Windows Server 2012 R2, IIS 8
I did some more diagnostics. What is it about this line in the web.config file which overrides the Authentication configuration specified in IIS?
<configuration>
<system.webServer>
<modules>
<add name="Webhook" type="MyApp.Webhook" preCondition="" />
</modules>
</system.webServer>
</configuration>
I copied my Webhook folder to a Webgate folder and mapped the Webgate site to the Webgate folder. Through trial and error I can see that as long as that module is defined in the web.config file, the site can be accessed anonymously. As soon as I remove that line, I see the 401 Unauthorized on an anonymous request. Strange, why should the specification of my module which handles request, override the IIS specification which stipulates that request must be authenticated before they can be executed?
Here is the original question with the background on what I've been trying to do and the problem I've been having:
I have a web application - Webgate - set up to Disallow Anonymous access. Here's what this looks like:
The problem is, when I use Postman to interact with this application without any Authentication, the transaction succeeds. Here's what this looks like:
How can this be?
One more screenshot to confirm that this is the application which answers to that URL:
Here is the one complexity, although I fail to see how this could have anything to do with the issue. Both Webgate and Webhook (see screenshot above) are two sites within IIS which are mapped to the same web application in the filesystem. Webgate is configured to insist on Authentication, Webhook is configured to allow Anonymous access. Again, I fail to see how Webhook's allowance of Anonymous access could have any impact on a transaction which comes in on the Webgate binding. Some background for context: Application capabilities when coming in via Webgate will be a superset of what is accessible via Webhook. Security can't be short-circuited by coming in on the wrong interface because transactions are checked at the application level to confirm whether the current transaction is identified or anonymous. The whole purpose of the two sites is so that accesses via the open interface - Webhook - are never challenged for identity, whereas transactions coming in on the protected interface - Webgate - are always challenged for Authentication.
I've done this before, although not recently, and I've never run into this problem. There is that little complexity, but bottom line, if a site is set up to disallow Anonymous access and insist on Basic Authentication, how are transactions getting through without being challenged? That is something I have never seen before. Thank you for your advice.
The Issue Revisited
To summarize what we learned so far,
You wrote a managed module for ASP.NET.
This module hooks to pipeline event OnBeginRequest to perform some business logic and calls ctx.ApplicationInstance.CompleteRequest() when finishing.
Anonymous authentication was used on IIS side.
Everything works fine there, but you found that,
When Basic authentication is used on IIS side things started to break in integrated pipeline mode
Switching back to classic mode seems to solve it.
The Cause
Your module works in classic mode no matter what authentication method is used, because the whole ASP.NET pipeline runs behind IIS authentication module.
However, integrated mode works differently from classic mode, where your module no longer executes behind authentication but ahead of.
You confirmed that by collecting FRT.
The Solution
Like we discussed, the solution is to simply change your module so that it hooks to OnPostAuthenticateRequest instead.
References
Microsoft published the pipeline changes in an important article, so everyone should get familiar with the details.
Migrating from classic to integrated requires a good guide
FRT is always a handy helper for module/handler developers
Related
We're experiencing some slowdown with a web application running in IIS on Windows Server 2016. I'm sysadmin and trying to poke around further after the software team determined it was not an issue between IIS and MS-SQL.
The actions that are suffering delay have been determined to be ones that send credentials to Active Directory every time they are used. I'm hoping to determine which domain controller the web app is using.
I poked around in some config files, but the only thing I found related to authentication was:
<authentication mode="Windows" />
How does the domain controller used by an IIS web app for authentication get determined? Is it still somewhere within the application itself? Is it a global setting in IIS? Is it a global setting determined by Windows Server 2016?
I want to create a simple login module which authenticates users so they can, through a servlet using the weblogic client, access EJB's methods annotated with #RolesAllowed. As you probably noted, I have two seperate tiers - one with a webapp (Tomcat) and one containing business logic (WebLogic).
Generally speaking, I followed this JAAS tutorial (setting things accordingly).
According to the answer to this question, the principals should be propaged to the business tier (even having the tiers on separate machines?)
However, what I'm getting is an error page with following header: HTTP Status 500 - [EJB:010160]Security violation: User <anonymous> has insufficient permission to access EJB type=<ejb>
Also, I created corresponding roles in the WebLogic console.
Some tests from the servlet's GET method (without calling Bean's annotaed method):
request.getUserPrincipal().getName(): ADMIN
request.getParameter("role"): null
request.isUserInRole("admins"): true
(request is obtained from the argument #Context HttpServletRequest request)
Is there any additional thing to do to make it work? Or is it sufficient but there may be an error somewhere?
Let me also point I'm quite new in creating Java EE applications.
Help appreciated
The integration of security information between a servlet container and an EJB container is vendor specific. The question that you cited refers to remote calls between containers from the same vendor.
In your case, you have two different vendors - Apache Tomcat and Oracle WebLogic. Therefore, you are going to have more work to do.
