Show UI element based on authentication

Often it’s necessary to show or hide UI elements based on the users authentication. This short post will show a way to use an application context to work as source.


The application context is a class I have placed in the root of my project. It contain a static property called Current used to gain easy access to it’s properties. It implements INotifyPropertyChanged so it’s possible to notify if a property is changed. In this sample I have added a bool property called IsAuthenticated.





To actually use the application context in bindings in the xaml it’s necessary to point to a resource that points to the class. In the sample below I have called the namespace root and called the resource Context. Furthermore I have added a resource to a bool to visibility converter from the Quebec framework and called it BoolToVisibilityConverter.

More Here

Courtesy:http://xamlgeek.net/2011/01/08/show-ui-element-based-on-authentication/

LDAP Authentication & Authorization Dissected and Digested

The steps below are general enough to be used by anyone and will hopefully shed some light into the steps performed in LDAP authentication.  The process below also includes some steps for authorization.

Authentication

1.  Get a connection to the LDAP server.
With the host and port for the LDAP server, create a connection to it.  This can be  a simple direct connection or a pooled connection.  If more than a basic test, it is best to use a pooled connection.  Log and fail if a connection cannot be created.

2.  Bind as the application user.
Bind the connection to the application user.  This user should have enough permissions to search the area of LDAP where users are located.  This user may also have permissions to search for things outside of the users area (groups, authorization).  Log and fail if the application user cannot bind.

3.  Search for the DN (distinguished name) of the user to be authenticated.
This is where we verify the username is valid.  This does not authenticate the user but simply makes sure the requested username exists in the system.  Log and fail if the user’s DN is not found.

4.  Bind as user to be authenticated using DN from step 3.
Now for the moment of truth.  Bind to the connection using the DN found in step 3 and the password supplied by the user.  Log and fail if unable to bind using the user’s DN and password.

Authorization

5.  Re-bind as application user.
To check the authorization of a user, we need to read attributes from the user’s account. To do this, we need to re-bind as the application user.

6.  Search for user and require attributes.
A filter is used to search for the user like was done in step 3 but we’ll add an extra check to the query to look for the attributes that show we’re authorized.

Example Code

More Here

Courtesy:http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/

IIS – Digest Authentication

Here is the third one from my closet.

The following steps would help you configure Digest Authentication on IIS

* Launch IIS Management Console.

* Right click on the website for which Digest authentication should be enabled and select the properties.

* Click on the Directory Security Tab and Edit the Authentication and Access control

* In the Authentication Methods, Disable Anonymous access and select Integrated Windows authentication and Digest authentication for Windows Domian servers.

* Pass the alert and apply the settings.

* Restart IIS

Digest Authentication is now setup on IIS.

Just remember one thing that in order to configure Digest authentication in IIS, the server that hosts IIS should be in a Domain that provides the user access for that machine

More Here

Courtesy:http://technodesk.wordpress.com/2009/10/23/iis-digest-authentication/

IIS Authentication Model and Options

IIS 6.0 Authentication Model: An important part of many distributed applications is the ability to identify someone, known as a principal or client, and to control the client’s access to resources. Authentication is the act of validating a client’s identity. Generally, clients must present some form of evidence, known as credentials, proving who they are for authentication. Typically, credentials include a username/password pair.

SharePoint Portal 2003 is built upon IIS 6.0. Lets first take a look at the authentication model of IIS.

IIS provides a variety of authentication schemes:

Anonymous (enabled by default):

Anonymous authentication allows a user to access web and FTP sites without having to provide a username and password. When a client user accesses a web or FTP site, IIS uses the Internet Guest Account to authenticate that user.

The Internet Guest Account is created when IIS is installed, and it is named IUSR_, where is the name of the host machine. Having an account to use for anonymous access allows you to configure which resources all anonymous users can access on your server. The anonymous account is also added to the Guests group when IIS is installed, so any restrictions or permissions applied to that group also apply to the account.

