I have a web service defined as:
[ScriptService]
public class LoginController : ApiController
{
[HttpGet]
[WebMethod]
public IEnumerable<string> getUsers()
{
try
{
using (var context = new questionanswerEntities())
{
var users = context.users.ToList();
string[] result = new string[users.Count];
for (int i = 0; i < users.Count; ++i)
{
user u = users[i];
result[i] = u.id + " " + u.name + " " + u.email;
}
return result;
}
}
catch (MySqlException ex)
{
throw (ex);
}
catch (EntityException ex)
{
throw (ex);
}
}
}
I have published this service to my localhost and I am able to call and test it with a browser and the result is:
<ArrayOfstring>
<string>1 Olcay aaa#aaa.com</string>
<string>2 Mukaddes aaa#aaa.com</string>
<string>3 Saduman sadumanertas#gmail.com</string>
<string>4 Bernam bernella#bb.com</string>
<string>8 Bernella bernella#gmail.com</string>
<string>9 Bernella bernella#gmail.com</string>
<string>10 Bernella bernella#gmail.com</string>
<string>11 Bernella bernella#gmail.com</string>
<string>12 Bernella bernella#gmail.com</string>
<string>13 Bernella bernella#gmail.com</string>
<string>14 lala loorrrrr#gmail.com</string>
<string>15 lala loorrrrr#gmail.com</string>
</ArrayOfstring>
What I need is to call this service from JavaScript. I am trying this:
function callService() {
var url = "http://localhost:1903/QATest/login/getUsers";
var xhr = new XMLHttpRequest();
xhr.open('GET', url, true);
xhr.setRequestHeader("Content-type", "application/json");
xhr.onload = function () {
var response = xhr.responseText;
console.log("XHR - onload - Result of getUsers: " + response);
document.getElementById('response').innerHTML = "Response: " + response;
};
xhr.onerror = function () {
console.log("XHR - onerror - Web servis cagirilirken hata olustu!");
};
xhr.send();
};
But getting this error:
XMLHttpRequest cannot load http://localhost:1903/QATest/login/getUsers. Invalid HTTP status code 405
My ASP.NET service is hosted on my localhost and client side codes are hosted at my remote host at 'www.olcayertas.com'.
What am I doing wrong?
UPDATE:
I have started this project as ASP.NET Web application and then selected Web API option. So there is no any asmx files as web service projects. But Exposing Web Services to Client Script suggests adding following to client side for ASP.NET web pages:
<asp:ScriptManager runat="server" ID="scriptManager">
<Services>
<asp:ServiceReference
path="~/WebServices/SimpleWebService.asmx" />
</Services>
</asp:ScriptManager>
But I have to call my services using JavaScript from a PHP page.
How can I do that?
You are being blocked because you are attempting a Cross-Origin XMLHttpRequest which fails because of the Same-origin policy
You will need to configure CORS on you local host to allow requests from 'www.olcayertas.com'. With IIS you might just need to add this to the web.config;
<add name="Access-Control-Allow-Origin" value="*" />
Be careful though as this opens up your service to requests from any domain. You should probably only allow requests from 'www.olcayertas.com' if you know this is the only consumer of your web service.
Related
Good morning,
I need to have in same project both web api and web app mvc.
Web api has to be protected via bearer token and web app mvc has to be authenticated via identity server.
Is it possible protecting a scope and a client in same project?
I think I have to do something like this in startup
//this to protect scope api1
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "http://localhost:5000/";
options.RequireHttpsMetadata = false;
options.Audience = "api1";
});
//this to authenticate mvc client
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies", options =>
{
options.AccessDeniedPath = "/account/denied";
})
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = "http://localhost:5000",
options.RequireHttpsMetadata = false;
options.ResponseType = "id_token token";
options.ClientId = "mvc-implicit";
options.SaveTokens = true;
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("api1");
options.GetClaimsFromUserInfoEndpoint = true;
options.ClaimActions.MapJsonKey("role", "role", "role");
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
};
});
Now, I have to call my Api1 using client_credential with an external client.
But it returns me at login page.
Is it possible to do what I want?
Protected WebApi and Authenticated MVC client in same project?
Now, I have to call my Api1 using client_credential with an external client. But it returns me at login page.
