I have a webservice that a developer can use to create a user account, apart of the create user account form, it requires an input of the user's "Postal Address"
The Postal address has "Country State Id"
Normally, I would provide a list for everything else, but when it comes to country state list it contains thousands and thousands of states/regions and its too much to list in a API specification document.
So my question is,
1) do you create a web service for the developer to retrieve the country state id?
or
2) provide the developer with a database file, with the list of country state id?
I'm thinking #2 would be best.
You might just be able to delegate this to a third-party webservice from your own. There is info on that option here. This one looks like you can get the required data for free, as a DB or webservice: http://www.geonames.org/export/
There are paid options as well as free, YMMV I am sure.
Related
We have a web application : C# + SQL 2k5
Different companies send us information, we parse, them, do different things, and come up with a simple list for each of our customers. The list will look the same, but will have different information based on the customer.
They should not have access to each other's data.
We would like to create a page which would be embedded on their own site. I was thinking about using something like an iFrame.
Basically customer ABC would embed on his own abc.com an iframe with a URL (we will give them the parameters needed) and his clients will see our data on his site.
The other customer, lets call him xyz, has an other website xyz.com, will do the same thing, but in the url I should make a difference between them.
I would like to know how is the best, safest way to proceed.
How should I start to build up this page that is going to be embedded.
How should I make a difference between the 2 customers? The only way to get info from them is the parameters they send me, and eventually, I could get the 'parent' of my embedded iFrame, so that might help me restrict xyz to embed using url parameter info to get data from abc. See my dilemma?
Probably a unique identifier for each customer (like a GUID?) will be needed, and they woul dnot know each other's ID ... Or is there a more secure way to do things like this?
Any help would be appreciated.
Thanks
Embed a publically visible unique id in the URL and process this to extract the client id. e.g.
<IFRAME src="http://example.com/1122334455667788aabbcc">
You could check the Request.UrlReferrer to ensure that the request see this answer
However the only safe way of doing this is to provide an authenticated API that the site uses server side to process via a services API (e.g. WCF), or at the very least an authenticated HttpWebRequest; any other way leaves your data only as secure as a publically visible unique id.
Take a look at how one of the credit card processing portals do this (eg WorldPay or Paypal). There are several ways.
At the very least you need provide each customer with a unique ID that they send you.
ASP.NET MVC3 newb here.
I am working on a MVC3 intranet application that uses windows authentication. Windows auth is setup and ready to go no problem.
What I need to happen is to capture the username (Domain\first.last) whenever a user accesses the app for the first time and then store that information into a database and associate that name to a another unique identifier (numeric and auto-incremented).
I already found a way to get the username:
string user = WindowsIdentity.GetCurrent().Name;
What I am having an issue with is taking that variable and storing it in my database.
Any suggestions, hints, tips or nudges towards helpful resources are greatly appreciated.
Apologies if this scenario was posted elsewhere, if it was then I was unable to locate it.
Cheers Guys!
Be careful - user names and display names can change. I would avoid storing them in the database.
Instead, look at storing the SID (id of the user). The User property of the WindowsIdentity returns the SID. You can store and update the user name for display purposes but don't rely on it for typing the authenticating user back to the previous user in your DB.
See this SO post as well:
How can I get the SID of the current Windows account?
Persist the SID (along with username for display only) and look up via SID.
I think what you are looking for here is really 'how to store some info in a database'
What database system?
Check out
http://www.datasprings.com/resources/articles-information/a-quick-guide-to-using-entity-framework
You can easily use the entity framework to store that value in the database which is what I think your question was really about. I do agree with Bryanmac though, you should be storing the SID not the login name in case the name changes. If you know it will NEVER change then you could store the name, but since they can technically change in Windows, I'd be aware of this.
If you have a specific question then on how to store that field using the Entity Framework, please post that.
When you create your MVC3 application, there is an option for "Intranet Application" that has all of the Windows Authentication stuff working already, you might want to check that out and pull over pieces of the code for your current project (or migrate what you have depending on how far you are).
It has some special code placed into Web.Config as well as the extra files it creates.
Read more here:
http://weblogs.asp.net/gunnarpeipman/archive/2011/04/14/asp-net-mvc-3-intranet-application-template.aspx
and here:
http://msdn.microsoft.com/en-us/library/gg703322%28VS.98%29.aspx
Also you'll want to use User.Identity.Name to reference the person viewing the website.
I'm designing restful service and one of the entities to maintain - user accounts. I'm doing it in .NET and using membership provider.
Here is what I have:
/users/ GET - returns list of users
/users/ POST - can create or update
multiple users (post array of User
objects)
This POST won't matter if you updating or creating user
Problem I have: How do I create service to change password? Changing password is separate from updating users procedure. I'm thinking something like:
/users/{userName}/password POST - to
change user password.
But then I have to pass different object here? (I use JSON)
Do you have any suggestion on how to layout URL? And should I really create another object? MembershipProvider requires old and new password to change
Well the question has to be whether we see the password as a resource in its own right, or not.
