When a user logs in, I give them a cookie named auth with a value that is a GUID, which expires in 2 weeks. I save the hashed GUID in the database with a salt of their userID and the date when it expires. When a user accesses the site, I check for the cookie and log them in if it matches and hasn't expired in the database.
At some poin...
I've been tasked with building a basic admin app.
The app needs an ASP.NET front end which talks to a number of back end services using WCF.
One requirement is that the users of the app are authenticated using Windows authentication. I can do this no problem if the app logic were contained in the ASP.NET app, but I have no idea how to p...
I'm designing a RESTful Web app that will provide an authentication system for several other apps. The other apps will query this app through HTTP and get back XML describing authenticated users.
The authentication app needs to keep track of which users are allowed to do what on which applications.
I'm working out the DB schema. Below ...
My company is in need of a federated identity solution, and being a Microsoft shop, we're looking to use MS technologies to accomplish this goal.
We don't have Server 2008 or .NET 3.5 in production, so we're limited to a .NET 2.0/Server 2003-based solution.
This means (in terms of a federated identity solution), Active Directory Federa...
How can I cause a redirect in ASP (pre .NET) to carry the Basic Authorization header as the ASP request? We tried using the following code.
response.setHeader( "Authorization", "Basic " + strAuth );
response.sendRedirect( src );
response.flushBuffer();
The header is set on the response of the .asp, but not passed on to the request t...
Hi all
I am prototyping an AJAX-based web application running up against ASP.NET, where I need to have general authorization to different parts of the site, and also have to make sure that various web methods/web services can't be called by unauthorized users (from a rogue HTML page, for example).
Is there anything I need to be aware of,...
Hi all,
I have the following situation: my application's authorization mechanism is implemented using Spring security. The central class implements AccessDecisionManager and uses voters (each of which implements AccessDecisionVoter) to decide whether to grant access to some method or not. The algorithm that tallies the votes is custom:
...
Does anyone know of any good screencasts or documentation covering the integration of Active Directory Federation Services (ADFS) with Authorization Manager (AzMan)?
...
What is the best method for user authorisation/authentication in ASP.NET MVC?
I see there are really two approaches:
Use the built-in ASP.NET authorisation system.
Use a custom system with my own User, Permission, UserGroup tables etc.
I'd prefer the second option, because User is part of my domain model (and I have zero experience...
Hi all
I have a web service running in IIS 6.0 on Windows 2003. Its authentication mode is Integrated Windows security (anonymous disabled), and authorization is done with Authorization Manager and an XML authorization store. My test user is a domain user (admin, actually) with membership in an authorized role.
I am testing this (for ...
I have a WCF service that is using a custom ServiceAuthorizationManager. The custom auth manager is already set up to handle Windows and Forms authentication.
However, if I connect with a client that is set to UserName auth, I can't seem to find the username anywhere.
The client code looks like this:
this.ClientCredentials.UserName.Us...
How can I authorise a client (in this case a client is an application) to use a web service within .NET?
For example:
I want a 3rd party application to call a method but not allow other applications within the network to call this method.
I want to avoid transport layer authorisation and use message based authorisation.
...
I have an ASP.Net Web Forms application in which I'm using forms-based authentication with Membership and Role providers, which is fine for authenticating and controlling access to directories and/or files. Now I find myself needing to control read, write and delete access on individual entity instances, for example being able to update ...
I am building a web based application written in ASP.NET and Flex. One of my biggest challenges is implementing security for the application in a flexible and maintainable way. This challenge is compounded when different technologies are involved. I'll try to describe what I have below.
The website is laid out as follows:
/mydomain....
Whenever I restrict anonymous access in my MVC site I get a 404 error:
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the followin...
User login functionality is very common to many applications. I would like to see how people implement this functionality in an object-oriented way.
I have a User and I need to validate the userId and password against a system (this could be LDAP, database, etc.). So what kind of classes and operations would you create to achieve this funct...
This might seem like a basic question and back to Http protocol 101. But I am having difficulty in understanding how Basic Authentication works. I am implementing a windows service and need it to be secure. I would like to obtain the user name and password and authenticate the user to a custom user store. I also want to minimize the n...
Hello, got some problem with setting up the Authorization.
First I got:
<authorization>
<deny users="?" />
</authorization>
So I deny all unknown users and then allow them to view those pages:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</locat...
Whenever a web request is made by Visual Studio to TFS, Fiddler will show a 401 Unauthorized error. Visual Studio will then try again with a proper Authorization Negotiate header in place with which TFS will respond with the proper data and a 200 status code.
How can I get the correct headers to be sent the first time to stop the 401?
...
Scenario
I'm using a Custom IPrincipal and IIdentity to do asp.net authorization. I set the Principal and Identity during the PostAuthenticateRequest event using an IHttpModule.
The web.config looks approximately like the following:
<system.web>
<authorization>
<allow verbs="GET,POST" roles="domain\group"/>
<deny verbs="*" ...