WCF deny unauthenticated users on certain endpoints - c#

I have a WCF service project where I've implemented custom basic authentication by following the guidelines here, and all is working great! However, I can't find if there is a way to deny unauthenticated users access to only specific endpoints.
In my project, I have about 5 endpoints and only want users to be authenticated against a couple of them. The others, I want to allow anonymous access to.
My web.config (snippet) is as such:
<system.web>
<customErrors mode="Off"/>
<authentication mode="None"/>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</assemblies>
</compilation>
<httpModules>
<add name="CustomBasicAuthentication" type="WebServices.Auth.CustomBasicAuthenticationModule, WebServices"/>
</httpModules>
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="defaultProvider">
<providers>
<add name="defaultProvider" type="WebServices.Auth.WSMembershipProvider, WebServices"/>
</providers>
</membership>
</system.web>
The endpoints are fairly plain as such:
<service name="WebServices.Distance" behaviorConfiguration="defaultBehavior">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="defaultBinding" contract="WebServices.IDistance" behaviorConfiguration="rest" />
</service>
.... more endpoints below here ....
So instead of hitting all endpoints, can I say to deny unauthenticated users for endpoint #1 (or by name, or whatever).
I hope this makes some sense. If not, feel free to snark. :)

Okay, easy solution.
Remove the section and put the following immediately below the section.
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Then just create a folder called "Secure" and put the desired services, along with their interfaces, into that folder.
Perhaps I should have done a little more investigating before posting my question here.

Related

HTTP Error 401.0 - Unauthorized error message

I have developed a simple ASP.Net MVC 4 application using Windows Authentication to run on our company's local network. It works fine when deployed on IIS. But if I run the application through Visual studio, I get error message
Here is how my Web.Config file looks like
<system.web>
<authentication mode="Windows" />
<roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime maxUrlLength="32767" maxQueryStringLength="32767" targetFramework="4.5" />
</system.web>
<system.webServer>
<modules>
<!--<remove name="FormsAuthenticationModule" />-->
</modules>
<security>
<requestFiltering>
<requestLimits maxUrl="32767" maxQueryString="32767" />
</requestFiltering>
</security>
For debugging, Application is configured to run using "Local IIS Web Server" with "Use IIS Express" option checked in Applications's Properties ->Web tab.
It turns out to be that I had to Enable Windows Authentication, Disable Anonymous Authentication in the Development Server Properties of my Project.
You need to add to project Web.config this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="1" />
</authentication>
</system.web>
Where /Account/Login is your login method from controller.
Make sure your Directory Browsing is enabled.
See this link for adding user in IIS.

Images, css not loading after session timeout on login screen page load.

I am adding a check for session timeout and added this code to the web.config file.
<deny users = "?">
and it works and redirects users to the login page when the session expires. When I build the project from Visual Studio the first time, its missing the images and css files. Here is the warning I am seeing in the console.
CSS was ignored due to mime type mismatch
When I remove the deny users code it works as expected. I am not sure why this would cause any issues. Does it have something to do with users not being able to access the content since its denied? What would be the best way to handle this issue?
I have tried adding Sessionstate
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="1" defaultUrl="~/" />
</authentication>
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="1">
<providers>
<add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
</providers>
</sessionState>
and
<modules runAllManagedModulesForAllRequests="true" >
<remove name="UrlRoutingModule"/>
</modules>
to the config file and it does not fix the issue. I also verified that the static content is hosted in IIS. Any help will be appreciated. thank you.
I suspect the reason it is giving you a mime type mismatch is because when you request the css file or images the server is responding with your login screen because they are not authenticated. Something like this:
Browser requests CSS File -> Not Authenticated -> Cancel Request -> Respond with login screen
To fix this you need to allow unauthenticated access to your static resources.
Deny access to unauthenticated users
<authorization>
<deny users="?"/>
</authorization>
Allow access to css/images for unauthenticated users
<location path="App_Themes/Default/DefaultStyleSheet.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
The location path attribute can either be the path to a single file or add to the folder where they are all stored. Alternatively, you can add a web.config file to the folder that contains your css/images.
Here is what I tried and it seems to work on Chrome but not IE. Will need to do more testing but here is my latest changes
<location path="~/Account/Login">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
and added to the authorization for session timeout check.

