I've been working lately on my own WCF AtomPub service (based on the example in the "WCF REST Starter Kit") for using WLW with my custom written blog. All basic actions such as adding, updating, retrieving and deleting an entry are working "fine".
Although, right now I'm a little stuck when trying to implement the authentication. I can't seem to understand how WLW manages the authentication with AtomPub services.
I've tried to implement it on my side by checking the Authorization header. If not present sending the Unauthorized header etc... but their fails WLW on me.
I also checked all headers send by WLW (for exemple when adding an entry) but I can't seem to find anything related to authentication.
I must say that the WCF service currently is hosted in the same site as my website. And the IIS authentication is set to Unauthorized and Forms. All others are disabled.
Can anyone help me into the right direction? Some interesting websites for example explaining this? (something I have missed in my searches on the web).
Thanks
I had to write an atompub service for the Live Writer about an year ago. These blog posts helped me a lot at that time: http://jcheng.wordpress.com/2007/10/15/how-wlw-speaks-atompub-introduction/. For your case you may look at part 2. In short - "Use Basic, Digest, or X-WSSE over HTTP or HTTPS". I used the basic authentication and had to use this library MADAM http://msdn.microsoft.com/en-us/library/aa479391.aspx to get forms and basic authentication work together. I hope this helps.
Related
It appears that Onvif authentication is a bit of a minefield!
I read that SOAP WS-security was deliberately not included in Microsoft Web Services so people have to code it up...
Not sure if this applies to HTTP digest as well?
Before I begin to port one of the c# code examples of the authentication over to my vb.net application, has anyone already done this?
Have there been any updated services, dlls etc that include WS-security?
I have yet to find any vb.net examples of working with ONVIF, but maybe I haven't searched hard enough yet!
I'm having a lot of trouble finding an example of how to wire up a client to use external auth in a web api service. Any questions I find similar to this have responses pointing to the same couple of blog entries:
This one with an Angular front end
And this one on the Microsoft website
I really just want to know what AJAX calls I need to make to the service in order to register and login to it using external authentication. If anyone can help me, I'd really appreciate it. This has turned into a frustrating ordeal that should have been pretty straight forward.
I'm trying to use the new WCF Web API Preview 6 with Basic Authentication. But don't really know where to begin.
zanewill apparently had the same issue:
https://stackoverflow.com/questions/8304367/how-to-use-basic-authentication-with-wcf-web-api
But the question is not a dup. I'm using this with mvc and don't really see how
Wcf Basic authentication
should apply?
I've tried out this:
http://cacheandquery.com/blog/2011/03/customizing-asp-net-mvc-basic-authentication/
But can't get it to work.
Should there not be an official solution from MS?
I have to note, that we are using our custom membership provider and that I basically just wanna pass an API token to the service. So the built in Windows Basic Authentification cannot be used.
I actually figured out a way myself. I've built my custom HttpOperationHandler and combined it with an Attribute, so I get a similar functionality as the MVC AuthorizeAttribute.
You can have a look at the solution here:
http://remy.supertext.ch/2012/02/basic-authentication-with-wcf-web-api-preview-6/
I think the recommended approach is to implement custom message handler. See my blog post for an example that works with ASP.NET Web API RTM:
http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/
I've read several entries on the web about securing WCF Data Services (OData). I would be glad to hear your recommendation about securing WCF DS assuming it will be consumed by Java client.
I think you have a number of options available. Since it's all REST requests, the client doesn't really matter too much (except that it rules out any Windows-specific integrated stuff). :)
I've done some prototypes where I have an encrypted token in my request header which I grab in the OnStartProcessingRequest event handler. You have access to HttpContext.Current, so you can just grab the request header, validate it against your token store, and then either let the request continue or not. The client, whether it's Java, C#, JavaScript or whatever would be responsible for creating the token and appending it to your request headers.
Last year, the WCF Data Services team put out a series of blog posts responding to some community criticism that WCF Data Services weren't not that secure. They listed out a number of different scenarios on securing your WCF Data Services. Two entries in particular that I think are appropriate for your situation are these:
OData and Authentication – Part 4 – Server Side Hooks
OData and Authentication – Part 5 – Custom HttpModules
You can find all blogs in the series here.
I think those two links are useful because it's all about the server-side configuration. OData support is also contained within RESTlet extension, but being a .NET guy, I can't give you much more info that that. :)
I hope this helps. Good luck!
I'm rather new to the WCF/IIS/MS web stack corner of the world so I'm hoping for some help evaluating my design.
What I need is a system that presents a number of resources as URIs. Each resource is a WCF web service providing a number of read and write operations. I need to provide username/password security for different resources.
How I'm hoping to make this work is to have IIS handle the security using the normal devices it uses for everything else. Then uses URL rewriting to remap everything to a single web service that will provide the correct resource based on the rewritten query string.
Will this work?
Am I missing something?
Is there a better way to do this?
If you happen to known of a really good tutorial for the bits and peaces (like what file does the security settings go in?) I would appreciate links?
For now there will be only a handful (2 to 20) users so static config files would be preferred for that as along as it won't cause problems later.
As I said, I hardly known jack in this domain so I don't really known what I don't known.
A few links I have found (don't even known yet if I'm looking in the right direction)
Fundamentals of WCF Security (assumes a bit more familiarity than I have)
Improving Web Security: Scenarios and Implementation Guidance for WCF (really long, book length)
Yes this sounds sane. For authentication you want to use ASP.NET membership module it provides a generic security API which can use intergrated (windows user), web form login, even LiveID or some custom authentication. In my experience MSDN has proven a good resource, here's a hands on article.
For web http binding WCF provides Uri rewriting out of the box using WebGet attribute.
for SOAP, the end point URL is the same, so I assume you want RESTful endpoint. If so, you need Basic auth over https not WS-Security.