That seems you misunderstand the scenario . Your MVC application is client also is a resource application which protected by Identity Server (in Config.cs):
public static IEnumerable<ApiResource> GetApis()
{
return new List<ApiResource>
{
new ApiResource("api1", "My API")
};
}
I assume you have api controller in your MVC application :
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
// GET: api/Values
[HttpGet]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public IEnumerable<string> Get()
{
return new string[] { "value1", "value2" };
}
}
And you have config to protect the api actions by using AddJwtBearer :
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "http://localhost:5000/";
options.RequireHttpsMetadata = false;
options.Audience = "api1";
});
That means any request to access the Get action should have an authentication bearer header with access token append , the access token is issued by your Identity Server(endpoint is http://localhost:5000/) and the audience is api1 .
Now your another client could use client credential flow to acquire access token to access your web application :
var client = new HttpClient();
var disco = await client.GetDiscoveryDocumentAsync("http://localhost:5000");
if (disco.IsError)
{
Console.WriteLine(disco.Error);
return;
}
// request token
var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
Address = disco.TokenEndpoint,
ClientId = "client",
ClientSecret = "secret",
Scope = "api1"
});
And call your protected actions :
var apiClient = new HttpClient();
apiClient.SetBearerToken(tokenResponse.AccessToken);
var response = await apiClient.GetAsync("http://localhost:64146/api/values");
if (!response.IsSuccessStatusCode)
{
Console.WriteLine(response.StatusCode);
}
else
{
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine(JArray.Parse(content));
}
So it won't redirect to login page , since client credential in fact is sending HTTP POST request to get access token with app's credential . There is no login page in this scenario .
I have a Web API service hosted in Microsoft Azure. I need a certain POST method to be only accessible with one unique username and password.
I understand the [Authorize] method does a token based authentication but its not tied to a single username and password. In my app, the web api also does the login authentication, so anyone who registers can access this post method if im not mistaken. (Please correct me if im wrong)
I am new to this could you guide me the right way please.
This is my WebAPI Post method i want to secure access to with specific unique username&pass:
[AllowAnonymous]
[HttpPost, Route("send")]
public async Task<NotificationOutcome> Post([FromBody]string message)
{
string hubName = "myHub";
string hubNameDefaultShared = "myHubNameDefaultShared";
NotificationHubClient hub = NotificationHubClient
.CreateClientFromConnectionString(hubNameDefaultShared, hubName, enableTestSend: true);
string installationId = string.Empty;
var templateParams = new Dictionary<string, string>
{
["messageParam"] = message
};
NotificationOutcome result = null;
if (string.IsNullOrWhiteSpace(installationId))
{
result = await hub.SendTemplateNotificationAsync(templateParams).ConfigureAwait(false);
}
else
{
result = await hub.SendTemplateNotificationAsync(templateParams, "$InstallationId:{" + installationId + "}").ConfigureAwait(false);
}
return result;
}
And this is how I currently access the POST Method:
var client = new RestClient("myWebApiRouteName");
var request = new RestRequest(Method.POST);
request.AddHeader("Postman-Token", "46c23eba-8ca6-4ede-b4fe-161473dc063a");
request.AddHeader("cache-control", "no-cache");
request.AddHeader("Content-Type", "application/json");
request.AddParameter("undefined", messageBody, ParameterType.RequestBody);
try
{
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
I'm building an ASP.NET Core 2.0 website using MVC and WebAPI to provide access to a series of microservices. Where a WebAPI controller requires a user to be authenticated and authorised (using the Authorize attribute), any unauthorised or not-logged in user gets the response back as the entire HTML for the MVC login page.
When unauthorised users access the API, I would like to return the HTTP status code 401 and its associated error message in the response, instead of an entire HTML page.
I've looked at a few existing questions and noticed that they either refer to ASP.NET MVC (such as SuppressDefaultHostAuthentication in WebApi.Owin also suppressing authentication outside webapi) which is no good for ASP.NET Core 2.0. Or they are using a hackaround for Core 1.x, which just doesn't seem right (ASP.Net core MVC6 Redirect to Login when not authorised).
Has a proper solution been implemented in Core 2.0 that anyone is aware of? If not, any ideas how it could be implemented properly?
