Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I add token authentication to my IIS so as to secure files in a folder?

I have a Windows Azure WebAPI application with

  • OWIN
  • Oauth 2
  • token authentication
  • Identity 2 Framework
  • VS2013 Update 2
  • IIS (I am not sure which version. As I just updated everything in the stack then I assume the latest version)

Before a user is authenticated when there's a <script> in my index.html file I notice cookies sent to the server looking like this:

Accept-Language: en-US,en;q=0.8
Cookie: .AspNet.Cookies=GWLL4LgeFkn7jDndAwf-Pk_eZAPZ5LYZugSmv- ...

After a user is authenticated I notice the cookies change:

Accept-Language: en-US,en;q=0.8
Cookie: .AspNet.Cookies=OqLMSpIv2aQ8KUcw3pWdAYtPYUI_tYMl4rEYKe16N ...

I thought I was using token authentication so my first question is "why do the cookies get changed and why are they sent at all"?

Once a user is authenticated then with each $http request to the server I send a header like this:

Authorization: Bearer abcdefgetc....

My authorization on the server works when I have WebAPI methods decorated like:

[Authorize(Roles = "Admin")]

Here is the main web-config that shows the security settings:

<system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.5.1" />
    <httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
    </modules>
</system.webServer>

Now I would like to add some security to some static javascript files that I have on the server. I know how I can code it so the files can be retrieved by my client and added to the DOM in two ways. Either way is okay for me to use although I prefer the first way if when I do that way then there can be authentication happen through cookies or otherwise:

With a script tag and a load

var el = doc.createElement("script"),
loaded = false;
el.onload = el.onreadystatechange = function () {
  if ((el.readyState && el.readyState !== "complete" && el.readyState !== "loaded") || loaded) {
    return false;
  }
  el.onload = el.onreadystatechange = null;
  loaded = true;
  // done!
};
el.async = true;
el.src = path;
document.getElementsByTagName('head')[0].insertBefore(el, head.firstChild);

With a $http call and then adding it directly to the DOM (I can supply bearer token)

$http({
    url: '/Bundles/admin/admin1Bundle.js',
    method: "GET"
})
.success(function (result) {
   var m = document.createElement('script');
   m.appendChild(document.createTextNode(result));
   document.getElementsByTagName('head')[0].appendChild(m);

Once added the javascript becomes available. To add security I created a web.config in the folder to protect these files and allow only users with Admin role to have access:

Here is the folders web-config that shows the security settings:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="Admin" verbs='GET'/>
      </authorization>
    </security>
  </system.webServer>
</configuration>

When a user with the role of Admin tries to access files in the folder with a GET that a has a bearer token they get a message saying:

Most likely causes:
•No authentication protocol (including anonymous) is selected in IIS.
•Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
•Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
•The Web server is not configured for anonymous access and a required authorization header was not received.
•The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.

This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the 
server configuration. Check the authentication method for the resource, and verify which authentication 
method the client used. The error occurs when the authentication methods are different. To determine 
which type of authentication the client is using, check the authentication settings for the client.

It seems like my IIS (the version I am using on my development environment when I click Debug > Start Debugging) is using a different kind of authentication from that used by my WebAPI. Can someone explain to me:

  • Should I be using <system.web> or <system.webServer> for the security?
  • How can I make the IIS use the same security path as WebAPI is using when I decorate my WebAPI methods? Note that I need a way to do this with web.config as I don't have access to make changes to the IIS directly once the application is published to the cloud.
  • I am using token authentication so why is the cookie information sent? Could I just use this cookie information to secure my javascript files from getting downloaded?

Notes:

Here is the way I have authentication set up in Startup.Auth.cs

        // Configure the application for OAuth based flow
        PublicClientId = "self";
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = true
        };

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);
like image 632
Samantha J T Star Avatar asked Apr 26 '14 14:04

Samantha J T Star


1 Answers

Should I be using or for the security? How can I make the IIS use the same security path as WebAPI is using when I decorate my WebAPI methods? Note that I need a way to do this with web.config as I don't have access to make changes to the IIS directly once the application is published to the cloud.

You could use the authorization attribute in the webconfig to restrict files and folders, the example below restricts restricts a specific js file to admins only.

<location path="resources/scripts/yourtopsecretjsfile.js">
     <system.webServer>
         <security>
             <authorization>
                 <remove users="*" roles="" verbs="" />
                 <add accessType="Allow" roles="Administrators" />
             </authorization>
         </security>
     </system.webServer>
 </location>

I am using token authentication so why is the cookie information sent?

It is used by the server to identify the authenticated user. If you don't want to do without sending the cookie info you can look at doing at sending a signed token with every request instead. Check out this article, loosely covers how to do that (but that with an angular JS/ Web API 2 point of view) http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

like image 158
Isuru Fonseka Avatar answered Nov 03 '22 21:11

Isuru Fonseka