
If I follow the example outlined on this page "http://xsockets.net/docs/installing-xsocketsnet" and install the controller as a self-hosted application on a different server from the web server hosting the website that would communicate with the XSocket controller, how can I make sure that only authenticated users from my website can access the XSocket controller?

I am new to XSockets architecture and this is puzzling me. It seems like I would need to pass some login credentials to the Controller when this line of code is called in JavaScript: peerBroker = new XSockets.WebSocket("ws://127.0.0.1:4502/CustomBroker"); I have not found any documentation outlining how to get this information securely to the Controller. As background, the website side is running MVC5.

The main point of confusion is that the broker is on a different server from the MVC5 application that will access the broker. I am trying to make sure that the broker only allows users currently logged into the system to access the broker.

halfer
user1790300
  • What kind of information do you have about the user? FormAuth ticket? Token of some kind? – Uffe May 30 '14 at 12:12
  • You could only create the broker and launch it if they are authenticated. There are many ways to check authentication in ASP.NET – Benjamin Trent May 30 '14 at 12:51
  • I have FormsAuth ticket and I have their username/password. If the controller(broker) is self hosted on a different server, would that eliminate FormsAuth as an option? I am trying to force authentication on the broker side, so this seems to be outside of normal asp.net authentication, as I want to eliminate the possibility of anyone trying to access the broker without being logged into the website. I already have authentication on the mvc side; I just want it on the other side. – user1790300 May 30 '14 at 15:58

1 Answer


To share the auth ticket between servers is actually not that hard.

  1. See to it that you have the same machine key in both configs.

    <!-- Machine key in web -->
    <machineKey compatibilityMode="Framework45" validationKey="validation-key-here" decryptionKey="decryption-key-here" validation="SHA1" decryption="AES" />
    
    <!-- Machine key in app-server -->
    <machineKey compatibilityMode="Framework45" validationKey="same-as-on-webserver" decryptionKey="same-as-on-webserver" validation="SHA1" decryption="AES" />
    
    <!-- Do note that compatibilityMode will be different between 4.5 and other .NET versions, see MSDN -->
    
  2. When you login with forms-auth you will get a cookie like

    .ASPXAUTH=DFE811295BABA98CFE94040...
    
  3. To get that cookie in XSockets.NET just do like this

    public class MyController : XSocketController
    {
        public MyController()
        {            
            this.OnOpen += MyController_OnClientConnect;
        }
    
        void MyController_OnClientConnect(object sender, XSockets.Core.Common.Socket.Event.Arguments.OnClientConnectArgs e)
        {
            var ticket = GetFormsAuthenticationTicket();
            //Validate ticket & maybe extract user info as shown below...
            //If not valid just call this.Close();
        }
    }
    
  4. It is not necessary, but as you see you can pass along custom client information. I do so by using a custom principal

    public class CustomPrincipal
    {
        public Guid Id { get; set; }
        public string Email { get; set; }
        public string[] Roles { get; set; }
    }
    
  5. In that case you can extract user info from the ticket with

    var userinfo = this.JsonSerializer.DeserializeFromString<CustomPrincipal>(ticket.UserData);
    

Note: Read http://xsockets.net/docs/security, where you will see that you can also use the Authorize attribute and also override the OnAuthorization method.

EDIT: To be able to access the cookies on the XSockets server you will have to connect to the same origin as the cookie was set on. For example: if you connect to localhost (web) you will have to use ws://localhost:port to be able to access the cookie.

Uffe
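The following is an added worked example, not code from the answer, the asker, or the XSockets.NET project, that carries the five steps above through end to end: the MVC5 side issues a forms-auth ticket whose UserData holds the serialized CustomPrincipal, and the self-hosted XSockets side decrypts it under the shared machineKey, enforces expiry, and closes the connection for anyone who is not a logged-in website user. The class names TicketIssuer, TicketValidator and SecureBroker and the "BrokerUser" role are made up for the example; GetFormsAuthenticationTicket() and the OnOpen/OnClientConnectArgs handler pattern are taken from the answer as-is and assumed to behave as described there; the XSockets namespaces in the using directives are assumptions. JavaScriptSerializer (System.Web.Extensions) stands in for the answer's this.JsonSerializer so the validator compiles outside an XSockets controller.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Script.Serialization;   // JavaScriptSerializer, in System.Web.Extensions
using System.Web.Security;
using XSockets.Core.XSocket;             // XSocketController; namespace assumed for this example
using XSockets.Core.Common.Socket.Event.Arguments;

// Same shape as the answer's CustomPrincipal: this is what is carried in ticket.UserData.
public class CustomPrincipal
{
    public Guid Id { get; set; }
    public string Email { get; set; }
    public string[] Roles { get; set; }
}

// ---- Web server (MVC5): issue the ticket after the normal login succeeds ----
public static class TicketIssuer
{
    // Builds the .ASPXAUTH cookie. Because both servers share validationKey and
    // decryptionKey, the app server can later verify the MAC and decrypt this
    // cookie even though it never saw the login.
    public static HttpCookie CreateAuthCookie(CustomPrincipal user, TimeSpan lifetime)
    {
        var userData = new JavaScriptSerializer().Serialize(user);
        var ticket = new FormsAuthenticationTicket(
            1,                              // version
            user.Email,                     // ticket.Name
            DateTime.Now,                   // issue date
            DateTime.Now.Add(lifetime),     // expiration, checked again on the app server
            false,                          // not persistent
            userData,                       // the serialized principal rides inside the protected ticket
            FormsAuthentication.FormsCookiePath);

        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                // page scripts cannot read it; the browser still sends it on the WebSocket handshake
            Secure = FormsAuthentication.RequireSSL,
            Expires = ticket.Expiration
        };
    }
}

// ---- App server: decide whether the connecting client is a logged-in website user ----
public static class TicketValidator
{
    // Accepts an already-decrypted ticket (what the answer's GetFormsAuthenticationTicket() yields)
    // and returns the principal, or null if the ticket is missing, expired or carries bad data.
    public static CustomPrincipal FromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return null;   // Decrypt() does not enforce expiry; do it here
        try
        {
            var user = new JavaScriptSerializer().Deserialize<CustomPrincipal>(ticket.UserData);
            return user != null && user.Roles != null ? user : null;
        }
        catch (Exception) { return null; }                   // malformed UserData is treated as "not logged in"
    }

    // Accepts the raw .ASPXAUTH value, for code paths where you only have the cookie string.
    // A cookie produced or altered under a different machineKey fails MAC validation here.
    public static CustomPrincipal FromCookieValue(string aspxAuthValue)
    {
        if (string.IsNullOrEmpty(aspxAuthValue)) return null;
        try { return FromTicket(FormsAuthentication.Decrypt(aspxAuthValue)); }
        catch (Exception) { return null; }
    }
}

// ---- XSockets controller following the answer's OnOpen pattern ----
public class SecureBroker : XSocketController
{
    public SecureBroker()
    {
        this.OnOpen += SecureBroker_OnOpen;
    }

    void SecureBroker_OnOpen(object sender, OnClientConnectArgs e)
    {
        // GetFormsAuthenticationTicket() is used as in the answer and assumed to return the
        // decrypted ticket for this client (null when no valid .ASPXAUTH cookie was sent).
        var user = TicketValidator.FromTicket(GetFormsAuthenticationTicket());

        // Reject before the client can send or receive anything. The role name is made up.
        if (user == null || !user.Roles.Contains("BrokerUser"))
        {
            this.Close();
            return;
        }
        // From here on, user.Id / user.Email identify the caller for any broker logic.
    }
}
```

Two points worth keeping in mind with this design. First, the shared validationKey and decryptionKey are what make the app server trust the cookie: anyone holding them can produce a ticket the broker accepts, so they are a secret shared by exactly those two servers and nothing else. Second, the EDIT above about origins is what makes the cookie reach the broker at all: the browser only attaches .ASPXAUTH to the WebSocket handshake when the ws:// host matches the cookie's domain, and over plain ws:// that cookie crosses the network unencrypted, so pairing RequireSSL with a wss:// endpoint is the configuration that keeps the ticket confidential in transit.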