My current project constists of 2 components:
a WCF server application
a purely client-sided (javascript, jQuery, TypeScript etc) website which consumes the service.
When the client saves data to my database via the WCF service, I need to log who made the last modification to that data.
To do this I need the username of the account the client website's browser is running under.
Browser support needs to be:
Chrome
Firefox
IE 10/11.
I don't want to create a login form for my website, I want the user to be able to open the website and be logged on using their Windows/Citrix account.
Javascript can't get to the account username because of security concerns obviously.
Any suggestions?
I have a experimental answer for you. Not sure but posible to work correctly. I think, you can activate impersonation and basic authentication on iis. Then client(browsers) ask credentials to client. In service layer, you can enable impersonation too. but only iis impersonation may enough.
Related
Good afternoon in my timezone
I am new to SPA and i am learning Angular.
I am in the Route Guards chapters.
My question is :
How can we prevent the users from change the code through the browser Dev tools for instance ? In the back end , the code is in the server machine, but in this applications , the code is sent open to the client machine.
If this is not possible to prevent why should we used it ?
If there is some blogs or book regarding this subject it be very appreciated
Thanks in advance
Best Regards
You can't do that, but your (let's say admin page) which is guarded, enables the user to access some APIs in the backend, now those APIs should require authorization on the server, using tokens or however you implemented your authentication.
So that only valid users (in this case admins) can use that API.
So if the user is hacky enough, he will be able to access that page on the frontend, however all API calls will be denied by your backend.
I am working on a MEAP (Mobile Ent. Application platform) which uses PHP on server side and javascript on client side. The web application is consumed through an appshell (hybrid app) on IOS devices. The application also stores the userid and password so user doesn't have to enter it again.
We also have a portal link (portal in SharePoint) in this application which user click and it launches the Safari which again presents login prompt to user. (windows authentication to sharepoint).
Is it possible to somehow pass the userid/password to safari so it will automatically login to sharepoint portal??
I just need to know the best approach to follow in this scenario?
According to my knowledge, the sharepoint uses NTLM authentication so I tried creating Ajax call by passing NTLM authorization header, but it doesn't work?
I used below js to create NTLM authentication.
https://github.com/erlandranvinge/ntlm.js
Since you are launching safari, you can pass it a url. Why not pass query parameters to the url and get the credentials from there?
Ofcourse, this will require a slight modification of the sharepoint side, a small javascript will do.
I have tried using the node-xmpp package and blather gem. I got the furthest with blather, but succeeded with neither.
Blather attempt:
https://github.com/adhearsion/blather/issues/119
Node-xmpp attempt:
https://github.com/astro/node-xmpp/issues/149
From the Facebook API Docs:
Authenticating with Username/Password
The DIGEST-MD5 SASL mechanism is available to support traditional XMPP
or multi-protocol IM clients that are not customized for (or even
aware of) Facebook. This mechanism requires prompting the user for his
or her password; therefore, it should only be used when necessary. In
particular, it MUST NOT be used for any client that:
Proxies the XMPP connection (the connection must be directly from the user's computer to Facebook).
Reports messages or any other information about user activity to a third party (including the client developer).
Integrates with Facebook, or has a Facebook Application ID. If your application does any of the above, you must use Facebook Platform authentication instead.
I think your application is doing one of the following, correct me if I'm wrong but based on the links you provided for your blather and node-xmpp issues I think you may be trying to violate the third criteria.
Integrates with Facebook, or has a Facebook Application ID. If your application does any of the above, you must use Facebook Platform authentication instead.
Link: https://developers.facebook.com/docs/chat/
I want to rewrite business application using asp.net web api as service layer and use javascript to call the web api and get data, display etc.
I understand all the scenrios work fine, but main bottleneck is security. We have database for the user name and password. We want that user enter user name and password, validate it using web api. Then for each request pass the user name and password to check rights etc. What is the best way to secure this communication if any.
You're best bet is going to be implementing HTTPS with SSL. You would consider using an encryption algorithm, but everything will be expose anyone if you're using JavaScript which would make encrypting and decrypting on the client quiet pointless.
Here's is a good blog post reference you can review on the matter http://goo.gl/QkZOf
I work on a mobile web app in Javascript(Sencha)/HTML5 with WCF Rest services that needs to use authentication to authenticate users from a custom (MySQL) database in order to customize services responses during the user session.
I search about WCF authentication and founded so many ways that i'am really lost to find the best way to answer my constraints...
Can i really authenticate my user from the WCF web service (with his username and password) and then keep a token or a cookie or whatever that can be used in the following request in order to identify my user and make my response according to that user ?
Thanks in advance for your help !
Authentication as you many know can be done in many ways. Username/password, Certificate etc. It really depends upon your requirement.
For e.g.
If you have a mobile application which is dealing with financial information for a user (such as Bank account) then I would use both user credentials as well as X509Certificates.
If you have an application which is public facing then you can get away with using just certificates (Just client certi).
If you have a B2B application (which I would doubt in this case) then you can use Asymantic certificates (Client and server) in which you will create Both Client and Server certifcates (X509) and give to the client and let the client manually install it on their client devices.
For the simplest senario you can start by try using username and password. So your client app will user username/password to authenticate with a WCF Service at server.
Follwing my give you a good starting point
http://msdn.microsoft.com/en-us/library/ms733131.aspx
http://www.codeproject.com/KB/WCF/CustomUserNamePassAuth2.aspx