Mixing Windows authentication and ClaimsPrincipal in MVC - model-view-controller

I have an MVC project with Windows authentication and I want to use claims.
I see that claims inherit from IPrincipal. I think that is used for authentication reasons, because on every request, before the code is executed, the user's credentials are validated.
Is this possible? Where do I have to define the claims?
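One way to do what the question asks, as an added example that is not code from the original post: keep IIS Windows authentication as the authentication step and enrich the resulting WindowsPrincipal (a ClaimsPrincipal in .NET 4.5+) with application claims on every request, using a ClaimsAuthenticationManager from System.IdentityModel.dll. The ApplicationClaimsTransformer class, the urn:example:permission claim type, the CORP\alice and CORP\bob sample entries and the OrdersController are assumptions for illustration.

```csharp
// Added example, not code from the original question. Assumptions: IIS Windows
// authentication is on (so Context.User arrives as a WindowsPrincipal, which in
// .NET 4.5+ derives from ClaimsPrincipal), ClaimsAuthenticationManager comes from
// System.IdentityModel.dll, and the permission table below is constructed sample
// data standing in for an application database.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading;
using System.Web;
using System.Web.Mvc;

public class ApplicationClaimsTransformer : ClaimsAuthenticationManager
{
    // Own claim type, so application claims never collide with the ones Windows
    // supplied (ClaimTypes.Name, ClaimTypes.PrimarySid, ClaimTypes.GroupSid, ...).
    public const string PermissionClaimType = "urn:example:permission";

    // Constructed sample data keyed by the Windows account name (DOMAIN\user).
    private static readonly Dictionary<string, string[]> Permissions =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "orders:read", "orders:edit" } },
            { @"CORP\bob",   new[] { "orders:read" } },
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Only enrich a principal that Windows authentication actually authenticated.
        // Minting permission claims for an anonymous request would be a bypass.
        if (incomingPrincipal == null || incomingPrincipal.Identity == null
            || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        // Put the application claims in a second identity on the same principal.
        // The Windows identity stays untouched; ClaimsPrincipal.HasClaim/FindFirst
        // search all identities, so callers see both sets.
        var appIdentity = new ClaimsIdentity("ApplicationClaims");
        string[] granted;
        if (Permissions.TryGetValue(incomingPrincipal.Identity.Name, out granted))
        {
            foreach (var permission in granted)
            {
                appIdentity.AddClaim(new Claim(PermissionClaimType, permission,
                    ClaimValueTypes.String, "ApplicationDb"));
            }
        }
        incomingPrincipal.AddIdentity(appIdentity);
        return incomingPrincipal;
    }
}

public class MvcApplication : HttpApplication
{
    // Runs after the Windows authentication module has set Context.User and before
    // authorization, so every request carries the application claims.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var current = Context.User as ClaimsPrincipal;
        if (current == null)
        {
            return;
        }
        var transformed = new ApplicationClaimsTransformer()
            .Authenticate(Request.Url.AbsoluteUri, current);
        Context.User = transformed;
        Thread.CurrentPrincipal = transformed;
    }
}

// Windows authentication still decides who is authenticated at all.
[Authorize]
public class OrdersController : Controller
{
    [HttpPost]
    public ActionResult Edit(int id)
    {
        var principal = (ClaimsPrincipal)User;
        // Authorize on the application claim, not only on Windows group membership.
        // 403, not 401: a 401 under Windows authentication just re-prompts the browser.
        if (!principal.HasClaim(ApplicationClaimsTransformer.PermissionClaimType, "orders:edit"))
        {
            return new HttpStatusCodeResult(403);
        }
        return View();
    }
}
```

The Windows-issued identity already carries a ClaimTypes.GroupSid claim for every group the account belongs to, so User.IsInRole(@"CORP\Finance") keeps working unchanged; the transformer only adds what Windows cannot know, such as application-level permissions looked up in your own store.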

Related

Two different Authentication in asp.Net web API 2

Is it possible to implement token authentication and basic authentication in a single Web API application? I have two different POST methods. I need one method to use token authentication (OWIN) and the other to use no authentication (or basic authentication). In Startup.Auth.cs we have configured the token authentication details. How do I implement this, or is this possible, and what would be the solution?
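The usual way to mix the two in Web API 2 on OWIN, as an added example that is not from the original question: make the bearer token the only authentication Web API honours, require it on the protected action, and opt the other action out with [AllowAnonymous]. The ReportsController, its routes and the ReportRequest type are illustrative names; token issuance is assumed to be configured in Startup.Auth.cs as the question says. For the basic-authentication variant instead of no authentication, the second action would carry [OverrideAuthentication] plus a custom IAuthenticationFilter that parses the Authorization: Basic header, which is not shown here.

```csharp
// Added example, not code from the original question. Assumptions: Web API 2 hosted
// on OWIN with Microsoft.Owin.Security.OAuth referenced; the token-issuing middleware
// is configured in Startup.Auth.cs as the question says; ReportsController and
// ReportRequest are illustrative names.
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();

        // Keep host authentication (cookies, Windows) out of Web API so that the only
        // identity Web API ever sees is the one the bearer middleware produced.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        config.MapHttpAttributeRoutes();

        // Validates "Authorization: Bearer <token>" tokens issued by this application.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        app.UseWebApi(config);
    }
}

[RoutePrefix("api/reports")]
public class ReportsController : ApiController
{
    // Needs a valid bearer token; otherwise 401 with "WWW-Authenticate: Bearer".
    [Authorize]
    [HttpPost, Route("protected")]
    public IHttpActionResult CreateProtected(ReportRequest request)
    {
        return Ok(new { createdBy = User.Identity.Name, title = request.Title });
    }

    // Reachable with no credentials at all. Nothing identifies the caller, so treat
    // the input as hostile and rate-limit the endpoint at the host or in a handler.
    [AllowAnonymous]
    [HttpPost, Route("public")]
    public IHttpActionResult CreatePublic(ReportRequest request)
    {
        return Ok(new { title = request.Title });
    }
}

public class ReportRequest
{
    public string Title { get; set; }
}
```

SuppressDefaultHostAuthentication matters here: without it a browser holding a cookie for the same site would be authenticated on the "token only" action as well, which is exactly the mixing the question wants to avoid.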

Spring Security Authorize by authentication method

How can I limit access to a method based on the authentication method in Spring Security?
For example, I want two methods of authentication for my service: basic and LDAP. But for one method in my service I only want access to be allowed if the user authenticated using basic authorization.
I know I can add Authentication to the method signature and then check if it's an instance of UsernamePasswordAuthenticationToken, but that seems a bit ugly and not really using the full power of the framework.
I guess I can do the same with PreAuthorize.
Another ugly way to do this is to add a role to every authenticated user that tells the authentication method. I can then authorize based on the role. Again, ugly.
But is there a more out-of-the-box/Springy way of doing this?

Smsession without password

I am trying to create the smsession without giving the password. Can I do that by just passing the user ID and any other information about the user, but not the password, and create the smsession?
No. SiteMinder uses full credentials to create the smsession.
Raj, you can do that by creating a custom authentication scheme in Java. In code you can always return for authentication so SiteMinder will create a session.
I'm not sure what your overall use case is, but the IWA Authentication Scheme will let you perform attribute-based authentication. Using the SM SDK, CoreBlox [Note: I work for CoreBlox] has written a Token Service which exposes a RESTful API interface for SiteMinder that allows for this type of integration. You can find out more about it here -- https://www.coreblox.com/products/coreblox-token-service/

Do I need oauth for access token based authentication

I have a Single Page Application for mobile and non-mobile HTML5 browsers getting data from a RESTful HTTP API built with ASP.NET Web API. We use OWIN self-hosting running in a Windows service.
I do not want cookie-based authentication. I would like to authenticate the user and give him a JSON-based access token with his claims/permissions to edit/create/delete/show certain things in the UI.
I do not need an external login provider. Our users will authenticate with username and password, not their Google email...
Now I ask myself whether I should go in the direction of Thinktecture and IdentityServer, or ASP.NET Identity, or... OWIN and ExternalBearer authentication; I am lost here.
What would be your recommendation based on my information?
IdentityServer is suitable for scenarios where you have multiple applications and want them to authenticate against a single STS, basically if you want SSO. The scenario you described is achieved in IdentityServer by OAuth: that is, you define an application you wish to use IdentityServer to authenticate, and then create an OAuth client to get access tokens for accessing that application. If that's not the case then you're probably better off avoiding the complexity of introducing a 3rd-party component to do that work. We're using IdentityServer to authenticate users of 3 different apps: 2 SPAs and an MVC application. Also, you really can't separate OWIN and ASP.NET Identity in this case. The OWIN middleware will give you the tokens and it will be using ASP.NET Identity as a user repository to authenticate users, so OWIN is just doing the job of providing tokens and using ASP.NET Identity to authenticate users.
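The split the answer describes (OWIN issues the tokens, ASP.NET Identity authenticates the users) written out in code, as an added example that is not from the answer, from IdentityServer or from the ASP.NET project templates. ApplicationUser, ApplicationUserManager and its Create factory are assumed to be the project's own Identity types, named as in the Visual Studio template; the urn:example:permission claim type, the "spa" client_id and the lockout handling are assumptions.

```csharp
// Added example, not code from the answer, from IdentityServer or from the ASP.NET
// templates. Assumptions: Microsoft.Owin.Security.OAuth and
// Microsoft.AspNet.Identity.Owin (Identity 2.x) are referenced; ApplicationUser and
// ApplicationUserManager (with a Create factory) are the project's own Identity types;
// per-user permissions are stored as user claims of the hypothetical type
// "urn:example:permission"; lockout is enabled on the user manager.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    private const string PermissionClaimType = "urn:example:permission";

    // The SPA is a public client: it cannot keep a secret, so there is nothing to
    // authenticate. Accept only the client_id registered for it.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        context.TryGetFormCredentials(out clientId, out clientSecret);
        if (clientId == "spa")
        {
            context.Validated(clientId);
        }
        return Task.FromResult(0);
    }

    // grant_type=password: ASP.NET Identity is the user repository, OWIN mints the token.
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        // One message for every failure cause: don't reveal which part was wrong.
        const string failure = "The user name or password is incorrect.";

        var user = await userManager.FindByNameAsync(context.UserName);
        if (user == null || await userManager.IsLockedOutAsync(user.Id))
        {
            context.SetError("invalid_grant", failure);
            return;
        }
        if (!await userManager.CheckPasswordAsync(user, context.Password))
        {
            await userManager.AccessFailedAsync(user.Id); // counts towards lockout
            context.SetError("invalid_grant", failure);
            return;
        }
        await userManager.ResetAccessFailedCountAsync(user.Id);

        // CreateIdentityAsync loads the user's stored claims (including the permission
        // claims) and roles; the authentication type must be "Bearer" so the bearer
        // middleware on the resource side accepts the resulting ticket.
        var identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        context.Validated(identity);
    }

    // The access token is protected and opaque to the browser, so hand the SPA the
    // permission list it needs for UI decisions next to the token. The server still
    // enforces every permission on the API; the UI copy is a convenience, not a control.
    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        var permissions = context.Identity.FindAll(PermissionClaimType).Select(c => c.Value);
        context.AdditionalResponseParameters.Add("permissions", string.Join(" ", permissions));
        return Task.FromResult(0);
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed template factory: one ApplicationUserManager per request.
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new PasswordGrantProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            // Bearer tokens are credentials: never issue them over plain HTTP.
            AllowInsecureHttp = false,
        });

        // Resource side: read "Authorization: Bearer <token>" and set the request's
        // ClaimsPrincipal, so [Authorize] and claim checks work in the Web API controllers.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

The SPA obtains a token with a POST to /token whose form body is grant_type=password&username=...&password=...&client_id=spa, gets back access_token, token_type, expires_in and the added permissions parameter as JSON, and then sends Authorization: Bearer <access_token> on every API call. With the default options the token is a ticket protected by the host's data-protection provider rather than a signed JWT, which is why the browser cannot read the claims out of it and they are returned beside it instead.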

Programmatic authentication

I am using Spring Security in my application.
I have all the pages secured. But a couple of URLs need to be available both for system users and anonymous users.
But an anonymous user should not have direct access to the URLs. He gets a link with a unique token and gets access to some URLs if this token is valid.
What I want to do is:
In the controller, check if the token in the URL is valid
If it is, authenticate the user in the system programmatically using some predefined login and password. This user will be configured to have the authority to access the necessary URLs.
The question is:
Is this a correct approach, to perform user authentication programmatically with some roles in the controller if the token is valid? Is this a safe approach?
Security is an aspect. An aspect can be decoupled from your main code (the controller) to reduce code duplication and improve flexibility. Move the authentication code from the controller to a new filter (be sure that this filter is executed after the Spring Security filter chain). You will be able to secure new URLs via web.xml (zero lines of code).
I think the better way to do this is:
move the shared operations into the service layer
define a controller for those anonymous users and make its authority anonymous
check the validity of the token in this controller
if valid, call some service methods to perform the operations
render the result in this controller