For reference, there's part of a controller as an example:
[Authorize]
[ApiVersion("1.0")]
[Produces("application/json")]
[Route("api/V{ver:apiVersion}/Organisation")]
public class OrganisationController : Controller
{
...
[HttpGet]
public async Task<IEnumerable<string>> Get()
{
return await _organisationService.GetAllSubdomains();
}
...
}
And the configurations within Statup.cs:
public void ConfigureServices(IServiceCollection services)
{
...
// Add API version control
services.AddApiVersioning(options =>
{
options.ReportApiVersions = true;
options.AssumeDefaultVersionWhenUnspecified = true;
options.DefaultApiVersion = new ApiVersion(1, 0);
options.ErrorResponses = new DefaultErrorResponseProvider();
});
// Add and configure MVC services.
services.AddMvc()
.AddJsonOptions(setupAction =>
{
// Configure the contract resolver that is used when serializing .NET objects to JSON and vice versa.
setupAction.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
});
...
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
...
app.UseStatusCodePagesWithRedirects("/error/index?errorCode={0}");
app.UseStaticFiles();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
...
}
There is an easy way to suppress redirect to Login page for unathorized requests. Just add following call of ConfigureApplicationCookie extension method in your ConfigureServices:
services.ConfigureApplicationCookie(options =>
{
options.Events.OnRedirectToLogin = context =>
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
return Task.CompletedTask;
};
});
Or if you need custom error message in response body:
services.ConfigureApplicationCookie(options =>
{
options.Events.OnRedirectToLogin = async context =>
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await context.Response.WriteAsync("Some custom error message if required");
};
});
As far as you're using redirects to custom error pages for error codes (UseStatusCodePagesWithRedirects() call in Configure method), you should add filter for 401 error. To achieve this, remove call to UseStatusCodePagesWithRedirects and use UseStatusCodePages extension method with skip of redirect for Unauthorized code:
//app.UseStatusCodePagesWithRedirects("/error/index?errorCode={0}");
app.UseStatusCodePages(context =>
{
if (context.HttpContext.Response.StatusCode != (int)HttpStatusCode.Unauthorized)
{
var location = string.Format(CultureInfo.InvariantCulture, "/error/index?errorCode={0}", context.HttpContext.Response.StatusCode);
context.HttpContext.Response.Redirect(location);
}
return Task.CompletedTask;
});
If you're using JWT for authentication with an ASP.NET Core 2 API; you can configure the unauthorized response when you're configuring the services for Authentication & JWT:
services.AddAuthentication( JwtBearerDefaults.AuthenticationScheme )
.AddJwtBearer(options => options.Events = new JwtBearerEvents()
{
OnAuthenticationFailed = c =>
{
c.NoResult();
c.Response.StatusCode = 401;
c.Response.ContentType = "text/plain";
return c.Response.WriteAsync("There was an issue authorizing you.");
}
});
I am beginner in ASP.NET MVC and trying to get email using smtp server and ajax in webApplication. When user click on the button my code will generate the email which will be send to desired ID. I am successfully getting my all values by debug the code. But, I am not able to receive the email there. Although, I am also getting Success massage from browser. But no email is there, in my desirable account.
Index.cshtml
<div>
<a class="btn btn-primary btn-block btn-lg" onclick="SendEmail()" >Click to send Email</a>
</div>
<script>
var SendEmail = function () {
$.ajax({
type: "Post",
url: "/Feedbacks/SendMailToUser",
success: function (data) {
alert("Success");
}
})
}
</script>
FeedbacksController.cs
public JsonResult SendMailToUser() {
bool result = false;
result = SendEmail("abc#gmail.com", "Test", "<p>Hi abc,<br/>This message is for testing purpose. So don't be upset.<br/>Kind Regards,<br/>abc</p>");
return Json(result, JsonRequestBehavior.AllowGet);
}
public bool SendEmail(string toEmail, string subject, string emailBody) {
try
{
string senderEmail = System.Configuration.ConfigurationManager.AppSettings["SenderEmail"].ToString();
string senderPassword = System.Configuration.ConfigurationManager.AppSettings["SenderPassword"].ToString();
SmtpClient client = new SmtpClient("smtp.gmail.com", 578);
client.EnableSsl = true;
client.Timeout = 100000;
client.DeliveryMethod = SmtpDeliveryMethod.Network;
client.UseDefaultCredentials = false;
client.Credentials = new NetworkCredential(senderEmail, senderPassword);
MailMessage mailMessage = new MailMessage(senderEmail, toEmail, subject, emailBody);
mailMessage.IsBodyHtml = true;
mailMessage.BodyEncoding = UTF8Encoding.UTF8;
client.Send(mailMessage);
return true;
}
catch (Exception ex) {
return false;
}
}
}
Web.config
<appSettings>
<add key="SenderEmail" value="abc#gmail.com" />
<add key="SenderPassword" value="********" />
</appSettings>
Try to use SmtpClient without object initializer:
SmtpClient client = new SmtpClient();
I have solved my problem because I was using wrong port number. When I use
SmtpClient client = new SmtpClient("smtp.gmail.com", 587);
instead of
SmtpClient client = new SmtpClient("smtp.gmail.com", 578);
I got email there.
