How to use ServiceStack Authentication with Active Directory/Windows Authentication?

穿精又带淫゛_ submitted on 2019-12-02 19:00:49

I've also hooked up ServiceStack with Integrated Windows Authentication (for a corporate application), and the key was to skip trying to integrate it with ServiceStack's AuthProviders entirely, since the general approach of IWA doesn't deal with credentials in your application code -- it's handled by the web server. What I did was:

  1. Configure the site/application in IIS so that Windows Authentication was the only enabled option. (No Anonymous access allowed.) This means IIS itself will take care of the challenge-response (HTTP 401/200) sequence with unauthenticated users, and handles the authentication part of the process for you.

  2. Implement ServiceStack's IHasRequestFilter (an HTTP pre-request filter) as an Attribute (e.g., [AdminOnly]). This filter's RequestFilter method fetches the current username from HttpContext (HttpContext.User.Identity.Name), looks it up from a repository (which could be a SQL database, flat file, etc.), caches results using ServiceStack's ICacheClient (memory cache, Redis, etc.), and throws a 403 HttpError if unauthorized.

With this done, all that was necessary was to add the attribute to classes or methods where desired (which gets this authentication/authorization into the service pipeline where desired), and register my desired cache provider in my AppHost implementation, e.g.:

    container.Register<ICacheClient>(new MemoryCacheClient() { FlushOnDispose = false });

It works beautifully.
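The filter described in step 2, sketched as an added example (not the answerer's code). It assumes ServiceStack v4+ namespaces and derives from RequestFilterAttribute, ServiceStack's base class that implements IHasRequestFilter; IAdminRepository, the cache key prefix and the five-minute lifetime are hypothetical:

```csharp
using System;
using System.Net;
using System.Web;
using ServiceStack;          // v4+ namespaces (assumption); v3 used ServiceStack.ServiceInterface
using ServiceStack.Caching;
using ServiceStack.Web;

// Hypothetical lookup abstraction (SQL, flat file, ...); not part of ServiceStack.
public interface IAdminRepository
{
    bool IsAdmin(string windowsAccountName);
}

public class AdminOnlyAttribute : RequestFilterAttribute
{
    // Public properties on filter attributes are auto-wired from the AppHost container.
    public ICacheClient Cache { get; set; }
    public IAdminRepository Admins { get; set; }

    // Short lifetime so a revoked admin loses access soon after the repository changes.
    private static readonly TimeSpan CacheFor = TimeSpan.FromMinutes(5);

    public override void Execute(IRequest req, IResponse res, object requestDto)
    {
        var user = HttpContext.Current != null ? HttpContext.Current.User : null;

        // Fail closed: if IIS still allows Anonymous access, the identity is
        // unauthenticated and Name is empty.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated
            || string.IsNullOrEmpty(user.Identity.Name))
            throw new HttpError(HttpStatusCode.Forbidden, "Windows identity required");

        // Identity.Name is DOMAIN\user; account names are case-insensitive, so normalise the key.
        var name = user.Identity.Name.ToLowerInvariant();
        var key = "adminonly:" + name;

        // Cache a string, not a bool: Get<bool> returns false for a missing key as well.
        var cached = Cache.Get<string>(key);
        if (cached == null)
        {
            cached = Admins.IsAdmin(name) ? "allow" : "deny";
            Cache.Set(key, cached, CacheFor);
        }

        if (cached != "allow")
            throw new HttpError(HttpStatusCode.Forbidden, "Not authorised");
    }
}
```

An IAdminRepository implementation has to be registered in the AppHost container alongside the ICacheClient for the properties to be populated.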

Here is what Demis Bellot said on Twitter. Probably possible but needs more research.

Not something I've investigated, don't work in the Win/Active Directory anymore. Requires some R&D to find/resolve the issue

I did eventually get a prototype service working with AD. I implemented the CredentialsAuthProvider. Now this is not tied to ASP.NET IWA at all, but does easily check to see if the user is in AD. Hopefully this might help someone.

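using System;
using System.Configuration;
using System.DirectoryServices;
using ServiceStack;       // ServiceStack v4+; v3 used ServiceStack.ServiceInterface
using ServiceStack.Auth;  // v3: ServiceStack.ServiceInterface.Auth

public class LDAPAuthProvider : CredentialsAuthProvider
{
    public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
    {
        // Reject blank credentials up front: an LDAP simple bind with an empty
        // password can be treated as an unauthenticated bind and succeed.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        // Check whether the username/password combination is valid; binding
        // throws an exception if the username or password is wrong.
        try
        {
            // "TargetOU" holds the LDAP path to bind against.
            using (var entry = new DirectoryEntry(ConfigurationManager.AppSettings["TargetOU"], userName, password))
            {
                // Reading NativeObject forces the bind to the directory.
                object nativeObject = entry.NativeObject;
            }
        }
        catch (Exception)
        {
            // The username/password combination failed.
            return false;
        }

        return true;
    }
}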