In my user dbs, I store all my passwords (salted and stretched) in their own table, so I can easily present the password as a separate resource. But just because you don't have that fine grained control doesn't mean you can't do the same - but I wouldn't consider implementing a GET for the password, ultimately you need an authentication service for that, which should follow some kind of protocol.
A rest service is free to represent its data however it wishes, with no real regard for the underlying structure so, given that, I think you're free to do it as a separate resource if it makes sense in your case.
You could include in your user data a uri to be used for changing the password. The client would have to know the type of data to send (so yes you will need a dedicated resource type to handle the change request), and that the uri should be triggered with a POST request.
If I understand your question, you'd like suggestions on how related to the Uri layout itself. The suggestions below is related specifically to designing a Uri that someone can use to change a password.
Never include any sensitive information in the clear in URIs, even if it comes over HTTPS, as that information may be written to log files on the server, or worse, recorded by analytics or monitoring software. Make sure sensitive information is sent as part of the body or part of the header.
Here are a couple of considerations why changing a password with a RESTfull service may require its own Uri:
Prevent accidental changes to a password when updating a user details.
Whenever this method changes, you may need additional security reviews as any defects therein that allows a anonymous user to change the password of an existing user will allow that anonymous user to hijack the account.
You may also want to include other additional security features like notifying a user that their password has changed and invalidate any OAuth tokens issues to applications. The membership provider is great, but doesn't provide this additional measures.
Since it is a different Uri you can monitor its usage and correlate it to IP Addresses allowing you to detect whether someone is trying to compromise a user account.
You can just PUT a data contract to https://example.com/users/{id}/password:
[DataContract]
public class ChangePassword
{
[DataMember]
public string OldPassword { get; set; }
[DataMember]
public string NewPassword { get; set; }
}
The latter assumes you'll authorize whether the client can actually perform this action. You may want to look at PUT vs POST in REST whether to use PUT or POST. In addition, the book RESTful Web Services and REST API Design Rulebook has been invaluable to me when designing RESTfull services, including Uri layout.
I have a website and i need to deploy it in a single country for example Lebanon. In other words, any request that comes to the website from any other country should not be responded to.
I think I may use the IP address of the request and know from which country it was generated.
How can I do this in C#.
I think I may use the IP address of the request and know from which country it was generated
No, you dont. Illusion.
you can not know which country a request comes frmo, only where the IP address is registere, pretty much. More information is avaialble parsing the reverse dns SOMETIMES if you are smart at this.
This ignores little issuesl ike large international providers that may use a central pool of addresses, like VPN providers etc. Or satellite phone providers (which may be used out of a country but not be resident there).
At the end this will be of RELATIVELY limtied use, depending what your exact busienss case is it may be totally useless.
How can I do this in C#.
Programming.
Get a GeoIP database (look up the term in google, a provider will show up, otherwise try it in combination with "maxmind"). THen query the IP against the database. Decide how to handle "maybe" scenarios like international businesses. Example... IBM has address space. They use it for all their oprations. How you want to deal with this?
One thing you can do to encourage local indexing and participation is deploy your website with a Lebanon country code suffix.
www.example.co.lb
Here's a list of country suffix domains.
I would like to identify if an email address comes from a public provider or is from an established business. I consider public email addresses to be things such as:
Open email service providers, such as
gmail, hotmail and yahoo.
Anonymization services, such as mailinator or dispostable.
I'm aware that there is no foolproof way to do this, and obviously any list based solution would require constant updates.
Is there a public listing or .NET library that can do this for me?
Are there really that many free webmail providers out there? I would go with a 'blacklisting' style solution.
For example, flag everything in this wikipedia list as free (heck I would think covering gmail/hotmail/yahoo/aol would cover a huge % of users anyway). Then if you get more than 2 (or higher number if your site has high throughput) registrations from the same email domain, it notifies the admin to check the domain to see if it needs to be added to the 'blacklist'.
I would imagine there are much more reliable ways to detect business customers though. For example in Australia you could just ask for an ABN and then check that it's valid. Are you willing to punish small business who don't have email providing and just use a generic #gmail account?
Here is a link to SpamAssasin's freemail list: http://svn.apache.org/repos/asf/spamassassin/trunk/rules/20_freemail_domains.cf.
I suppose, checking against this list is a good start.
You might want to talk to the Better-Business-Bureau ( http://www.bbb.org ) and see if they provide some kind of a feed or API. I had a quick look at their site and couldn't see anything obvious, but it would be this kind of organisation I would head to first if I wanted to find out domain names belonging to established businesses. They do have a form on their site to search by email address ( http://www.bbb.org/us/Find-Business-Reviews/ )
Consider using HubSpot blocked domains list. It is not a guarantee that it is 100% accurate or complete.
They also provide a CSV file that you can download and parse programmatically. Link to CSV file is in the linked page.
I am guessing the ultimate goal is to clean your database from unwanted contacts that will increase the monthly bill. What you can do is the following:
Create a webhook that is triggered whenever a new contact is added.
In that webhook (which can be written in any language), check if the contact is in a blacklist (which is gmail/etc...).
Remove the contact if it is in a blacklist using an API call (you will need to first get the contact ID, which can be easily retrieved using API).