you insert wrong port you can use simple 587 and also 25
I am implementing IdentityServer4 with variety of clients, One of the clients is a Javascript application, I have implemented the implicit flow for authentication and everything is working fine.
On my Javascript application , I have a button to login, once I click on the button I am redirected to IdentityServer and after successful login I am redirected back to my application along with my access token.
Now what I want to do is, move the login to the client side so that each application can have its own login UI (with its own theme).
app.js
function log() {
document.getElementById('results').innerText = "";
Array.prototype.forEach.call(arguments, function (msg) {
if (msg instanceof Error) {
msg = "Error:" + msg.message;
}
else if (typeof msg !== 'string') {
msg = JSON.stringify(msg, null, 2);
}
document.getElementById('results').innerHTML += msg + "\r\n";
});
}
document.getElementById("login").addEventListener('click', login, false);
document.getElementById('api').addEventListener('click', api, false);
document.getElementById("logout").addEventListener("click", logout, false);
//configure client
var config = {
authority: "http://localhost:5000",
client_id: "js",
redirect_uri: "http://localhost:5004/callback.html",
response_type: "id_token token",
scope: "openid profile api1 role",
post_logout_redirect_uri: "http://localhost:5004/index.html"
};
//init user manager
var mgr = new Oidc.UserManager(config);
//check if user is logged in already
mgr.getUser().then(function (user) {
if (user) {
log("User logged in", user.profile);
} else {
log("User is not logged in.");
}
});
function login() {
mgr.signinRedirect();
}
function api() {
mgr.getUser().then(function (user) {
var url = "http://localhost:5001/identity/getfree";
var xhr = new XMLHttpRequest();
xhr.open("GET", url);
xhr.onload = function () {
log(xhr.status, JSON.parse(xhr.responseText));
};
xhr.setRequestHeader("Authorization", "Bearer " + user.access_token);
xhr.send();
});
}
function logout() {
mgr.signoutRedirect();
}
IdentityServer StartUp.cs
public void ConfigureServices(IServiceCollection services)
{
// Add framework services.
var connectionString = "Server=localhost;port=3306;database=netcore;uid=root;Password=Liverpool1";
services.AddApplicationInsightsTelemetry(Configuration);
services.AddDbContext<ApplicationDbContext>(options => options.UseMySQL(connectionString));
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
services.AddMvc();
// Add application services.
services.AddTransient<IEmailSender, AuthMessageSender>();
services.AddTransient<ISmsSender, AuthMessageSender>();
services.AddIdentityServer()
.AddTemporarySigningCredential()
.AddInMemoryScopes(Config.GetScopes())
.AddInMemoryClients(Config.GetClients())
// .AddConfigurationStore(builder => builder.UseMySQL(connectionString))
//.AddOperationalStore(builder => builder.UseMySQL(connectionString))
.AddAspNetIdentity<ApplicationUser>();
}
This is not possible and breaks the whole point of implicit flow and all the other federated sign on flows. The whole point of implicit flow is that you do not pass user credentials through the client but rather it goes to the identity provider.
You have two options:
Finding out a way to serve up different logins per "tenant" in
ASP.NET Core.
Use Resource Owner flow and pass the user credentials
through the client.
Option 1 is probably the best but requires more work, option 2 is a cop out and using RO flow is an anti-pattern.