I am beginning a project that will have three layers to it: a web front-end, a mobile front-end and WCF back-end. Authentication needs to be done via Active Directory, but both web front-ends will be using forms authentication to grant/reject access to certain areas, and all user control will be handled via groups inside AD. This specifically applies in the WCF side where I would like to be able to utilize the built-in Permission.Demand() functionality.
I have two questions with this. First, does anyone know of any best practice examples for doing this? Specifically in regards to passing the credentials (without the password) to the WCF service so it knows the context under which it is being accessed. Secondly, the future includes creating an Android app (and probably iPhone/Windows Phone versions as well) so I need to make sure the method used will work cross-platform with those.
set the PrincipalPermissionMode to Custom, write a custom Authorization Policy (http://msdn.microsoft.com/en-us/library/ms729794.aspx) and in the implementation of the Evaluate method do the following:
evaluationContext.Properties["Principal"]=HttpContext.Current.User;
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/8f424d4f-2f47-4f85-a6b0-00f7e58871f1/
Related
I already have an ASP MVC web application with authentication and authorization.
and now I am working on an android application which will perform almost the same thing as my web application does.
I can use my ASP MVC web application to return json data to my android application, but as I've searched a lot and I was suggested to use Web API for android application.
my question is does it worth to make a dedicated web API with Authentication and Authorization (coz ASP MVC's Authorization is different from Web API's).
Please advice me, would it be any problem if I kept using my ASP MVC web application as json API for android application ?.
you can use an MVC application, you can have some controllers which return JSON data only and call those from anywhere. You still need to authenticate the access to them when you call them from another app though.
Your other option would be to rework your architecture a little. Create a proper WebApi, sort out the authentication to it.
Once you do that, you can call it from both your MVC and any other app that you have, the same way. This way you keep things consistent and your data comes from one place.
If you call your MVC controllers from another app you are basically putting the pressure on the MVC app which now needs to serve an external app as well. Too many calls will then affect the performance of your MVC app.
It's much easier to scale an API properly instead.
I prefer to add JWT security to my APIs. Then your MVC app becomes a client, the mobile app another client, if you need to add some user information, you can, you can also add extra claims to your tokens if and when needed.
Have a look here :
https://jwt.io/introduction/
https://devblogs.microsoft.com/aspnet/jwt-validation-and-authorization-in-asp-net-core/
I used IdentityServer 3 7 4 with good results in the past: https://github.com/IdentityServer/IdentityServer4
I'm developing a standard Azure .NET cloud service with a sql backend. The sql db holds various bits of information including username and password details. I've a .NET app that communicates with Azure using message encryption over WCF using a custom username/password validator. Also I've got two mobile apps written for Android and iOS which currently use some web services I've defined in an small .asmx file (legacy code to enable the mobile apps to easily call the API). I was wanting to add authentication into the mobile apps, but am slowly sinking under the weight of information :)
I had thought Azure mobile services were the way to go (meaning I would have to rewrite the .asmx file using custom API presumably) but this only seems to offer authentication against identity providers like Google, Facebook etc. Ideally I'd want to use our sql backend as an identity provider, but have read various articles saying this is very tricky to do. In fact one article suggested using a commercial solution called Auth0.
I'm not averse to commercial solutions, but really just wondered what the simplest approach to this should be. Azure mobile services or something else?
Any help steering me in the right direction would be great.
You can do "custom" authentication using your own database as the identity provider if you want to but as noted it does require a bit of work (at least more than just turning on Facebook / Twitter / etc). I have two articles that explain how to set up custom auth using Mobile Services here:
http://chrisrisner.com/Authentication-with-Windows-Azure-Mobile-Services
http://chrisrisner.com/Custom-Authentication-with-Azure-Mobile-Services-and-PikShare
The second link provides information on simplifying the scripts involved as well as using the custom API functionality of Mobile Services to handle registration / logging in. For the most part these scripts can be dropped into your mobile service. However, since you have an existing database you'll want to connect your Mobile Service to, you may run into issues making sure the table structures match up with what Mobile Services expect. You may need to massage your schema / create a table specifically for your Mobile Service with the necessary user information if adding the existing table doesn't work right away.
So I am planning on building a web service that an Android app will connect to. I am trying to come up with a way to secure this web service so it will only be used via the App.
I was thinking just passing a secret key along with each call I make. But this can easily be compromised with an http sniffer. Then the web service can be used with anyone at that point.
Are there any other ways to make this work?
Thank you!
I don't know that you can FORCE Android only. Whatever method you use can be worked around if they know what it is.
Depending on how the app is written, it should be simple enough to check the User-Agent of the request. Apps that use the HttpUrlConnection (as recommended by the Android docs) should have a user-agent string that says Android in it.
I'm working a mobile application for Android and iOS (native in both cases) that will be using Database.com behind the scenes as the database. I need this intergration to be tansparent to the user. The users of the app will not be logging into or authenticating with Database.com at all, it should simply be working behind the scenes a cloud database. I will simply be using an integration user hardcoded into the application.
I've been having an extremely difficult time of finding any of examples of how to build an app with the MobileSDK where I don't have to take advantage of the user-agent OAuth flow that displays a view to the app user. zkSforce has been mentioned as a possible solution for iOS (and it looks like it could be) but I haven't found even any basic tutorials on how to implement this with inconjunction with the mobile sdk to get access to the REST API (by bypassing the login view for the user). I also have yet to find anything at all for Android other than just taking advantage of the standard Java SDK or importing the web service wsdl and working from there through SOAP.
So is there anyone out there who can point me in the direct of some examples of behind the scenes authentication and use of the Mobile SDK REST methods or is my best option here to go to using the SOAP solutions behind the scenes?
Take a look at the OAuth 2.0 Username-Password Flow, which will allow you to use already known username and password with an OAuth-style flow. This is preferred to making a SOAP call in an app that is using the REST API everywhere else.
I have a website and i need to make an app on android and iphone and the app has to communicate with the server,similar to facebook app.Do i need web services like SOAP for this.I read their documentation but how necessary are they and what is their main purpose? Can I do the same without using web services? my website is in codeigniter
If you need to implement web services for your app, I recommend taking a look at CodeIgniter Rest Server. This provides an easy way to implement REST web services, which are lighter weight, easier to work with, and more flexibile than SOAP.
Benefits of using a Web Service:
1 - Usability: You can develop Android and iOS apps, and both of them can use the same Web Service. Other smart phone platforms can also be developed later and use the same Web Service.
2 - Flexibility: For instance, you need to have a mechanism to talk with the database. You can implement the database transaction in your Web Service. (I have experience in using hibernate) You do not have to create a database configuration in every smart phone app. If you decide to change your database, then you just need to modify your database configuration in the Web Service - nothing changes on the client sides.
3 - Security: It is not a good mechanism to connect directly from a Mobile app to your database server. You need to have some kind of Authentication mechanism that can be provided by a Web Service.
Which kind of Web Service is better? I agree with #Justin that REST is a good approach since it is lighter, simpler to implement and more flexible.
SOAP can be a better approach when Security is the most important thing, for instance in certain enterprise scenarios. REST vs. SOAP
Are webservices necessary? Well the correct answer to your question is it depends on the app. Most apps that connect to a server to get some information use web services. However, no you don't need to write your own web services. Increasingly people are using platforms like agigee
http://apigee.com/about/products/usergrid/
So no you would not need to write your own api if you used usergrid, but you might want to if you wanted to keep the data all within your own infrastructure.