Is this possible?

I'd like to expose a URL (action) such as http://mysever/myapp/UpdateHeartbeat/.

In my MVC application it looks like

[Authorize]
[AcceptsVerbs(HttpVerbs.Post)]
public ActionResult UpdateHeartbeat()
{
    // update date in DB to DateTime.Now
}

Now, in my MVC application the user has logged in via FORMS authentication and they can execute that action to their heart's content.

What I want to do is hit that URL from a Console application and be able to authenticate (as part of an API that I would like to build) -- is there a way I can do that without removing the [Authorize] attribute and adding username/password as parameters to the POST?

A: 

The Authorize filter actually gets the IPrincipal for the user from the current context so this would not be possible. You will want an alternate form of auth for that method.

A quick google search provides a link to the following blog post that may be of use:

http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx

Bradley Mountford
So, would I then use Basic HTTP Authentication (over https/ssl obviously) and check those credentials in the overridden `AuthorizeCore();` method?
Nate Bross
Sure. You are writing the logic in the override so you can do whatever you want to make it return true or false.
Bradley Mountford
I know, I guess my question is, are there any implications to doing that, which I might not be aware? Is it secure? assuming the URI is HTTPs and ssl encrypted, are the credentials then also encrypted?
Nate Bross
As long as you are sending the credentials within the SSL payload, then you are secure (at least as secure as SSL can be considering its known vulnerabilities i.e. MITM etc.). Don't put your credentials in a query string, obviously (I've actually seen that done).
Bradley Mountford
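Added example (not code from the answer or the comments above): one way to do what the comment thread describes, a subclass of AuthorizeAttribute that still accepts an existing forms-auth session but also accepts an HTTP Basic Authorization header, and only looks at that header when the request came in over HTTPS. The class name, the realm string, the CredentialsAreValid stub and the user name/password in it are assumptions for illustration; HandleUnauthorizedRequest is assumed to be available (it exists from ASP.NET MVC 2 onward).

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute for this thread: [BasicOrFormsAuthorize] on the
// action lets browser users through on their forms-auth cookie and API
// clients through on "Authorization: Basic base64(user:password)".
public class BasicOrFormsAuthorizeAttribute : AuthorizeAttribute
{
    // Placeholder only. Replace with a lookup against your own user store
    // (hashed passwords, constant-time comparison).
    private static bool CredentialsAreValid(string user, string password)
    {
        return user == "apiuser" && password == "s3cret"; // assumed test account
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // 1. A user already logged in through forms auth passes exactly as before.
        if (base.AuthorizeCore(httpContext))
            return true;

        // 2. Never read a clear-text password off a plain HTTP connection.
        if (!httpContext.Request.IsSecureConnection)
            return false;

        string header = httpContext.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string user, password;
        if (!TryParseBasic(header.Substring(6).Trim(), out user, out password))
            return false;

        if (!CredentialsAreValid(user, password))
            return false;

        // 3. Hand the rest of the pipeline a principal, as forms auth would have.
        httpContext.User = new GenericPrincipal(
            new GenericIdentity(user, "Basic"), new string[0]);
        return true;
    }

    // Decodes "base64(user:password)"; false on anything malformed.
    private static bool TryParseBasic(string encoded, out string user, out string password)
    {
        user = password = null;
        byte[] raw;
        try { raw = Convert.FromBase64String(encoded); }
        catch (FormatException) { return false; }

        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');
        if (colon <= 0) return false;

        user = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }

    // Instead of the default redirect to the login page, answer with a 401
    // and a challenge so a non-browser client knows what to send.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader(
            "WWW-Authenticate", "Basic realm=\"myapp\"");
        filterContext.Result = new HttpUnauthorizedResult();
    }
}
```

Two things to check when wiring this in. First, with forms authentication enabled, ASP.NET's FormsAuthenticationModule rewrites a 401 into a 302 to the login URL at the end of the request, so an API client that fails authentication may see a redirect rather than the 401 above; the client should not follow redirects blindly. Second, if you use the Roles property on the attribute, the principal built here carries no roles, so add them from your user store when you create it.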
A: 
Luke
This isn't for testing, this is for building an API which will be accessed by non .NET clients, but it still needs to be secure.
Nate Bross
I understand that. The same principles apply, however, in that you are asking to call a controller action that requires forms authentication. This code mocks the forms authentication. You still have the ability to authenticate the users via your API in any way you choose, prior to passing in the "authenticated" user.
Luke
Sorry, I missed the portion you had mentioned about adding the username/password as part of the post. If that is the case, I would personally create a separate action that takes username/password as parameters, does the authentication, then redirects to the UpdateHeartbeat() action.
Luke
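Added example for the console-application side that the question asks about (not code from the original post or answers): a client that POSTs to the heartbeat URL over HTTPS and sends the Basic header pre-emptively rather than relying on a 401 challenge, because, as noted above, forms authentication may turn that challenge into a redirect to the login page. The host name, the account name/password and the use of Basic auth on the server are assumptions carried over from the discussion.

```csharp
using System;
using System.Net;
using System.Text;

// Hypothetical console client for this thread.
class HeartbeatClient
{
    static void Main()
    {
        // Assumed URL. Leave certificate validation at its default (strict);
        // Basic auth is only as safe as the TLS connection it travels over.
        var url = "https://myserver/myapp/UpdateHeartbeat/";
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "POST";
        request.ContentLength = 0;

        // Send credentials up front. NetworkCredential would only answer a
        // 401 challenge, which forms auth can replace with a 302.
        string token = Convert.ToBase64String(Encoding.UTF8.GetBytes("apiuser:s3cret"));
        request.Headers["Authorization"] = "Basic " + token;

        // Do not follow a redirect: landing on the login page with a 200 is
        // a failure, not a successful heartbeat.
        request.AllowAutoRedirect = false;

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                if (response.StatusCode == HttpStatusCode.OK)
                    Console.WriteLine("Heartbeat accepted");
                else
                    Console.WriteLine("Rejected: HTTP " + (int)response.StatusCode);
            }
        }
        catch (WebException ex)
        {
            // 401 (and other 4xx/5xx) surface here as exceptions.
            var failed = ex.Response as HttpWebResponse;
            if (failed != null)
                Console.WriteLine("Rejected: HTTP " + (int)failed.StatusCode);
            else
                throw;
        }
    }
}
```

Keep the credentials out of the URL and out of the command line of the client; read them from a protected configuration file or prompt for them, so they do not end up in shell history or process listings.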