure (though there was one hole in one of the most popular implementations, OpenSSH, some years ago that was pretty bad). The SSH protocol can be used as a carrier for all kinds of different protocol, including your own password-syncing protocol (for that you could just use SOAP or JSON-RPC or something similar that there are plenty of libraries for).
You can then integrate directly with C# by using a SSH client library (https://sshnet.codeplex.com was the first Google hit). I have no experience using C# directly to talk SSH, though. What I usually do is to let an existing SSH client (PuTTY, for example) open up a port forward and then use regular TCP sockets. It all depends on how slick you want the sync app, but since you are writing it for yourself only, I would go with the latter.
If you are clever writing your app, you don't need a server part except of your own (for example, SSH implements SFTP for file storage).
A similar idea is to use SSL. If you pre-trust the certificate chain, this can be made secure enough but my experience is that the default SSL socket API in C# is way too much tied into the Windows architecture, making things like custom certificate validation trickier. Using a publicly exposed server to your service (directly of via IIS) also opens up a lot of new attack vectors.
I am creating a website where I need to have access to the clients files. I know that the client will have to accept some warning message and also run my progam.
I have reaserched on the internet and I know that I can acomplish this with Web Sockets. I have been able to establish a tcp connection localy from c# and google chrom html 5 websocket. the problem with websockets is that it did not work with other browsers.
Another solution that I was thinking was to use cookies to exchange messages. I havent tried that and I dont think that will be efficient.
Some websites when giving them privilades are able to use java. I have no idea how they exchange messages but maybe there is a similar way of doing it with c#
Look at SignalR -- https://github.com/SignalR/SignalR. Be careful though, web sockets (and any other "per user" type connection has server resource implications -- see http://robrich.org/archive/2012/04/05/The-real-time-web-in-ASP-NET-MVC.aspx
I'm new at Visual C# and the .NET framework but have a fair amount of experience in LAMP development. I was wondering about the security of linq to sql communication.
Usually when doing it the LAMP way, measures such as using a service layer were used partially to increase the security of the system not exposing the database authentication details over http.
Having gone through a few recommended (by microsoft) linq->sql tutorials, it seems as if the client-side application (through a web application) is interacting directly with the database. This doesn't seem very efficient or secure....
I would like to know the following hings:
1) What measures exist in .NET to allow for secure communication between client-side and server side apps?
2) Are there any preinstalled service-layer frameworks to work with in .NET?
3) Is it possible to manually use http request methods (POST/GET) in order to send data from a c# web application to a remote SQL Server database?
In an ASP.NET application all the C# code you write is executed on the server(server-side), and after it is executed the page is sent to the client(browser). Client-side code refers to javascript. Database details are not sent to the client.
You could refer to a LINQ system as a "client" in relation to the database, but that would be like referring to the PHP part of a LAMP application as the "client" in relation to the database - completely true but slightly misleading. In terms of the overall client - the browser - LINQ no more exposes authentication details than LAMP does.
Which "client" do you mean here. In terms of the browser the main mechanism is that the browser doesn't know what on earth you are doing. It won't even know it is LINQ unless you're the sort of person who likes putting "Powered by..." images on your webpage. In terms of the client to the database, there are several authentication models (user/pass, NTLM, Kerberos and I think some more) and you can use SSL and IPSec on the connection between the webserver and the database server.
You mean like MVC and WCF?
Yes, there has been since SQL2000, see http://msdn.microsoft.com/en-us/library/aa226553%28v=sql.80%29.aspx though I don't think it's very popular. This has nothing to do with LINQ which would connect to SQL through 1433 using its native protocol, and perhaps be used to build a website that allowed restricted operations rather than manual manipulation of server over HTTP.
I have a server client application.
The clients sends the server http posts with info every second or so.
The server is implemented using C#, there server doesn't need to respond in any way to the client.
Whats the easiest and most practical way to get this done? Is there some kind of library that is easy to use that I can import into my project.
Why not just use a regular old web service? It sounds like you have simple functionality that doesn't need to maintain a connection state. With a web service, you can simply expose the methods to your client, accessible via HTTP/S. If you're already using .NET for your client, you can simply add a web reference to your project and have .NET do the heavy lifting for you. There wouldn't be any need to reinvent the wheel.
You can use http.sys to create your own http listener without IIS or additional overhead. Aaron Skonnard has a good article here.
Because of certain limitations of uhttpsharp (specifically no support for POST forms and file uploads and it using threads to process requests), I've made NHttp available at github which supports full request parsing like ASP.net and processes requests using the asynchronous TCP model.