I don't have much understanding of how to make an existing old ASP.NET MVC 4 app (claims-based auth, Windows Identity Foundation, WS-Federation, old Thinktecture IdentityServer) use the new IdentityServer 4 with the WS-Federation plugin.
Does it require substituting WIF's Authentication and Session modules with OWIN middleware as stated here, or using both?
Here are the configs from web.config:
<httpModules>
  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</httpModules>
...
<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="https://localhost/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/LoginEndpoint/issue/wsfed" realm="https://localhost/" requireHttps="false" />
      <cookieHandler requireSsl="true" hideFromScript="true" />
    </federatedAuthentication>
    <applicationService>
      <claimTypeRequired>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
        <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
      </claimTypeRequired>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="XXXXXXXXXXXX" name="https://localhost/LoginEndpoint/" />
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
    <serviceCertificate>
      <!-- Needed for cookie encryption in web-farm environment. -->
      <certificateReference x509FindType="FindByThumbprint" findValue="XXXXXXXXXXXXXXXXX" />
    </serviceCertificate>
  </service>
</microsoft.identityModel>
Any help will be appreciated! Even suggestions if there are better frameworks or approaches for modern SSO solutions that can be used with old ASP.NET MVC 4 clients.
On the client side, you can use the OWIN stack.
Note this is .NET Core but the principles are the same.
You can still use WIF if you want to. You just need to change the IDP URL and wtrealm parameters.
On the server side you need the Rock Solid Knowledge WS-Fed plugin.
Follow this approach.
The other way is to change to OpenID Connect that idsrv4 supports out of the box.
There's a good walk-through here.
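The client-side change the answer describes, as an added example that is not from the original post, from IdentityServer or from the Rock Solid Knowledge plugin: an OWIN Startup class for the MVC 4 relying party that replaces the two WIF httpModules from the posted web.config with Katana's cookie and WS-Federation middleware (Microsoft.Owin.Security.WsFederation). The namespace, the IdP metadata URL and the assumption that the WIF modules are removed from web.config rather than left running alongside the middleware are mine; the realm and the SSL/HttpOnly cookie settings mirror the posted config.

```csharp
// Added example, not code from the original post. OWIN replacement for
// WSFederationAuthenticationModule + SessionAuthenticationModule in an ASP.NET MVC 4 app.
using System.IdentityModel.Tokens;          // TokenValidationParameters
using System.Security.Claims;
using System.Web.Helpers;                   // AntiForgeryConfig
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(RelyingParty.Startup))]

namespace RelyingParty
{
    public class Startup
    {
        // Realm taken from the posted config; it must match the client registered at the IdP.
        private const string Realm = "https://localhost/";
        // Assumed placeholder: the IdP's WS-Federation metadata document (replaces the
        // hard-coded issuer URL and thumbprint list from <issuerNameRegistry>).
        private const string IdpMetadata = "https://idp.example.test/wsfed/metadata";

        public void Configuration(IAppBuilder app)
        {
            // Anti-forgery tokens need a stable claim to key on; the old config already
            // required the name claim, so reuse it.
            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // Session cookie: the job SessionAuthenticationModule (FedAuth cookie) used to do.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always,   // mirrors cookieHandler requireSsl="true"
                CookieHttpOnly = true                       // mirrors cookieHandler hideFromScript="true"
            });

            // Passive redirect to the IdP and token validation: the job of
            // WSFederationAuthenticationModule.
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = IdpMetadata,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Same role as <audienceUris>: a token issued for another realm is rejected.
                    ValidAudience = Realm,
                    ValidateAudience = true,
                    // Issuer name and signing keys are read from the metadata document.
                    ValidateIssuer = true,
                    ValidateLifetime = true
                }
            });
        }
    }
}
```

With this in place the `WSFederationAuthenticationModule` and `SessionAuthenticationModule` entries under `<httpModules>` and the `<microsoft.identityModel>` section are no longer consulted. Two settings from the old config deliberately have no counterpart here: `requireHttps="false"` and `certificateValidationMode="None"`; the middleware fetches metadata and validates signing keys over HTTPS, which is the behaviour a relying party should keep.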
I have an ASP.NET Core 1.0 project running. When I add the ClaimsPrincipalPermission attribute to my action methods I get the following error when navigating to any action method having that attribute.
An exception of type 'System.InvalidOperationException' occurred in System.IdentityModel.Services.dll but was not handled in user code
Additional information: ID7024: Use of ClaimsPrincipalPermission attribute has been attempted and possibly there is no <system.identityModel> configuration section defined, see inner exception for details. Also make sure a ClaimsAuthorizationManager element is defined under the <system.identityModel> section.
This is the inner exception:
ID7027: Could not load the identity configuration because no <system.identityModel> configuration section was found.
This is my web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!--
    Configure your application settings in appsettings.json. Learn more at http://go.microsoft.com/fwlink/?LinkId=786380
  -->
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
    </federationConfiguration>
  </system.identityModel.services>
  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type="wApp.ClaimManager, wApp" />
    </identityConfiguration>
  </system.identityModel>
  <system.webServer>
    <handlers>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false" />
  </system.webServer>
</configuration>
As you can see, I have added all the required sections. The same code and configuration works well in my MVC 5 projects and also my Web Api project. Is there something different to be done in Asp.Net Core projects?
I have also added the required DLL references in the Core 1.0 MVC project, as well as duplicated the same configuration sections in the App.config file under the Core 1.0 MVC project. Still getting the same error.
What am I missing?
ClaimsPrincipalPermission, and WIF/System.IdentityModel is not part of .NET Core at all. I'm surprised that even compiles.
From the comments it appears you're parsing a JWT, presumably with the JWT bearer token middleware.
So, all identities in ASP.NET Core are ClaimsIdentities. You can go for Simple claims based checks, or, more fully to code expressed policies which give a lot more flexibility.
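One way to express the same check in ASP.NET Core 1.0, as an added example that is not code from the question, the answer or the ASP.NET project: a simple role policy plus a requirement/handler pair that takes over the job the `wApp.ClaimManager` ClaimsAuthorizationManager used to do. The policy names, the `permission` claim type and the controller are assumptions.

```csharp
// Added example, not code from the original question or answer.
// Policy-based authorization in ASP.NET Core 1.0 replacing ClaimsPrincipalPermission.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

namespace wApp
{
    // Plays the role of the resource/action pair that ClaimsAuthorizationManager.CheckAccess received.
    public class OperationRequirement : IAuthorizationRequirement
    {
        public OperationRequirement(string operation) { Operation = operation; }
        public string Operation { get; }
    }

    // The decision logic that used to live in wApp.ClaimManager. Deny is the default:
    // the request only succeeds when context.Succeed is called.
    public class OperationHandler : AuthorizationHandler<OperationRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       OperationRequirement requirement)
        {
            // "permission" is an assumed claim type issued by the IdP (e.g. inside the JWT).
            if (context.User.HasClaim("permission", requirement.Operation))
            {
                context.Succeed(requirement);
            }
            return Task.CompletedTask;
        }
    }

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();
            services.AddAuthorization(options =>
            {
                // Simple claims-based check: a role claim on the ClaimsPrincipal.
                options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));

                // Resource/action style check via the custom requirement above.
                options.AddPolicy("CanDeleteOrders",
                    policy => policy.Requirements.Add(new OperationRequirement("orders:delete")));
            });
            // Handlers are resolved from DI; register each one.
            services.AddSingleton<IAuthorizationHandler, OperationHandler>();
        }
    }

    public class OrdersController : Controller
    {
        // Replaces [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "orders", Operation = "delete")].
        [Authorize(Policy = "CanDeleteOrders")]
        public IActionResult Delete(int id)
        {
            return Ok();
        }
    }
}
```

The JWT bearer middleware the answer refers to populates `User` with the claims from the validated token, so the policy evaluates against exactly what the issuer signed; the role name and claim type must match what the issuer emits, and a missing claim fails closed rather than throwing a configuration exception.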
BaseLine: ServiceStack sample works for me in a stock MVC 4 app. I am using the variant, followed all the instructions in the readme, no problems.
Plugin Framework
I am building a plugin framework for MVC, and servicestack.net is one of the plugins; that is, all the assemblies are plugins which get loaded using BuildManager.AddReferencedAssembly(assembly);
BuildManager.AddCompilationDependency(assembly.FullName);
All the ServiceStack DLLs are found and successfully loaded from my personal shadowFolder.
web.config:
<location path="api">
  <system.web>
    <httpHandlers>
      <add path="*" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory,ServiceStack" verb="*" />
    </httpHandlers>
  </system.web>
  <!-- Required for IIS 7.0 -->
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <add path="*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory,ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
    </handlers>
  </system.webServer>
</location>
*NOTE: I am calling AppHost.Init() from Application_Start, and I can step through it, so ServiceStack is truly loaded and usable before the ASP.NET app goes into full swing.*
On first launch: /api/metadata results in:
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /api/metadata
Stopping the debugger and simply relaunching, which deletes all assemblies from my personal shadowFolder, copies them, loads them and references them, results in:
A working ServiceStack.net
StarterTemplate ASP.NET Host
The following operations are supported. For a formal definition, please review the Service XSD.
etc.
I suspect that this probably has to do with .NET's shadow folder and AppDomain, but perhaps it is something with ServiceStack. Where would I find logs to see if ServiceStack's HttpHandlerFactory is having problems?
I changed my config as follows:
SetConfig(new EndpointHostConfig
{ ServiceStackHandlerFactoryPath = "ss" });
and my config:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add type="DevExpress.Web.ASPxClasses.ASPxHttpHandlerModule, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" name="ASPxHttpHandlerModule" />
    <add name="FormsAuthenticationDisposition" type="ServiceStack.ServiceInterface.SuppressFormsAuthenticationRedirectModule, ServiceStack.ServiceInterface" />
  </modules>
  <handlers>
    <add type="DevExpress.Web.ASPxUploadControl.ASPxUploadProgressHttpHandler, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="ASPxUploadProgressHandlerPage.ashx" name="ASPxUploadProgressHandler" preCondition="integratedMode" />
    <add type="DevExpress.Web.ASPxClasses.ASPxHttpHandlerModule, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET" path="DX.ashx" name="ASPxHttpHandlerModule" preCondition="integratedMode" />
    <add path="ss*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
  </handlers>
  <validation validateIntegratedModeConfiguration="false" />
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="30000000" />
    </requestFiltering>
  </security>
</system.webServer>
Now I have to type the following to get to my ServiceStack area: http://localhost/ss/
My take on what is going wrong is that MVC, ASP.NET Forms and ServiceStack each need one entry point to map their handler to a URL route; ServiceStack is overriding the URL route for "/" of your MVC project, hence no resource is found.
Thus in my application I used two separate entry points:
*http://localhost/* .... is my normal entry point for WebForms (in your case MVC4 [stock])
http://localhost/ss .... is my ServiceStack entry point
If you are using the MVC razor engine you won't run into this.
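The two-entry-point layout described in this answer, as an added example that is not code from the original posts or from the ServiceStack project: the ServiceStack v3 AppHost sets `ServiceStackHandlerFactoryPath` to the same `ss` path the web.config handler is mapped to, and MVC routing is told to ignore that path so the two frameworks do not compete for the same URLs. The AppHost class name, the route table and the service assembly are assumptions.

```csharp
// Added example, not code from the original posts. ServiceStack v3 hosted under "/ss"
// inside an ASP.NET MVC 4 app, with MVC keeping "/".
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Funq;
using ServiceStack.WebHost.Endpoints;

public class AppHost : AppHostBase
{
    // Service name and the assembly that contains the service classes (assumed to be this one).
    public AppHost() : base("StarterTemplate ASP.NET Host", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // Must agree with the path="ss*" handler mapping in web.config; ServiceStack
        // strips this prefix before matching its own routes.
        SetConfig(new EndpointHostConfig { ServiceStackHandlerFactoryPath = "ss" });
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // ServiceStack is initialised before MVC routing, as in the original post.
        new AppHost().Init();
        RegisterRoutes(RouteTable.Routes);
    }

    public static void RegisterRoutes(RouteCollection routes)
    {
        // Keep MVC routing out of ServiceStack's path so "/ss/metadata" is never
        // treated as controller "ss", action "metadata".
        routes.IgnoreRoute("ss/{*pathInfo}");
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}
```

With this layout `/` and `/Home/Index` are served by MVC and `/ss/metadata` by ServiceStack; the 404 from the original post came from both frameworks claiming the root path, not from the shadow-copy reload.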
While developing an ASP.NET MVC4 web application with VS2010, using the Mvc.JQuery.Datatables NuGet, I found that the EmbeddedResourceVirtualPathProvider NuGet that is referenced worked beautifully on my dev box, but failed miserably on my production box.
The production box is Windows 2003, with IIS6 and .NET 4.0 installed.
I searched many things on SO and Google, but after implementing the suggested workarounds, it still fails.
Here's what I've done.
1. Implemented AppInitialize as suggested by https://stackoverflow.com/a/5178993
2. Implemented wildcard mapping for ASP.NET as suggested by http://haacked.com/archive/2008/11/26/asp.net-mvc-on-iis-6-walkthrough.aspx
3. Implemented IgnoreRoute for static files as suggested by https://stackoverflow.com/a/3144841
But it still doesn't serve all of the files. I'm getting the embedded partial views, but not the embedded css, js, and jpg files.
My web.config has an entry for the StaticFileHandler as follows:
<system.webServer>
  <handlers>
    <add path="*.css" verb="GET" name="Static css" type="System.Web.StaticFileHandler" />
    <add path="*.js" verb="GET" name="Static js" type="System.Web.StaticFileHandler" />
    <add path="*.jpg" verb="GET" name="Static jpg" type="System.Web.StaticFileHandler" />
    <add path="*.gif" verb="GET" name="Static gif" type="System.Web.StaticFileHandler" />
  </handlers>
</system.webServer>
I appear to be missing something critical. Any suggestions?
When using IIS6, all of the items listed in #1-3 are required, but additionally you need to recognize that IIS6 defines its handlers as httpHandlers in the system.web section, whereas IIS7 calls them handlers and they are in the system.webServer section of the config file.
Therefore, you need to add the following to make it work in IIS6:
<system.web>
  ....
  <httpHandlers>
    <add path="*.css" verb="GET" type="System.Web.StaticFileHandler" />
    <add path="*.js" verb="GET" type="System.Web.StaticFileHandler" />
    <add path="*.jpg" verb="GET" type="System.Web.StaticFileHandler" />
    <add path="*.gif" verb="GET" type="System.Web.StaticFileHandler" />
  </httpHandlers>
</system.web>
Setup:
For an ASP.NET MVC 4 app I am using Elmah.MVC 2.0.1 to log errors.
I installed Elmah.MVC using NuGet. It works fine.
Problem:
The Elmah.MVC package installs no controller or area, so I can see no obvious way to apply security via Authorize attributes, as is recommended for ASP.NET MVC.
Question:
I only want users in the Admin role to be able to view the Elmah page.
How do I do this?
Ouch!
Just found the answer:
The Elmah.MVC 2.0.1 NuGet package adds the following into <appSettings> (in web.config):
<add key="elmah.mvc.requiresAuthentication" value="false" />
<add key="elmah.mvc.allowedRoles" value="*" />
To achieve what I want simply:
<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="Admin" />
I believe you can also use URL access control like this:
<location path="elmah.axd">
  <system.web>
    <httpHandlers>
      <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
    <authorization>
      <allow roles="YourRole" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</location>
Trying to hit my RP WCF service using active WIF and receiving this error. I have enabled WIF tracing and it yields:
Microsoft.IdentityModel.Tokens.FailedAuthenticationFaultException, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
ID3242: The security token could not be authenticated or authorized.
I've googled/SO'ed this one and have done many of the things recommended here. I have also set my audienceUris mode to false. Here is my config:
<microsoft.identityModel>
  <service name="TestService">
    <audienceUris mode="Never">
      <add value="https://localhost:9080/XdsService/XDSRegistry" />
    </audienceUris>
    <!-- For Security Assertion Markup Language (SAML) and X.509 token authentication, you must implement an IssuerNameRegistry -->
    <issuerNameRegistry type="Microsoft.IHE.XDS.Common.Federated.CustomIssuerNameRegistry, Microsoft.IHE.XDS.Common, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <claimsAuthorizationManager type="Microsoft.IHE.XDS.Common.Federated.CustomClaimsAuthorizationManager, Microsoft.IHE.XDS.Common, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </service>
</microsoft.identityModel>
I've even created my own ClaimsAuthorizationManager and IssuerNameRegistry to debug this...