dotnetnuke - How to handle security/authentication on a DNN-based web API
I'm building a REST API for a DotNetNuke 6 website, making use of DNN's MVC-based services framework. However, I don't have a background in authentication, so I'm not sure where to start.
Basically, I want our clients to be able to make requests for the portal's data, and I want some clients (but not all) to be able to POST simple updates to user data.
I've been trying to search for information, but the trouble is I'm not sure what I'm searching for. DNN has different logins and roles, but I'm not sure if or how they factor in. I've heard of things like OAuth, but my understanding of it is at a basic level. I don't know if it's what I need or not, and if or how it applies to DNN. Can anyone point me in the right direction?
Update: Based on the answer below about tying in a module, and further research, here is what I have done:
I created a module for the service, and added 2 special permissions to it: "apiget" and "apipost". I assigned these to test roles/test accounts in DNN. I wrote a custom Authorize attribute that, given a module ID, checks if the current user has the necessary permission (either through roles or directly). As far as I can tell, the tab ID is irrelevant in this case.
It appears to be working for both a web browser (based on the DNN account I'm logged into) and a PHP script that sends an HTTP request with an account username/password.
The Authorize attribute:
```csharp
using System.Web;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Entities.Portals;
using DotNetNuke.Security;
using DotNetNuke.Security.Permissions;

public class MyAuthorize : DotNetNuke.Web.Services.AuthorizeAttributeBase
{
    // Friendly name of the module whose permission grid carries the API permissions
    public const string AuthModuleFriendlyName = "MyAuthModule";

    // Permission keys defined on that module; the strings must match the keys exactly
    public const string GetPermission = "apiget";
    public const string PostPermission = "apipost";

    // Which of the keys above this attribute instance checks for
    public string Permission { get; set; }

    protected override bool AuthorizeCore(HttpContextBase context)
    {
        // Look the module up by friendly name within the current portal
        ModuleController mc = new ModuleController();
        ModuleInfo mi = mc.GetModuleByDefinition(
            PortalController.GetCurrentPortalSettings().PortalId, AuthModuleFriendlyName);
        if (mi == null)
        {
            // Module is not installed in this portal: deny instead of throwing
            return false;
        }

        // Check the current user's roles/direct grants against the requested key
        ModulePermissionCollection permCollection = mi.ModulePermissions;
        return ModulePermissionController.HasModulePermission(permCollection, Permission);
    }
}
```
The controller (the "mytest" endpoint is used for both GET and POST):
```csharp
using System.Web.Mvc;
using DotNetNuke.Web.Services;

public class MyController : DnnController
{
    // GET /mytest: anonymous at the DNN level, then gated by the custom "apiget" permission
    [ActionName("mytest")]
    [AcceptVerbs(HttpVerbs.Get)]
    [DnnAuthorize(AllowAnonymous = true)]
    [MyAuthorize(Permission = MyAuthorize.GetPermission)]
    public string MyGet(string id = "")
    {
        return "You have permission to GET";
    }

    // POST /mytest: same pattern, gated by the custom "apipost" permission
    [ActionName("mytest")]
    [AcceptVerbs(HttpVerbs.Post)]
    [DnnAuthorize(AllowAnonymous = true)]
    [MyAuthorize(Permission = MyAuthorize.PostPermission)]
    public string MyPost(string id = "")
    {
        return "You have permission to POST";
    }
}
```
The main way to tie a service in the DNN Services Framework to DNN permissions is to associate the permissions with a module instance. That is, you'll require users of the service to identify the module they're calling from/about (by sending ModuleId and TabId in the request [headers, query-string, cookies, form]), and you can then indicate which permissions they need on the module to take a particular action on the service.
You can use the SupportedModules attribute on the service, and pass in a comma-delimited list of module names, to ensure only your own modules are being allowed. Then, add the DnnModuleAuthorize attribute at the service or individual action level for the permission the user needs on the module. In your instance, you can add the AllowAnonymous attribute on the GET actions, and have one DnnModuleAuthorize on the service, for the POST methods (and anything else). Note that you cannot put the AllowAnonymous attribute on the controller; it overrides authorizations put at the action level, making it impossible to make actions more restrictive.
You'll also want to add the ValidateAntiForgeryToken attribute on the POST actions, to protect against CSRF attacks.
If you don't have a module that naturally associates permissions with the service, you can create one for that purpose, solely to expose a permissions management utility.
Once you've figured out the authorization piece above, DNN will take care of authentication using the forms cookie (i.e. AJAX scenarios are taken care of automatically), or via Basic or Digest authentication (for non-AJAX scenarios). That said, if you're doing non-AJAX, you'll need to figure out a way to validate the anti-forgery token when it applies.
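The module-permission approach described in this answer, as an added example (not code from the question or from DNN itself). It assumes a module named "MyAuthModule" exists in the portal, that the client sends ModuleId and TabId (and the anti-forgery token on POST) with each request, and that the SupportedModules, DnnModuleAuthorize, AllowAnonymous and ValidateAntiForgeryToken attributes are available in DotNetNuke.Web.Services as in the DNN 6.2 services framework; check the attribute names against the installed version.

```csharp
using System.Web.Mvc;
using DotNetNuke.Security;
using DotNetNuke.Web.Services;

// Assumed module name; only requests tied to this module (by ModuleId/TabId) are accepted.
[SupportedModules("MyAuthModule")]
// Service-wide default: the caller needs EDIT rights on that module instance.
[DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
public class MyModuleController : DnnController
{
    // Read-only action: AllowAnonymous at the action level relaxes the
    // service-wide requirement for this action only (it must not go on the class).
    [ActionName("mytest")]
    [AcceptVerbs(HttpVerbs.Get)]
    [AllowAnonymous]
    public string MyGet(string id = "")
    {
        return "Anyone may read";
    }

    // Write action: inherits the EDIT requirement from the class-level attribute,
    // and the anti-forgery token protects cookie-authenticated (AJAX) callers from CSRF.
    [ActionName("mytest")]
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public string MyPost(string id = "")
    {
        return "You have EDIT permission on the module";
    }
}
```

Because the permission check is bound to the module instance, granting or revoking API access is done in the module's permission grid rather than in code.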