Writing a suite of IIS hosted WCF webservices (both GET and POST), and I need to be able to read a cookie for an authentication token so I know the user has been auth'd previously.
Will HttpContext.Current.Cookies give me what I need or is there something cleaner and more appropriate for a WCF web service with WebGet and WebInvoke attributes?
string cookieHeader = WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Cookie];
works for me
Related
I'm beginning to have doubts as to if this is possible but I'm hoping that someone out there has a deeper understanding of the mechanics than I do.
We are planning to host a pure javascript form in a SharePoint site that is secured using ADFS. This form needs to make calls to a WCF REST service. We want to be able to use the same FedAuth cookie / SAML token issued to the user from ADFS in the WCF service for authentication but so far I have not really found a way to pass it using javascript.
So to break it down, how do you call a WIF / SAML secured WCF REST service from javascript?
When i try to invoke a WCF service from an asp.net application (RP) which is authenticated by another asp.net application(IP) , I'm getting an error message with content of Login page (It is trying to reach the login page because it could not authenticate the request).
Identity Provider : _http://localhost/AuthenticatonWS/Login.aspx
Relying party Website : _http://localhost/RPWebsite/Default.aspx
WCF Service : _http://localhost/RPWebsite/Service1.svc
(In my solution I'm calling service1.svc from default.aspx.cs)
I don't want the service to be anonymous. Currently the site (RPWebsite) uses STS and trusts local Identity provider, but in production it can trust any external identity provider thru ADFS.
Can any one guide me how i can pass the token information to the service from aspx page, I did try several examples from internet but i could not get it working.
The problem could very well be that the RPWebsite uses ClaimsAuthorizationModule in <system><httpModules> or <system.webserver><modules> in web.config. This causes any web service call to be redirected to the STS for authentication, as if it were an interactive browser request, as you observed.
Alternatively, this module can be added in the WIF-specific section of web.config, that is, in <microsoft.identityModel><service>, and in this case this module is only used for claims-based WCF web service calls. You add it in the following form: <claimsAuthorizationManager type="MyNamespace.CustomClaimsAuthenticationManager, MyAssembly"/>. (This type must extend ClaimsAuthorizationManager, as described in the WIF documentation page "ClaimsAuthenticationManager, ClaimsAuthorizationManager, and OriginalIssuer".)
Reference: Vittorio Bertocci, "Programming WIF", p. 43.
I think there are several options:
Using Persistent Authentication Cookies that support multiple client sessions. Or support sharing session between your RP and WCF service, so that WCF can re-utilized the authentication cookies issued for RP when RP makes a call to WCF service. To be honest, I have never tried to implement this in action. It is just my theory.
Create an separate authentication service which require no user-interaction (such as entering username/password). And then you have plenty of way to call WCF from your RP:
From your RP, ask the authentication service to issue a token for WCF; attach the token into request header of WCF call (e.g.: Authorization); then call WCF service. This requires a custom HttpModule to accept custom request header containing token at WCF service.
From your RP, you can also store UserName/Password, or an unique user identity claim which could identify the user; attach those information into request header of WCF call (e.g.: Authorization); then call WCF service. This also requires custom HttpModule to accept custom request header at WCF service.
I would recommend the second option, which you could find more useful information and guideline from Dominick Baier's blog.
Just my 2 cents.
We write a WCF web service.
How can we call it's methods in JSON format?
An additional issue is how can we secure our web services.
I'd like to use Microsoft Membership and Roles providers for users authentication and authorization. The question is how to do this. Is it possible to do authentication and authorization behind-the-scenes (in context of WCF), or I must call ValidateUser() and IsUserInRole() in every web method for every user call?
Whether I restricted to use webHttpBinding (over wsHttpBinding) because our client-side programmer familiar with AJAX/JSON? Whether there are any restrictions of webHttpBinding concerning using Membership/Roles comparably comparably to wsHttpBinding?
Thanks a lot in advance!
Ilan.
I want to port an existing ASP.NET Web Service to WCF so the resulting Web Service (1) is RESTful, (2) uses JSON as its request/response format, (3) has a custom authentication mechanism.
After a lot of googling, random coding, and wanting to hit my head against the wall, I found that...
A webHttpBinding has to be used to make the Web Service RESTful. But...
webHttpBinding does not support HTTPS hosts.
webHttpBinding does not support UserName authentication.
webHttpBinding does not even support message security.
An endpoint behavior with <enableWebScript/> has to be used to support ASP.NET AJAX. But...
What is "ASP.NET" AJAX?
What if I want to consume the Web Service using "regular" AJAX?
And, most importantly...
Can WCF do what I want to do in first place?
If not, what other platforms could I use?
I've written WCF service that does both SOAP and REST with XML and JSON, and custom auth. I've pushed the custom authentication into HTTP module, which does basic auth over https. See Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008 and WCF POX, JSON and SOAP Coexist.
In the setup you describe, the web servier (i.e. IIS) will be responsible for encryption (HTTPS) and authentication (e.g. basic authentiction). IIS can be extended with a custom authentication mechanism (just google for "IIS module handler").
It's a bit strange that it has to be delegated to IIS and is not part of WCF. But it's no problem at all.
I recently wrote a webservice to be used with Silverlight which uses the ASP.net membership and roles.
To validate the client in the service I look at the HTTPContext.Current.User (Which works when the service is called from Silverlight)
However, I've been trying to call the same service from an asp.net postback. But when I step-thru to the service the HTTPContext.Current has an emplty string for the username.
I'm guessing there is something that I'm not doing in the web.config file which is causing the httpContext to not be sent through the proxy to my service?
Any ideas would be appreciated. I need to be able to validate the client somehow using asp.net membership and roles and have it work from both an asp.net client and a silverlight client.
I have solved it!
Looks like by default the Silverlight application was sending all the browsers cookies to the service. One of these cookies is the ".ASPXAUTH" cookie to authenticate against the membership and roles.
The asp.net application however was not sending the cookies to the service. To send the authorisation cookie I used the following code before calling my webservice method.
using (OperationContextScope scope = new OperationContextScope(ws.InnerChannel))
{
HttpRequestMessageProperty httpRequest = new HttpRequestMessageProperty();
OperationContext.Current.OutgoingMessageProperties.Add(HttpRequestMessageProperty.Name, httpRequest);
HttpCookieCollection cc = Page.Request.Cookies;
if (Request.Cookies[".ASPXAUTH"] != null)
{
HttpCookie aCookie = Request.Cookies[".ASPXAUTH"];
String authcookieValue = Server.HtmlEncode(aCookie.Value);
httpRequest.Headers.Add("Cookie: " + ".ASPXAUTH=" + authcookieValue);
}
// Webservice call goes here
}
Instead of HTTPContext try ServiceSecurityContext.Current.PrimaryIdentity
Not sure how it is working from Silverlight but not ASP.Net, but for starters here is a good blog post on how to setup WCF to work with ASP.Net membership providers. There are quite a few steps so this could be pretty easy to miss a setting.
Once you get that working correctly then I imagine both should work correctly.
I think it may be because my wcf service is in my silverlight.web project, and perhaps they are more friendly when it comes to sharing.
I may need to read up more on wcf and create a greater seperation of concerns by setting up a seperate webservice project?
Update:
Ok I've taken a look at the HTTP Post request using Fiddler
Looks like the Silverlight App is sending a 'State' with an authorization cookie and my asp.net app isn't.
Looks like I need to send the state + my authorization cookie when I call the service. I may need to formulate a new question soon...