4

We have an ASP.NET MVC application where users connect through Azure Active Directory. They can manage files through their SharePoint Online accounts.

To access SharePoint Online, we use CSOM. We want the user connected to Azure Active Directory to use his account to manipulate files without filling in credentials. To do that we attach an access token to the request's header to be authenticated. It works fine.

Now we want to use the Excel Services SOAP API in SharePoint Online. To be authenticated we must fill in credentials. How can we bypass this and be authenticated as the logged-in user?

EDIT: You can see below the code to access SharePoint resources with the current user context.

using System;
using Microsoft.SharePoint.Client;

// The OAuth access token obtained for the user signed in through Azure Active Directory
private string accessToken;

using (ClientContext context = new ClientContext("https://myServer.sharepoint.com"))
{
    // Hook every outgoing CSOM request so the token can be attached before it is sent
    context.ExecutingWebRequest += ExecutingWebRequest;

    context.Load(context.Web.Lists);
    context.ExecuteQuery();

    // Do some stuff with lists ...
}

private void ExecutingWebRequest(object sender, WebRequestEventArgs e)
{
    // Authenticate with the user's bearer token instead of prompting for credentials
    e.WebRequestExecutor.WebRequest.Headers.Add("Authorization", "Bearer " + accessToken);
}

I need to do something like this to access the Excel Services web services with the current user context.

toast
  • 103
  • 1
  • 6
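The same hook applied to the Excel Services SOAP endpoint, as an added example that is not part of the original question or of any Microsoft sample: a proxy generated with "Add Web Reference" derives from SoapHttpClientProtocol, which exposes a protected virtual GetWebRequest method. Overriding it attaches the bearer token to every SOAP call in the same way ExecutingWebRequest does for CSOM, so no credentials have to be filled in. Assumptions: the generated proxy class is called ExcelService, the wrapper class BearerTokenExcelService and its constructor arguments are invented for this example, and the token is the one already used for the CSOM calls (it must have been issued for the SharePoint Online site, not for some other resource). The /_vti_bin/ExcelService.asmx path is the standard Excel Web Services endpoint; verify it against your tenant.

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Assumed: "ExcelService" is the proxy class that "Add Web Reference" generated
// from https://myServer.sharepoint.com/_vti_bin/ExcelService.asmx (it derives from
// SoapHttpClientProtocol). This wrapper is an added example, not the original code.
public class BearerTokenExcelService : ExcelService
{
    private readonly string accessToken;

    public BearerTokenExcelService(string siteUrl, string accessToken)
    {
        if (string.IsNullOrEmpty(accessToken))
        {
            throw new ArgumentException("A bearer token for the signed-in user is required.", "accessToken");
        }

        // The token is a credential: refuse to send it over plain HTTP.
        if (!siteUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("The SharePoint site URL must use HTTPS.", "siteUrl");
        }

        // Standard Excel Web Services endpoint path (assumption: verify it against your tenant).
        this.Url = siteUrl.TrimEnd('/') + "/_vti_bin/ExcelService.asmx";
        this.accessToken = accessToken;
    }

    // Counterpart of CSOM's ExecutingWebRequest: every SOAP call built by the proxy
    // passes through here before it is sent, so the user's token is attached
    // instead of the proxy falling back to Credentials / a credential prompt.
    protected override WebRequest GetWebRequest(Uri uri)
    {
        WebRequest request = base.GetWebRequest(uri);
        request.Headers.Add("Authorization", "Bearer " + accessToken);
        return request;
    }
}

// Usage, inside the MVC controller that already holds the user's token:
//
//   var excel = new BearerTokenExcelService("https://myServer.sharepoint.com", accessToken);
//   // then call the operations the generated proxy exposes (OpenWorkbook and so on)
```

Do not set the proxy's Credentials property as well: a 401 from SharePoint Online means the token is missing, expired, or issued for the wrong resource, and the fix is to obtain a correct token for the user, not to fall back to stored credentials. Keep the token out of logs and exception messages for the same reason.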

1 Answer

0

While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.

In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.

Problems related to the authentication schema can be found at different stages of the software development life cycle (SDLC), like the design, development, and deployment phases:

  • In the design phase errors can include a wrong definition of application sections to be protected, the choice of not applying strong encryption protocols for securing the transmission of credentials, and many more.
  • In the development phase errors can include the incorrect implementation of input validation functionality or not following the security best practices for the specific language.
  • In the application deployment phase, there may be issues during the application setup (installation and configuration activities) due to a lack in required technical skills or due to the lack of good documentation.

// Vulnerable session handling (phpBB 2.0.x style): session state is read back from a
// cookie the client controls. The second operand of the condition was cut off after "||"
// in the extract and is reconstructed here as an assumption.
if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename . '_data']) )
{
    // The "_data" cookie is unserialized and trusted as-is, so a counterfeited cookie
    // is enough to make the application believe the user is already authenticated.
    $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?
        unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
    $sessionmethod = SESSION_METHOD_COOKIE;
}

// Unsalted md5 compared with "==", and the autologin flag is taken straight from the POST body.
if( md5($password) == $row['user_password'] && $row['user_active'] )
{
    $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;
}
Navnish Bhardwaj
  • 1,687
  • 25
  • 39
  • Thanks for the reply but you don't really answer my question. I need to access excel services webservices (hosted in sharepoint) with the current context of the user logged via Azure Active Directory. – toast Sep 03 '14 at 13:18