You don't state which version of WebLogic that you're using, however the article Using JAAS Authentication in Java Clients describes the additional steps that you need to do in order to correctly propogate the security context from Tomcat to WebLogic 11g. You will likely be able to find similar information for other WebLogic versions.
I have an ASP.NET MVC/WebAPI mixed project which runs just fine in the VS2012 development server. It has a standard MVC {controller}/{action}/{id} route, as well as an additional WebAPI route api/{controller}/{id}. Requests which start with /api/... are directed to WebAPI, the others to normal MVC.
When I deploy it to the local IIS, the normal MVC routes are working. However, /api calls to WebAPI are resulting in the exception
Access to the path 'C:\inetpub\wwwroot\myapp\web.config' is denied.
Then I tried to set the proper security permissions on the inetpub folder and its subfolders. This didn't help anything, and because the normal MVC requests are working, I don't suspect the problem to be security-related.
Then I started Sysinternals Process Monitor to see what w3wp.exe is doing during the request. As it turns out, IIS looks for web.config here:
C:\inetpub\wwwroot\myapp\api\web.config
C:\inetpub\wwwroot\myapp\api\mycontroller\web.config
Of course, there is no web.config there.
How can I set up IIS to recognize both routes?
I do not believe this is a problem with your routing. the problem is the permissions given to IIS I run into this error from time to time. Depending on the app pool identity you are running under you need to provide permissions to that entity. Here is a link to a very thorough explanation
IIS AppPoolIdentity and file system write access permissions
Basically right click your project folder, go to properties, click the security tab and and you will see Group or user names. These are the allowed entities to perform read and/or write actions to that directory. Click Edit then Add; from here you will then "Enter the object names to select" typically IIS follows under IIS_IUSRS again this depends on your app pool configuration from here you should move on from the error mentioned!
I hope this helps!
My server side contains WCF4 REST services and I'm going to add RIA services for my future SL4 application. Currently I'm doing Basic authentication like this:
var auth = HttpContext.Current.Request.Headers.GetValues("Authorization");
And so on.. You get the idea.. I call this on every request. If header not present or I can't validate UN/Password - I do this:
outgoingResponse.Headers.Add("WWW-Authenticate: Basic realm=\"Secure Area\"");
That got me by so far but I'm refactoring my server side. Implementing IoC for linked services. Created custom ServiceHost, ServiceHostFactory, InstanceProvider and all is well.
Now I need to figure how to properly handle authentication and authorization with WCF so I don't have to manually inspect headers. I do have my custom MembershipProvider so there have to be some method that get's UN/PW to process.
Any pointers? I looked at http://www.codeproject.com/KB/WCF/BasicAuthWCFRest.aspx but it uses RequestInterceptor and it is not available in WCF4. I found ServiceAuthenticationManager and ServiceAuthorizationManager but there is no samples available on how to code and wire those..
Can anybody suggest which way I should go?
Try to use this custom HTTP module. It will add new authentication mode to IIS and it will allow you using custom credentials validation.
I had all types of issues using the built-in annotations for WCF in a recent SOAP/C# project. I know this isn't the best solution, but for my purposes, I enabled basic authentication in IIS7 for my application, disabled anonymous authentication and created Active Directory users for the external clients that would call the web service endpoints. I then changed the application's permissions in IIS7 (it uses file system permissions) to allow a group containing those users.
This moves authentication outside your application, which may not be what you want, but does allow you to easily add users via the IIS7 console and deployment tools that can copy those permissions. The advantage is that you don't have to redeploy your application for permission changes. The disadvantage is you can't do fine grained permission control per function.
Here's the end game... I need a wcf service application with username/password security over ssl. Pretty basic stuff, but I'm at my wit's end trying to make this work. I'm trying to implement the HOWTO guide from microsoft's patterns and practices as listed here:
How to: Use Username Authentication with Transport Security in WCF Calling from Windows Forms.
I've follwed each of the steps exactly... except steps 9 - 12. Those steps implement a custom authentication and authorization class. I'm having errors both with the implmentation of these custom classes and without.
First, without the custom classes... Without the custom authorization and authentication I can compile my wcf project and create the service reference in the console client application. When I run my console application it works, but when I decorate my wcf method to restrict the permissions, it appears that the client is never passing the credentials to the wcf service. If it leave the decoration off the method and step trace into the wcf method, if find that the ServiceSecurityContext.Current.PrimaryIdentity.Name is blank. I'm decorating with:
[PrincipalPermission(SecurityAction.Demand, Role = "sysadmin")]
(and yes, I've used the ASP.net configuration to create the role and the account in that role.)
Second, with the custom classes... If I include the HttpModules element as listed in step 10, I get an error stating that IIS express 7.5 doesn't do it this way any more and I need to move the configuration. With a little bit of hunting I found that I needed to move the item to . But it still complains that is can't reference the module. If I leave out the authentication module and try to just reference the authorization module, I get the same error.
I tried to include the entire web.config, but this editor didn't want to take it all. Suffice it to say that it's exactly like the msdn article except for moving the module tag.