Form Authentication, ASP.NET MVC Service, and WCF RESTful

One test web server with the following applications

service.ganymedes.com:8008 - WCF RESTful service, basically a FormsAuth sample from WCF 2 Preview Starter Kit

mvc.ganymedes.com:8008 - ASP.NET MVC 2.0 application

web.config for service.ganymedes.com:

<authentication mode="Forms">
  <forms loginUrl="~/login.aspx" timeout="2880" domain="ganymedes.com" name="GANYMEDES_COOKIE" path="/" />
</authentication>

web.config for mvc.ganymedes.com:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" domain="ganymedes.com" name="GANYMEDES_COOKIE" path="/" />
</authentication>

Trying my darndest, GET (or POST, for that matter) via jQuery $.ajax or getJSON does not send my cookie (according to Firebug), so I get HTTP 302 returned from the WCF service:

Request Headers
Host: service.ganymedes.com:8008
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://mvc.ganymedes.com:8008/Test
Origin: http://mvc.ganymedes.com:8008

It is sent when mucking about on the MVC website:

Request Headers
Host: mvc.ganymedes.com:8008
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://mvc.ganymedes.com:8008/Test
Cookie: GANYMEDES_COOKIE=0106A4A666C8C615FBFA9811E9A6C5219C277D625C04E54122D881A601CD0E00C10AF481CB21FAED544FAF4E9B50C59CDE2385644BBF01DDD4F211FE7EE8FAC2; GANYMEDES_COOKIE=D6569887B7C5B67EFE09079DD59A07A98311D7879817C382D79947AE62B5508008C2B2D2112DCFCE5B8D4C61D45A109E61BBA637FD30315C2D8353E8DDFD4309

I also put the same settings in the web.config files of both applications (self-generated validationKey and decryptionKey).

In the WCF binding configuration, the FormsAuth example does not have an explicit <bindings> element, but I added the following:

<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true">
    <baseAddressPrefixFilters>
      <add prefix="http://service.ganymedes.com:8008" />
    </baseAddressPrefixFilters>
  </serviceHostingEnvironment>
</system.serviceModel>

or the service will not communicate at all. I can use the same data URI as in the jQuery call directly in the browser; it will send a cookie and WCF will return the data. I just can't use it when calling across subdomains and include the auth cookie.


OK, I assume this is a known security restriction (Same Origin Policy). I knew about cross-domain blocks, but I thought that would be normal for subdomains.

I spent about 2 weeks learning WCF and REST (and also using MVC as a RESTful web service), always with AJAX in mind, and this never came up before the proof of concept was implemented. Go figure.

Obviously, basic authentication will not work across subdomains through AJAX. JSONP will work with forms authentication / cookies, it seems, but it won't work with basic authentication (I don't want to limit myself to HTTP GET anyway ...). Changing document.domain did not do the trick for me.

I suppose I still have to put everything in the same domain or manually send authentication information as request parameters on each call, but both of these solutions look like shitty workarounds (and the latter is also not more secure). Well.

Now I feel stupid.

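As an added example that is not part of the question or answer above: the same-origin check a browser applies to the two hosts in the question, and the response headers a service would have to return (the standard CORS mechanism, not anything from the WCF starter kit) before a browser will attach the forms cookie to a cross-subdomain XHR; the allowlist is an assumption for illustration.

```javascript
// Same-origin policy compares the (scheme, host, port) triple. Two subdomains
// of ganymedes.com are different origins even on the same scheme and port,
// which is why the cookie scoped to domain=ganymedes.com is never attached
// to the cross-origin XHR even though the cookie itself is eligible.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// For a credentialed cross-origin XHR (client sets withCredentials = true,
// e.g. jQuery's xhrFields: { withCredentials: true }) the browser requires the
// server to name the exact calling origin and opt in to credentials. A wildcard
// "*" is rejected by the browser when credentials are involved, so the origin
// is echoed only when it is on an explicit allowlist, never reflected blindly.
function corsHeadersForCredentialedRequest(originHeader, allowedOrigins) {
  if (!originHeader || !allowedOrigins.includes(originHeader)) {
    return null; // not an allowed caller: send no CORS headers at all
  }
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // cached responses must not leak one origin's headers to another
  };
}

// Constructed scenario matching the question: the MVC page calls the WCF service.
const ALLOWED_ORIGINS = ["http://mvc.ganymedes.com:8008"]; // assumption

function demo() {
  const crossOrigin = !sameOrigin(
    "http://mvc.ganymedes.com:8008/Test",
    "http://service.ganymedes.com:8008/Service.svc/data"
  );
  const headers = corsHeadersForCredentialedRequest("http://mvc.ganymedes.com:8008", ALLOWED_ORIGINS);
  return { crossOrigin, headers };
}

console.log(demo());
```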

Source: https://habr.com/ru/post/1310742/
