c# - JWT and Web API (JwtAuthForWebAPI?) - Looking For An Example -

-

i've got web api project fronted angular, , want secure using jwt token. i've got user/pass validation happening, think need implement jwt part.

i believe i've settled on jwtauthforwebapi example using great.

i assume method not decorated [authorize] behave does, , method decorated [authorize] 401 if token passed client doesn't match.

what can't yet figure out how send token client upon initial authentication.

i'm trying use magic string begin, have code:

registerroutes(globalconfiguration.configuration.routes); var builder = new securitytokenbuilder(); var jwthandler = new jwtauthenticationmessagehandler {     allowedaudience = "http://xxxx.com",     issuer = "corp",     signingtoken = builder.createfromkey(convert.tobase64string(new byte[]{4,2,2,6})) };  globalconfiguration.configuration.messagehandlers.add(jwthandler);

but i'm not sure how gets client initially. think understand how handle on client, bonus points if can show angular side of interaction.

i ended-up having take information several different places create solution works me (in reality, beginnings of production viable solution - works!)

i got rid of jwtauthforwebapi (though did borrow 1 piece allow requests no authorization header flow through webapi controller methods not guarded [authorize]).

instead i'm using microsoft's jwt library (json web token handler microsoft .net framework - nuget).

in authentication method, after doing actual authentication, create string version of token , pass along authenticated name (the same username passed me, in case) , role which, in reality, derived during authentication.

here's method:

[httppost] public loginresult postsignin([frombody] credentials credentials) {     var auth = new loginresult() { authenticated = false };      if (trylogon(credentials.username, credentials.password))     {         var tokendescriptor = new securitytokendescriptor         {             subject = new claimsidentity(new[]             {                 new claim(claimtypes.name, credentials.username),                  new claim(claimtypes.role, "admin")             }),              appliestoaddress = configurationmanager.appsettings["jwtallowedaudience"],             tokenissuername = configurationmanager.appsettings["jwtvalidissuer"],             signingcredentials = new signingcredentials(new                  inmemorysymmetricsecuritykey(jwttokenvalidationhandler.symmetrickey),                 "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",                 "http://www.w3.org/2001/04/xmlenc#sha256")             };              var tokenhandler = new jwtsecuritytokenhandler();             var token = tokenhandler.createtoken(tokendescriptor);             var tokenstring = tokenhandler.writetoken(token);              auth.token = tokenstring;             auth.authenticated = true;         }      return auth; }

update

there question handling token on subsequent requests. did create delegatinghandler try , read/decode token, create principal , set thread.currentprincipal , httpcontext.current.user (you need set both). finally, decorate controller methods appropriate access restrictions.

here's meat of delegatinghandler:

private static bool tryretrievetoken(httprequestmessage request, out string token) {     token = null;     ienumerable<string> authzheaders;     if (!request.headers.trygetvalues("authorization", out authzheaders) || authzheaders.count() > 1)     {         return false;     }     var bearertoken = authzheaders.elementat(0);     token = bearertoken.startswith("bearer ") ? bearertoken.substring(7) : bearertoken;     return true; }   protected override task<httpresponsemessage> sendasync(httprequestmessage request, cancellationtoken cancellationtoken) {     httpstatuscode statuscode;     string token;      var authheader = request.headers.authorization;     if (authheader == null)     {         // missing authorization header         return base.sendasync(request, cancellationtoken);     }      if (!tryretrievetoken(request, out token))     {         statuscode = httpstatuscode.unauthorized;         return task<httpresponsemessage>.factory.startnew(() => new httpresponsemessage(statuscode));     }      try     {         jwtsecuritytokenhandler tokenhandler = new jwtsecuritytokenhandler();         tokenvalidationparameters validationparameters =             new tokenvalidationparameters()             {                 allowedaudience = configurationmanager.appsettings["jwtallowedaudience"],                 validissuer = configurationmanager.appsettings["jwtvalidissuer"],                 signingtoken = new binarysecretsecuritytoken(symmetrickey)             };          iprincipal principal = tokenhandler.validatetoken(token, validationparameters);         thread.currentprincipal = principal;         httpcontext.current.user = principal;          return base.sendasync(request, cancellationtoken);     }     catch (securitytokenvalidationexception e)     {         statuscode = httpstatuscode.unauthorized;     }     catch (exception)     {         statuscode = httpstatuscode.internalservererror;     }      return task<httpresponsemessage>.factory.startnew(() => new httpresponsemessage(statuscode)); }

don't forget add messagehandlers pipeline:

public static void start() {     globalconfiguration.configuration.messagehandlers.add(new jwttokenvalidationhandler()); }

finally, decorate controller methods:

[authorize(roles = "onerolehere")] [get("/api/admin/settings/product/allorgs")] [httpget] public list<org> getallorganizations() {     return queryabledependencies.getmergedorganizations().tolist(); }  [authorize(roles = "adifferentrolehere")] [get("/api/admin/settings/product/allorgswithapproval")] [httpget] public list<approvableorg> getallorganizationswithapproval() {     return queryabledependencies.getmergedorganizationswithapproval().tolist(); }

Comments

Post a Comment

Popular posts from this blog

php - Magento - Deleted Base url key -

-
i working on cleaning url: http://mydomain.com/shop/shop/deals i going through settings in configuration tab in admin panel on magento , change secure , unsecure base urls remove first base url "shop" web page read: http://mydomain.com/shop/deals so changed unsecure base urls mydomain.com/shop mydomain.com , secure 12.345.67.89/shop 12.345.67.89. wrong thing do. i cannot reload page or admin console. how access these files through ftp , change correctly there?? when make changes in admin panel changes made in database not in file. have make changes in database. 1.go database , select core_config_data table under table find web/unsecure/base_url , web/secure/base_url . make changes here. don't forget clear cache in var/cache folder
Read more

javascript - Tooltipster plugin not firing jquery function when button or any click even occur -

-
i want use tooltipster plugin click element in body show tooltip , want have close button inside tooltip close it. however use jquery click() function handle won't fired. tried solution in post. worked when tooltip triggered hover event. tooltipster plugin not firing jquery function when link in in tooltip clicked the original solution using hover in jsfiddle trigger: 'hover', instead using click show tooltip trigger: 'click', http://jsfiddle.net/bcqyl/7/ it won't fire click event in jquery block. can captured normal javascript function only. checked should code in tooltipster plugin locked , captured "click()" event inside tips when in click trigger mode. i tried other event onchange event of radio button fired when using code in original solution @evan right. tooltip doesn't exist in dom , can't bind/delegate action (even if go way $(document) after domready). if you're after close button inside of too...
Read more

java - WrongTypeOfReturnValue exception thrown when unit testing using mockito -

-
my test list<person> mylist; @test public void testisvalidperson() { mylist = new arraylist<person>(); mylist.add(new person("tom")); when(persondao.get(person)).thenreturn(mylist); when((persondao.get(person)).isempty()).thenreturn(false);//------exception thrown boolean result = service.isvalid("tom"); assertfalse(result); } method tested: public boolean isvalid(string person){ persondao = new persondao(); person personobj = new person(person); return (persondao.get(person).isempty())?false : true; } exception thrown: org.mockito.exceptions.misusing.wrongtypeofreturnvalue: boolean cannot returned get() get() should return list *** if you're unsure why you're getting above error read on. due nature of syntax above problem might occur because: 1. exception *might* occur in wrongly written multi-threaded tests. please refer mockito faq on limitations of concurrency testing. 2. sp...
Read more