Forms Authentication not Applying to static files

I have successfully set up a test area on my website which is authenticated using forms auth on iis 8. I am using this in integrated mode with asp.net which as I understand should mean that with the correct web.config file I am able to make the server use the asp.net auth on everything not just URLs. If I try and navigate to a page that I haven't entered the credentials for it returns an error 403, which is what I expect. However if I put in the path of a file stored on the site exactly, it downloads the file without the need for credentials to be provided. Here is my current top level web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="false">
</compilation>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="default.aspx" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="staff/test/test">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="RoleManager" />
<add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
The area /staff/test/test has a word document in it. If I type www.website.com/staff/test/test/test.doc into my browser is downloads the file.
What should I change to secure that file?
Thanks for your replies. In the end it turned out to be the security permissions on the root of the website. The code I originally pasted on here worked fine I had the server\users group having read permissions where as I only needed iis_iusers having read permissions.
Thanks again

Authentication from session into members folder

I have set up member folders in c# asp.net webforms before to only allow certain users and to redirect if the user is not authenticated. I am wondering is this possible / how would I implement the authentication based on weather a Session variable is present(filled with a value) or not authenticate if the Session is null.
I was hoping that something like this would be possible similar to how you can set permissions in we.config for entire folder.
It can be done with help of standart asp.net features. I will try to advice one possible solution for it. First you need to setup "web form authentication" ASP.NET Authentication, you should modify your web.config.
<system.web>
<authentication mode="Forms">
<forms name="Custom" loginUrl="/login.aspx" />
</authentication>
</system.web>
Then you need to specify members locations in the web.config also ASP.NET Authorization.
<location path="folders/memberN">
<system.web>
<authorization>
<allow roles="memberN"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
This will allow all users in group "memberN" to work under "folders/memberN" path.
Next we need to add membership and role providers to your web.config. Membership and role providerse configured based on sql server provider.
<configuration>
<connectionStrings>
<add name="SqlServices"
connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial
Catalog=aspnetdb;" />
</connectionStrings>
<system.web>
<roleManager defaultProvider="SqlProvider"
enabled="true"
cacheRolesInCookie="true"
cookieName=".ASPROLES"
cookieTimeout="30"
cookiePath="/">
<providers>
<add
name="SqlProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlServices"
applicationName="SampleApplication" />
</providers>
</roleManager>
<membership
defaultProvider="SqlProvider"
userIsOnlineTimeWindow="20">
<providers>
<remove name="AspNetSqlProvider" />
<add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlServices"
applicationName="/" />
</providers>
</membership>
</system.web>
</configuration>
Finnaly we need to create special tabels in the database (more details).
%WINDOWS%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -S <server> -E -d <database> -A all

C# REST webservice authentication problem

In my previous question here i was experiencing difficulties with Authenticating webservices. With the use of the WcfRestContrib library which i found here i was able to solve this issue. I build a small testapplication and the authentication works like a charm.
But while i'm implementing this in the webapplication where i want to use the webservice authentication part, i keep getting the problem that the used Forms Authentication in the webapplication keeps redirecting me to the login page.
I've got the following configuration part in the web.config of my webapplication. This is the application where i'm trying to call the service by it's url;
http://website.localhost/Services/Info.svc/account
The web.config for the website.localhost contains the following parts;
<location path="Services">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="webAuthentication" type="WcfRestContrib.ServiceModel.Configuration.WebAuthentication.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
<add name="errorHandler" type="WcfRestContrib.ServiceModel.Configuration.ErrorHandler.BehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
<add name="webErrorHandler" type="WcfRestContrib.ServiceModel.Configuration.WebErrorHandler.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
</behaviorExtensions>
</extensions>
<behaviors>
<serviceBehaviors>
<behavior name="Rest">
<webAuthentication requireSecureTransport="false" authenticationHandlerType="WcfRestContrib.ServiceModel.Dispatcher.WebBasicAuthenticationHandler, WcfRestContrib" usernamePasswordValidatorType="CMS.Backend.Services.SecurityValidator, CMS.Backend" source="CMS.Backend"/>
<errorHandler errorHandlerType="WcfRestContrib.ServiceModel.Web.WebErrorHandler, WcfRestContrib"/>
<webErrorHandler returnRawException="true" logHandlerType="CMS.Backend.Services.LogHandler, CMS.Backend" unhandledErrorMessage="An error has occured processing your request. Please contact technical support for further assistance."/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>
I'm excluding the Services directory from authentication by giving all anonymous users acces, this is the part causing problems i think.
My service (Info) contains the following attributes
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceConfiguration("Rest", true)]
public class Info : IInfo
{
//Some foo hapens
}
The web.config of the service contains this;
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
Whenever i try the above supplied url to make a call to the service i'm being redirected to the login page of the website on http://website.localhost/Logon. How can i prevent this from happening? As far as i know the web.config should be correct.
--THE FINAL SOLUTION--
I modified the web.config to look like this;
<sytem.web>
//site config
</system.web>
<location inheritInChildApplications="false">
<system.web>
<authentication mode="Forms">
<forms name="AllPages" loginUrl="~/Logon/" timeout="360" enableCrossAppRedirects="false" />
</authentication>
</system.web>
</location>
I Also removed this rule from the web.config which i added in an earlier state. Apperently it conflicted with the added location tag and the web.config in the service itsself
<location path="Services" >
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You should prevent inheritance of the settings that are specified in the associated configuration section and inherited by applications that reside in a subdirectory of the relevant application.
Try to put your site "system.web" section into "location" section:
<location inheritInChildApplications="false">
<system.web>
<!-- your site system web settings -->
</system.web>
</location>
Hope it helpful.

Categories

Resources