I need to set up a testing website on Windows Azure, and typically to prevent random people from looking at it I would have set up basic authentication with some sort of trivial password to filter people. Windows Azure, seemingly, does not have this option.
What are the alternatives? So far I am considering implementing another level of forms authentication but this is a lot of work and would need to be stripped out in the production version of the site.
The documentation on implementing Basic-Authentication in the web.config is also shockingly sparse.
I think you should be able to use the IIS7 demo BasicAuthenticationModule to achieve what you want - see full code and instructions in
http://learn.iis.net/page.aspx/170/developing-a-module-using-net/
Related
I am implementing a WebApp in our company's intranet with Blazor WebAssembly. I need to make API-Calls to our DevOps Server hosted in our intranet and need to use Windows Authentication to access the API. In the former used WPF Client it was enough to just add the UseDefaultCredentials-Flag on the HttpClient, but that does not work in WebAssembly anymore since the App is running in the browser. The Microsoft Docs state We don't recommend using Windows Authentication with Blazor Webassembly, but not recommend does not mean not support, so it has to be possible somehow, to attach the current App-User's Windows Credentials(Token) to the API Call. Unfortunately there exists no example on the docs page on how to implement this and I have not found any code on how to tackle this, although on some forums people wrote that it is possible, but did not include the How in their comments.
I am using .NET5 for both Server and Client and need to make the Api-Call with Windows Authentication from the Client, not the Server as most examples are using it, as my Server-Project uses the same User for all Requests but I need the User of the Client-Project.
Any kind of help is appreciated.
I am building a service-oriented system for personal use (plus few friends may have limited access as well) - the aim is to have a dashboard for controlling my apps running on various machines such as Raspberry Pis (and potentially to be expanded to a VPS or few in future).
The architecture itself is pretty simple. For authentication I want to use AWS Cognito. Services would communicate with WebAPI (and potentially with eachother) using gRPC within a VPN, and dashboard would be served by Blazor server-side (may move to Blazor WASM Hosted model if I find a need for it). Each of the processes may or may not be on the same machine as any other (depending on the purpose). Blazor server may or may not run within VPN (I might want to move it to a separate web hosting later).
I created a simple diagram to visualize it:
The problem comes with authentication. I want to have Blazor server-side and API as a separate processes (for now they're going to run on the same machine, but I may want to move it elsewhere eventually). Ideally authentication should be handled by API, so authentication is client-agnostic, and the API can use it to verify if the logged in user can perform an action - which by itself is simple.
However, I want Blazor server to use and validate that token as well in order to determine what to display to the user. I want to do with the least amount of calls possible - ideally avoiding querying API for every 'should I display it or not?' choice.
I could easily do it by sacrificing possibility to move API elsewhere, and just merge Blazor Server and API Gateway into one project. For my current purpose it would be enough, but it's not an ideal solution, so first I want to look into how could I achieve my original vision.
How could I achieve this (with minimal amount of Blazor server to API queries)?
I was googling for solution a lot, but so far only found either examples of using Blazor server and API as one project, or using client-side calls to API directly.
Thank you good folks in advance.
Is there a single sign-on solution with completely RESTful API installable on my server? I have looked at OpenAM, which have some of the API available through HTTP/JSON, but not all (and seems too heavy, but if it had all the API, I'd not care).
Do you know of solution for authorization, authentication and identity management that can be used for single sign-on and has all (maybe without setting admin password and such critical issues) its API available though HTTP(S)/JSON?
I have no need for Java API etc., HTTP(S)+CLI for setup is only thing I look for. That is, I doin;t realkly care what the solution is implemented in (no need for Java EE etc.) as far as it does its job and it is secure.
Have you seen Mozilla's new Persona solution built on BrowserID? It does a lot, but it's hard to know if it's sufficient for you without more details about how integrated you need the authorization to be.
You might want to look at Stormpath. They're the largest identify management service (for developers) -- and they are all REST + JSON API backed.
I am going to run a Web App on JBoss App Server 7. Does JBoss have some sort of inbuilt user management module/API which I can use rather than code my own? Or do I have to make this module myself. I know about the default JAAS pieces providing authentication AND authorisation, however I am looking to manage, add, edit, delete users from the datasource as well.
I'm not being lazy or anything, just want to know if JBoss has an easy inbuilt way before I start :)
Google implies no so I want to make sure by asking here.
As far as I know they don't provide any easy to managed identity provider, they "only" provide way to connect to identity provider using standard protocol like LDAP, SAML and WS-trust, openid to provide container managed authentication.
They have a idm project but it seems to provide standard protocol SSO identity backed by some identity store but doesn't provide way to manage the users.
PicketBox and PricketLink are the tow JBoss project you should look for more information.
These element can be used if you want to use global identity system, existing one, new product deployment or custom build.
(disclaimer: I have sped some time on Picket* projects documentation and I still don't think I get a good knowledge on how it works... )
There is a web interface and a command line interface for management operations. See the Management Clients section of the documentation.
The security realms could be what you're after. I'm not really a security expert though.
Maybe a security domain could be helpful too.
Classic Asp (as I understand it) is not really “encouraged” by Microsoft (e.g. there is no classic ASP project in VS) and essentially is a collection of asp pages that contain HTML and some kind of scripting. There’s no .config file as such.
That being the case., can classic ASP sites be integrated into WIF?
How do you “force” the application to authenticate using a STS? (There’s no .config file for FedUtil to change).
How do you approach the problem of a large customer that still has a lot of legacy classic ASP sites and wants to move to federated authentication using a STS?
P.S. There is a reference on the Internet i.e. “In IIS7 you select the URLAuthorisation Module and untick the use for managed code only setting. I have used this to protect static files and a cgi exe, so I assume it will also protect .asp files too”.
I’m still confused as to where the STS comes into this solution? How does IIS 7 know where the STS is?
The issue here is that as you are using ASP, IIS doesn't run in pipeline mode. Therefore, it won't execute the HTTPModules required by ADFS. (Or any .NET httpmodules...)
In your case, I have two idea (both aren't pleasant, I am afraid)
You could implement the WIF protocol in ASP. It's documented. Well, you certainly could do it, but beware of errors in your implementation, which could damage the security of your application. The bright side is that you will be able to leverage all the WIF goodies in your apps.
You could attempt to host CGI/ ASP in an IIS HttpModule, in pipeline mode. Perfs would probably decrease, and you would need to send to CGI all the required request infos (and server parameters). It was the idea of this guy. I don't know if he succeded.
The first proposition is probably the good one. Hem. Good luck, WIF isn't a trivial piece of code. (Even if understanding the protocol is not very difficult. As always, hell lies in the details)