I used this question accepted answer to highjack session start.
However - when I intercept new session start, I cannot access other global services which contains data I need on every session start and user request.
On old ASP.NET MVC 5 project, I did everythin at Global.asax on Application_AcquireRequestState event.
I need to access service, that I have added at ConfigureServices in Startup.cs
services.AddSingleton<LocalisedResources>(
sp => new LocalisedResources(Configuration.GetConnectionString("DefaultConnection")));
What am I missing?
As it turns out - there was nothing to do with sessions.
Answer was found in this post and was simple.
Needed to add Required service when I added InistSession service.
services
.AddSingleton<IStartSession, InitSession>(serviceProvider =>
new InitSession(serviceProvider.GetRequiredService<LocalisedResources>()));
Related
I seem to have a circular dependency where we have a service provider that registers an object with the service container, and boots a config file and some middleware, but the middleware now needs to be passed a param parsed from requests JWT token to the service container prior to it being instantiated, as well as the guard of the user since the service provider needs to be able to get the authenticated user and there are 5 different types (Applicant, Manager, Admin, etc) so the guard is needed to Auth::guard($guard)->getUser() within the constructor since it defaults to the Applicant if null like Auth::guard()->getUser().
How do you work around something like this? If it helps I'm using tymons/JWTAuth (develop) branch to make use of Laravel's guard API.
Should I refactor and just bind to the service container directly within the middleware and not use a service provider at all so I can use the parameter to instantiate the service container object, and the guard. Seems like the only likely solution, but before I refactor all of this I wanted to ask if there was a better way.
Can I use two service providers? One that adds middleware, and a deferred one that will somehow eventually register an object with the service container??? If so how would you pass the parameter in a config? Thinking this isn't possible based on what I know.
Adding a setter to the object isn't an option to prevent anyone accidentally invoking it anywhere else.
Are you using tymon/jwt-auth? If so, your service provider could set up an event listener that fires when the token is decoded. Something like:
event()->listen('tymon.jwt.valid', function($user){
app()->singleton(YourInterface::class, function() use ($user){
//this will only register once your token is decoded
}
});
You could still listen for an event if you aren't using this package, then bind once that fires. This is basically the same as your option 1, but at least it keeps the code organized where you want it.
We are working on an internal MVC3 app that purely uses Windows Authentication. There's a view that does an AJAX call to a controller action that does some processing before calling a web service. The problem we are running into is that if Anonymous access is turned off (as in Windows Authentication is on), calling the service from the controller actions results in a 401: Unauthorized error.
We have run into a problem of the double hop issue where credentials aren't passed correctly from server to server when calling a service within a service. I'm wondering if the AJAX call is somewhat mimicing the same behavior and not transmitting the correct Windows credentials to the controller which then doesn't pass the correct credentials to the web service.
I've seen some posts that shows how to pass a username and password along with the jQuery call but nothing mentions, an effective way, to bring along Windows Authentication with it.
Has anyone run into a similar issue? We would rather not leave Anonymous access on the web service as it is somewhat sensitive data that we would like to control access to.
Do you have identity impersonation turned on as described in this question:
How to get Windows user name when identity impersonate="true" in asp.net?
A colleague did some research over the weekend and determined it may have something to do with Kerberos authentication setup on the server as well as the jQuery call. In order to get around it, we just refactored the web service into a library that the application just references. We made it a web service initially as we thought in the future this data would need to be accessed from other applications. Running into this issue, we will most likely make it into a NuGet package.
Thanks for the comments.
I need to store some information in session(or in whatever in ASP.NET Web API) that I need to retrieve in each API request. We will have one api IIS web site and multiple web site binding will be added through host header. When any request comes in for example, api.xyz.com, host header will be checked and store that website information in session that will be used in each subsequent api request when making a call to database. Hope this is clear.
I found a way to handle session in ASP.NET Web API. ASP.NET Web API session or something?.
I know lot more about asp.net web forms where we can override PreRequestHandler. I am looking for similar in ASP.NET Web API where I can have my logic to get database id for api domain(for example, api.xyz.com) and store it in session which I want to access in each API GET/POST request.
Somebody will definitely say by adding session I am making it stateful but REST is stateless. But I wanted to save database trip for each api request. If I don't use session or something similar, I end up repeating the same logic for each api request.
Is there a better way to handle this situation? how?
thanks.
If that logic needs to happen for all requests, you better use an Implementation of delegating handlers.
i have a Swing-client and a Server running on tomcat 7, which communicate with each other using Spring (3.1) HTTP invoker. The communication works fine so far (even with TSL), but now i am trying to add Spring Security.
side-note: In a typical webapplication i would use basic authentication to authenticate the user. After my CustomAuthenticationProvider returns an Authentication object for the user, everything "just works", meaning that on every further request the SecurityContext is automatically set. I guess the login returns a session-key to the client which is send on every request to identify the session.
That is pretty much what i am looking for with HTTP-Invoker. At the moment it seems like i get a new context on every request, which is bad, because my customAuthenticationManager.authenticate(Authentication auth) method is pretty costy and should really only be called once per user-session.
Any Idea?
edit i found some hints on this at http://forum.springsource.org/showthread.php?10764-Maintaing-State-while-using-HttpInvoker ,but as this link is more then 8 years old, i was hoping for an easier solution.
I found the solution now. First you need to know that the spring-security part is completely the same as it would be in a webapplication (which is great).
On client-side you need a more complex HTTP-client implementation. I used org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor. On server-side you could use the create-session="always"-Attribute of the <http-element to ensure that a session is always created. However, i found it better to create the session myself (just call httpServletRequest.getSession() which creates a session if non exists), because that way you can specify when to do that. In my case i create the session in my authenticationProvider only if authentication was successful.
I have an IHttpHandler which I'm running on an Windows Server 2008R2, and IIS 7.5 with integrated mode. The handler should handle file uploads, triggered by a jQuery-Ajax call.
First It did not work on IIS at all, only in the VS 2010 Debugger. Somehow I did manage to register the Handler correctly and I was able to debug the HttpHandler - BUT: Asp.Net Authentication wasn't working: it always said I wasn't logged in. When I directly access the HttpHandler it all works like a charm. Only the jQuery-Ajax call drops dead.
For further information: I'm using FormsAuthentication and it all is running inside an MVC 3 Application.
Could it be related to a missing AuthCookie? I've also read this Article, but it doesn't seem to help me out: MVC + Ajax call to Controller Loses Authentication
If you need any further information / code, just ask for it, I'll post it asap.
Could it be related to a missing AuthCookie?
Yes, it could, especially if your file upload component uses Flash it might not send the authentication cookie. You may take a look at the following article for a sample workaround which consists into sending the authentication cookie value in addition to the file in the request.