Custom MVC AuthorizeAttribute for ASP.NET Web API - asp.net-mvc-4

I am trying to implement a custom authorization attribute on my Web API controllers, but came across an unexpected behavior.
<Authorize(Users:="myUser")>
Public Function GetTodoItems() As IQueryable(Of TodoItem)
The above code works very well: it allows "myUser" to retrieve the items, but nobody else is allowed access. However, when I try the same approach with my custom authorization, the entire check is skipped, and any user can access the resource. Neither the AuthorizeCore nor the OnAuthorization overridden methods in my derived class are called.
<MyAuth(Users:="myUser")>
Public Function GetTodoItems() As IQueryable(Of TodoItem)
The derived class inherits from System.Web.Mvc.AuthorizeAttribute, and the project is deployed on IIS, with Windows Authentication & Impersonation enabled, and Anonymous Authentication disabled.
If I add the same custom authorization to an MVC Controller, then it works. But on the API Controllers, nothing. If the Authorize attribute wouldn't have worked either, it would have made more sense. Am I missing something? Is this an expected behavior, or a bug in the Beta?

You should use System.Web.Http.AuthorizeAttribute from System.Web.Http.dll for Web API instead of System.Web.Mvc.AuthorizeAttribute.
That is because System.Web.Http.AuthorizeAttribute derives from AuthorizationFilterAttribute. The filters are handled automatically by the Web API. In my own implementation I derived directly from AuthorizationFilterAttribute for handling of the basic HTTP authentication.
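To make the answer concrete, here is an added example (written for this page, not the asker's MyAuth class or any project's code) of an authorization attribute that Web API does honour. It derives from System.Web.Http.AuthorizeAttribute, so the Web API pipeline runs it; an attribute deriving from System.Web.Mvc.AuthorizeAttribute is simply never consulted by Web API, which is the silent "everyone gets in" behaviour described in the question. The RequiredAuthenticationType property, the TodoItem class and the controller are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

// Illustrative filter (not the asker's MyAuth class). The important line is the base type:
// System.Web.Http.AuthorizeAttribute is a Web API filter and is run by the Web API pipeline;
// System.Web.Mvc.AuthorizeAttribute is an MVC filter and Web API ignores it entirely.
public class ApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    // Assumed extra rule for illustration: optionally require a particular authentication
    // scheme (e.g. "Negotiate" or "NTLM" when IIS Windows Authentication is in use).
    public string RequiredAuthenticationType { get; set; }

    // Web API calls this for every request that reaches a decorated action.
    // Returning false makes the pipeline call HandleUnauthorizedRequest and skip the action.
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Let the base class evaluate Users= / Roles= against the current principal first.
        if (!base.IsAuthorized(actionContext))
            return false;

        if (string.IsNullOrEmpty(RequiredAuthenticationType))
            return true;

        // Under the IIS host Thread.CurrentPrincipal is populated from HttpContext.User,
        // which is the Windows identity when Windows Authentication is enabled.
        IPrincipal principal = Thread.CurrentPrincipal;
        return principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated
            && string.Equals(principal.Identity.AuthenticationType,
                             RequiredAuthenticationType, StringComparison.OrdinalIgnoreCase);
    }

    // The base behaviour is always 401. Answer 403 instead when the caller is authenticated
    // but not permitted, so clients and logs can tell "who are you" from "you may not".
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        bool authenticated = principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated;
        HttpStatusCode code = authenticated ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized;
        actionContext.Response = actionContext.Request.CreateResponse(code);
    }
}

// Constructed model for the sample controller.
public class TodoItem
{
    public int Id { get; set; }
    public string Title { get; set; }
}

// The asker's action, rewritten in C# with the Web API attribute applied.
public class TodoItemsController : ApiController
{
    private static readonly TodoItem[] Items =
    {
        new TodoItem { Id = 1, Title = "constructed sample item" }
    };

    [ApiAuthorize(Users = "myUser")]
    public IQueryable<TodoItem> GetTodoItems()
    {
        return Items.AsQueryable();
    }
}
```

A quick way to confirm the filter is actually in the pipeline is to set a breakpoint in IsAuthorized and request the action as a user other than "myUser": the breakpoint must hit and the response must be 401 or 403, never the item list. The same check against the MVC-derived attribute shows the breakpoint is never reached, which is the behaviour the question reports.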

I've built my own custom implementation for Basic Authorization:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/
Maybe this helps.

Related

How to access HttpContext from Blazor

Hello i have an application on which i am doing a custom authentication on the server side.
Now i need to port this logic to a Blazor Client. I do not know how i can access HttpContext data such as:
HttpContext.Request.Host.Value
HttpContext.User.Identity.IsAuthenticated
and also how to use the extension method Microsoft.AspNetCore.Authentication.SignInAsync extension method.
How can i get the HttpContext from the client ?
Sending the HttpContext object to the client-side Blazor is a bad idea. HttpContext Accessor is used to inject the HttpContext into classes that have no direct access to the HttpContext object. If you still want to do it, see comment by #Flores.
I'm not sure what custom authentication system you want to create, but I'd suggest you learn first how to do that the Blazor way. See comment by #dani herrera for a sample by the Blazor team. This sample will also give you the idea of what data you should pass to the client-side Blazor. Of course you can extend this authentication system in many ways: Jwt authentication can be a good exercise for you in extending the Blazor Auth System.

ASP.NET OData / Web API Authentication and documentation

I am implementing an OData endpoint on an ASP.NET application, and am working right now on the authentication part. I looked at the example at http://odata.github.io/WebApi/05-01-basic-auth/ for implementing HTTP Basic authentication. However, the example looks very weird to me, even though the article gives an impression that this is how you implement generic custom authentication on a RESTful API.
e.g.:
It implements authentication on the stage of a pipeline where you are supposed to implement authorization. My understanding is that when OnAuthorization is called, you are supposed to already have the principal set and the only thing left to do is checking if the principal has enough access to perform the requested action.
What is the deal with that call to IsAuthorized? Isn't that supposed to be a side-effect free method?
So I basically would like to check from somebody who is more familiar with ASP.NET Web API to confirm if this is a) the correct way to do things b) a hackish but safe way to do things or c) something dangerous that should never be present in production code.
You are right, authentication should be implemented in a separate AuthenticationFilter or even in an HttpModule. You can find examples here: authentication filter, http module.
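As an added illustration of the answer's point (this is example code written for this page, not the linked article's sample or any project's code), the following keeps HTTP Basic authentication out of IsAuthorized and puts it where the pipeline expects it: an IAuthenticationFilter, which Web API 2 runs before any authorization filter. The filter's only job is to set context.Principal (or record an error); deciding whether that principal may call the action is then left to [Authorize]. It assumes ASP.NET Web API 2 (System.Web.Http.Filters.IAuthenticationFilter did not exist in Web API 1), a hypothetical CredentialValidator hook supplied by the application, UTF-8 encoded credentials, and a constructed realm value.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;

// Assumed hook: the application supplies the credential check against its own user store.
// It returns a principal for valid credentials and null otherwise.
public static class CredentialValidator
{
    public static Func<string, string, IPrincipal> Validate = (user, password) => null;
}

// Authentication belongs in an IAuthenticationFilter (Web API 2). It runs before any
// authorization filter, establishes the principal, and never decides access itself.
public class BasicAuthenticationFilterAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue header = context.Request.Headers.Authorization;

        // No Basic header: leave the principal untouched. An [Authorize] filter later in the
        // pipeline rejects the request, and ChallengeAsync adds the WWW-Authenticate header.
        if (header == null || !"Basic".Equals(header.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);

        string user, password;
        if (!TryDecodeBasic(header.Parameter, out user, out password))
        {
            context.ErrorResult = new UnauthorizedResult(context.Request, "Malformed credentials");
            return Task.FromResult(0);
        }

        IPrincipal principal = CredentialValidator.Validate(user, password);
        if (principal == null)
            context.ErrorResult = new UnauthorizedResult(context.Request, "Invalid credentials");
        else
            context.Principal = principal; // the authenticated identity is set here and nowhere else
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.Result = new ChallengeOnUnauthorizedResult(context.Result);
        return Task.FromResult(0);
    }

    // RFC 7617: base64("user:password"); the user name cannot contain ':'.
    // Assumption: credentials are UTF-8 encoded.
    private static bool TryDecodeBasic(string parameter, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
}

// A bare 401; the challenge header is added by ChallengeOnUnauthorizedResult.
internal class UnauthorizedResult : IHttpActionResult
{
    private readonly HttpRequestMessage _request;
    private readonly string _reason;
    public UnauthorizedResult(HttpRequestMessage request, string reason) { _request = request; _reason = reason; }

    public Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
    {
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
        {
            RequestMessage = _request,
            ReasonPhrase = _reason
        };
        return Task.FromResult(response);
    }
}

// Wraps whatever result the pipeline produced and adds WWW-Authenticate to 401 responses.
internal class ChallengeOnUnauthorizedResult : IHttpActionResult
{
    private readonly IHttpActionResult _inner;
    public ChallengeOnUnauthorizedResult(IHttpActionResult inner) { _inner = inner; }

    public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
    {
        HttpResponseMessage response = await _inner.ExecuteAsync(cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\"")); // constructed realm
        return response;
    }
}
```

Register it once in WebApiConfig with config.Filters.Add(new BasicAuthenticationFilterAttribute()) (or apply it per controller) and keep [Authorize] on the controllers: the authentication filter answers "who is this", the authorization filter answers "may they do this", which is the separation the question felt was missing from the OData sample. Because Basic sends the password in reversible form on every request, the endpoint only makes sense behind TLS.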

Authenticating WEB API and knockout Js view model

I am trying to create a secured MVC4 Web API project. In this application knockout Js will access the API service directly. I need authentication on this. I am confused how to apply authentication only on the Web API. I can't use MVC authentication because other projects also share the same API services.
Can anyone please suggest a good solution using knockout js and Web API. I tried Thinktecture.IdentityModel but I am not able to use knockout Js in it.
This project is in .NET 4.0.
Thanks in advance
Thanks for the support. Got the solution:
Use the [Authorize] attribute on the WebApi controllers
[Authorize(Roles="WebApiAccess")]
public class FooController : ApiController
{
}
You can send authN tokens before your Ajax request. Here is a similar SO question (with answer). You can add auth for your entire client app by creating a global 401 error handler (AngularJS, but the original question is generic jQuery).

WCF FederatedAuthentication session state messes with ClaimsAuthorizationManager

Context:
There are a few threads here on Stack and on Bing that talk about WCF and session sharing with ASP.NET. None satisfy my issue fully. So here goes:
I have an MVC site which also has a few services in the RouteTable under the path "/services". This all works really nice. I can call Controller actions and WCF service methods both.
I have enabled WIF and Federated Authentication with the Windows Azure Access Control Service (ACS). This also works nicely. I can login using Facebook, Google etc. and a session is clearly established on my site. I can call the MVC controller actions and the WCF methods. Inside the body of those the IPrincipal for the current user is set to my current session.
Now I want to be a good boy and use a custom ClaimsAuthenticationManager and a custom ClaimsAuthorizationManager. A weird problem now occurs:
The setup:
For this scenario I am logged in. I have a session. I can confirm this inside of the method bodies of my MVC controller methods and my WCF service methods. This means we can leave the custom ClaimsAuthenticationManager out of this since it is not being touched when I already have a session.
It's the custom ClaimsAuthorizationManager which causes my headache.
When I make a call to the MVC site I am authenticated with my session inside of the ClaimsAuthorizationManager.CheckAccess method AND also inside of the body of my MVC controller actions. So far so good.
The problem:
When I make a call to the WCF services I am NOT authenticated with my session inside of the ClaimsAuthorizationManager.CheckAccess method but I am authenticated (suddenly) as I hit my breakpoint inside of the WCF service method.
This just does not make any sense! It seems my session is not inflated inside of the ClaimsAuthorization manager but further down the pipeline when I hit my own WCF code the session is in place!
How can this be?
Cheers,
Magnus
It might be Stack Overflow's problem, but when I copied your config into Notepad++ I saw some junk characters in the AuthenticationManager type value.
As the rest of the question goes, do you have <clear /> element before the elements that you show here?

development setup for wcf with username security on VS2010 and IIS express

Here's the end game... I need a wcf service application with username/password security over ssl. Pretty basic stuff, but I'm at my wit's end trying to make this work. I'm trying to implement the HOWTO guide from microsoft's patterns and practices as listed here:
How to: Use Username Authentication with Transport Security in WCF Calling from Windows Forms.
I've followed each of the steps exactly... except steps 9 - 12. Those steps implement a custom authentication and authorization class. I'm having errors both with the implementation of these custom classes and without.
First, without the custom classes... Without the custom authorization and authentication I can compile my WCF project and create the service reference in the console client application. When I run my console application it works, but when I decorate my WCF method to restrict the permissions, it appears that the client is never passing the credentials to the WCF service. If I leave the decoration off the method and step-trace into the WCF method, I find that the ServiceSecurityContext.Current.PrimaryIdentity.Name is blank. I'm decorating with:
[PrincipalPermission(SecurityAction.Demand, Role = "sysadmin")]
(and yes, I've used the ASP.net configuration to create the role and the account in that role.)
Second, with the custom classes... If I include the HttpModules element as listed in step 10, I get an error stating that IIS Express 7.5 doesn't do it this way any more and I need to move the configuration. With a little bit of hunting I found that I needed to move the item to . But it still complains that it can't reference the module. If I leave out the authentication module and try to just reference the authorization module, I get the same error.
I tried to include the entire web.config, but this editor didn't want to take it all. Suffice it to say that it's exactly like the msdn article except for moving the module tag.