Basic Authentication:
When a server uses Basic Authentication, the Web browser (or the FrontPage client) prompts the user for a name and password. The user name and password are then transmitted across HTTP, in clear text. Using this user name and password, IIS authenticates the corresponding Windows NT user.
To use Basic authentication, a user account must be defined on either the local machine or on a trusted domain controller. The account-based access control is all done through the NT File System (NTFS) permissions on the file system.

Integrated Windows authentication:
Integrated Windows authentication is the most secure method of authentication, but it is available only with Internet Explorer. In Integrated Windows authentication, the user’s browser proves itself to the server using a cryptographic exchange during the authentication process.

Integrated Windows authentication supports both the Kerberos v5 and the NTLM (NT LAN Manager) protocols for authentication through the Negotiate package.

Digest Authentication:
Like Basic Authentication, Digest Access Authentication is based on a simple challenge-response method. The Digest scheme challenges using a nonce value (a server-specified data string which may be uniquely generated each time a 401 error is made.). A valid response contains a checksum of the user name, the password, the given nonce value, the HTTP method, and the requested URL. In this way, the password is never sent as easily decoded text, which is Basic Authentication’s biggest weakness.

.NET Passport Authentication:
IIS 6 can use Microsoft’s .NET Passport to authenticate users requesting resources from a web site or a web site virtual directory. The benefit that this solution offers is that the credentials are stored and managed on another server that you are not responsible for building or maintaining. Users can authenticate using the .NET Passport service and then be allowed access to the web site hosted on your WS03 server.

More Here

Courtesy:http://sharenotes.wordpress.com/2007/10/16/iis-authentication-model-and-options/

LDAP Authentication & Authorization Dissected and Digested

LDAP is one of those things that I’ve integrated with a few times but never put enough energy into to really get the details or understand it much.  There’s always been someone I can bounce questions off of and thankfully those people were available again as I started working out the details of performing LDAP authentication.
The steps below are general enough to be used by anyone and will hopefully shed some light into the steps performed in LDAP authentication.  The process below also includes some steps for authorization.

Authentication

1.  Get a connection to the LDAP server.
With the host and port for the LDAP server, create a connection to it.  This can be  a simple direct connection or a pooled connection.  If more than a basic test, it is best to use a pooled connection.  Log and fail if a connection cannot be created.

2.  Bind as the application user.
Bind the connection to the application user.  This user should have enough permissions to search the area of LDAP where users are located.  This user may also have permissions to search for things outside of the users area (groups, authorization).  Log and fail if the application user cannot bind.
3.  Search for the DN (distinguished name) of the user to be authenticated.
This is where we verify the username is valid.  This does not authenticate the user but simply makes sure the requested username exists in the system.  Log and fail if the user’s DN is not found.
4.  Bind as user to be authenticated using DN from step 3.
Now for the moment of truth.  Bind to the connection using the DN found in step 3 and the password supplied by the user.  Log and fail if unable to bind using the user’s DN and password.

Authorization

5.  Re-bind as application user.
To check the authorization of a user, we need to read attributes from the user’s account. To do this, we need to re-bind as the application user.
6.  Search for user and require attributes.
A filter is used to search for the user like was done in step 3 but we’ll add an extra check to the query to look for the attributes that show we’re authorized.

Example Code

The code shown here is using the JLDAP library from Novell.  Interesting includes are noted at the top. The utility class used for escaping the search filter can be found in the Sakai Project’s Nakamura codebase.

view source

print?

001	import com.novell.ldap.LDAPAttribute;

002	import com.novell.ldap.LDAPConnection;

003	import com.novell.ldap.LDAPEntry;

004	import com.novell.ldap.LDAPException;

005	import com.novell.ldap.LDAPSearchResults;

006

// ...

007	String baseDn = "ou=People,o=MyOrg";

008	String userFilter = "uid = {}";

009	String authzFilter = "authzAttr=special:Entitlement:value";

010

// ...

011	public boolean authenticate(Credentials credentials) throws RepositoryException {

012	boolean auth = false;

013	if (credentials instanceof SimpleCredentials) {

014	// get application user credentials

015	String appUser = connMgr.getConfig().getLdapUser();

016	String appPass = connMgr.getConfig().getLdapPassword();

017

018	// get user credentials

019	SimpleCredentials sc = (SimpleCredentials) credentials;

020

021	long timeStart = System.currentTimeMillis();

022

023	String userDn = LdapUtil.escapeLDAPSearchFilter(userFilter.replace("{}",

024	sc.getUserID()));

025	String userPass = new String(sc.getPassword());

026

027	LDAPConnection conn = null;

028

try {

029	// 1) Get a connection to the server

030

try {

031	conn = connMgr.getConnection();

032	log.debug("Connected to LDAP server");

033	} catch (LDAPException e) {

034	throw new IllegalStateException("Unable to connect to LDAP server ["

035	+ connMgr.getConfig().getLdapHost() + "]");

036

}

037

038	// 2) Bind as app user

039

try {

040	conn.bind(LDAPConnection.LDAP_V3, appUser, appPass.getBytes(UTF8));

041	log.debug("Bound as application user");

042	} catch (LDAPException e) {

043	throw new IllegalArgumentException("Can't bind application user [" + appUser

044	+ "]", e);

045

}

046

047	// 3) Search for username (not authz).

048	// If search fails, log/report invalid username or password.

049	LDAPSearchResults results = conn.search(baseDn, LDAPConnection.SCOPE_SUB, userDn,

050	null, true);

051	if (results.hasMore()) {

052	log.debug("Found user via search");

053

} else {

054	throw new IllegalArgumentException("Can't find user [" + userDn + "]");

055

}

056

057	// 4) Bind as user.

058	// If bind fails, log/report invalid username or password.

059

060	// value is set below. define here for use in authz check.

061	String userEntryDn = null;

062

try {

063	LDAPEntry userEntry = results.next();

064	LDAPAttribute objectClass = userEntry.getAttribute("objectClass");

065

066	if ("aliasObject".equals(objectClass.getStringValue())) {

067	LDAPAttribute aliasDN = userEntry.getAttribute("aliasedObjectName");

068	userEntryDn = aliasDN.getStringValue();

069

} else {

070	userEntryDn = userEntry.getDN();

071

}

072

073	conn.bind(LDAPConnection.LDAP_V3, userEntryDn, userPass.getBytes(UTF8));

074	log.debug("Bound as user");

075	} catch (LDAPException e) {

076	log.warn("Can't bind user [{}]", userDn);

077

throw e;

078

}

079

080	if (authzFilter.length() > 0) {

081	// 5) Return to app user

082

try {

083	conn.bind(LDAPConnection.LDAP_V3, appUser, appPass.getBytes(UTF8));

084	log.debug("Rebound as application user");

085	} catch (LDAPException e) {

086	throw new IllegalArgumentException("Can't bind application user [" + appUser

087

+ "]");

088

}

089

090	// 6) Search user DN with authz filter

091	// If search fails, log/report that user is not authorized

092	String userAuthzFilter = "(&(" + userEntryDn + ")(" + authzFilter + "))";

093	results = conn.search(baseDn, LDAPConnection.SCOPE_SUB, userAuthzFilter, null,

094

true);

095	if (results.hasMore()) {

096	log.debug("Found user + authz filter via search");

097

} else {

098	throw new IllegalArgumentException("User not authorized [" + userDn + "]");

099

}

100

}

101

102	// FINALLY!

103	auth = true;

104	log.info("User [{}] authenticated with LDAP in {}ms", userDn,

105	System.currentTimeMillis() - timeStart);

106	} catch (Exception e) {

107	log.warn(e.getMessage(), e);

108	} finally {

109	connMgr.returnConnection(conn);

110

}

111

}

112	return auth;

113

}

More Here

Courtesy:http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/