- \n
- It uses Forms Authentication. For example when you purchase an album. <\/li>\n
- It has a Entity Framework model that is clearly separated into two types of entities: \n
- \n
- Those that anyone should be able to browse (Albums, Artists, Genres). <\/li>\n
- Those that are more sensitive (Orders, OrderDetails, Carts). <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
The rest of this post assumes you\u2019ve downloaded and installed the MVC Music Store sample.<\/p>\n
<\/h3>\n
Enabling Forms Authentication:<\/h4>\n
The MVC Music Store sample already has Forms Authentication enabled in the web.config like this:<\/p>\n
<authentication mode="Forms">
<forms loginUrl="~\/Account\/LogOn" timeout="2880" \/>
<\/authentication><\/font><\/p>\nWith this in place any services we add to this application will also be protected.<\/p>\n
Adding a Music Data Service:<\/h4>\n
If you double click the StoreDB.edmx file inside the Models folder you\u2019ll see something like this:<\/p>\n
![\"MvcMusicStoreModel\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/2438.MvcMusicStoreModel_thumb.png\" "\\"MvcMusicStoreModel\\"")
<\/a> <\/p>\nThis is want we want to expose, so the first step is to click \u2018Add New Item\u2019 and then select new WCF Data Service:<\/p>\n
![\"CreateMusicStoreService\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/6254.CreateMusicStoreService_thumb.png\" "\\"CreateMusicStoreService\\"")
<\/a> <\/p>\nNext modify your MusicStoreService to look like this:<\/p>\n
public class MusicStoreService : DataService<MusicStoreEntities>
{
\/\/ This method is called only once to initialize service-wide policies.
public static void InitializeService(DataServiceConfiguration config)
{
config.SetEntitySetAccessRule("Carts", EntitySetRights.None);
config.SetEntitySetAccessRule("OrderDetails", EntitySetRights.ReadSingle);
config.SetEntitySetAccessRule("*", EntitySetRights.AllRead);
config.SetEntitySetPageSize("*", 50);<\/font>
config.DataServiceBehavior.MaxProtocolVersion =
DataServiceProtocolVersion.V2;
}
}<\/font><\/p>\nThe PageSize is there to enforce Server Driven Paging<\/a>, which is an OData best practice, we don\u2019t like to show samples that skip this\u2026 \ud83d\ude42<\/p>\n
Then the three EntitySetAccessRules in turn:<\/p>\n
- \n
- Hide the Carts entity set \u2013 our service shouldn\u2019t expose it. <\/li>\n
- Allow OrderDetails to be retrieved by key, but not queried arbitrarily. <\/li>\n
- Allow all other sets to be queried by not modified \u2013 in this case we want the service to be read-only. <\/li>\n<\/ul>\n
Next we need to secure our \u2018sensitive data\u2019, which means making sure only appropriate people can see Orders and OrderDetails, by adding two QueryInterceptors to our MusicStoreService:<\/p>\n
[QueryInterceptor("Orders")]
public Expression<Func<Order, bool>> OrdersFilter()
{
if (!HttpContext.Current.Request.IsAuthenticated)
return (Order o) => false; <\/font><\/p>\nvar username = HttpContext.Current.User.Identity.Name;
if (username == "Administrator")
return (Order o) => true;
else
return (Order o) => o.Username == username;
} <\/font><\/p>\n[QueryInterceptor("OrderDetails")]
public Expression<Func<OrderDetail, bool>> OrdersFilter()
{
if (!HttpContext.Current.Request.IsAuthenticated)
return (OrderDetail od) => false; <\/font><\/p>\nvar username = HttpContext.Current.User.Identity.Name;
if (username == "Administrator")
return (OrderDetail od) => true;
else
return (OrderDetail od) => od.Order.Username == username;
}<\/font><\/p>\nThese interceptors filter out all Orders and OrderDetails if the request is unauthenticated.<\/p>\n
They allow the administrator to see all Orders and OrderDetails, but everyone else can only see Orders \/ OrderDetails that they created.<\/p>\n
That\u2019s it – our service is ready to go. <\/p>\n
NOTE:<\/strong> if you have a read-write service and you want to authorize updates you need <\/font>ChangeInterceptors<\/font><\/a>.<\/font><\/p>\n
Trying it out in the Browser:<\/h3>\n
The easiest way to logon is to add something to your cart and buy it:<\/p>\n
![\"ShoppingCart\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/4604.ShoppingCart_thumb.png\" "\\"ShoppingCart\\"")
<\/a> <\/p>\nWhich prompts you to logon or register:<\/p>\n
![\"LogonOrRegister\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/4201.LogonOrRegister_thumb.png\" "\\"LogonOrRegister\\"")
<\/a> <\/p>\nThe first time through you\u2019ll need to register, which will also log you on, and then once you are logged on you\u2019ll need to retry checking out.<\/p>\n
This has the added advantage of testing our security. Because at the end of the checkout process you will be logged in as the user you just registered, meaning if you browse to your Data Service\u2019s Orders feed you should see the order you just created:<\/p>\n
![\"OrdersAuthenticated\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/7762.OrdersAuthenticated_thumb.png\" "\\"OrdersAuthenticated\\"")
<\/a> <\/p>\nIf however you logoff, or restart the browser, and try again you\u2019ll see an empty feed like this:<\/p>\n
![\"OrdersUnauthenticated\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/0830.OrdersUnauthenticated_thumb.png\" "\\"OrdersUnauthenticated\\"")
<\/a> <\/p>\n<\/p>\n<\/p>\nPerfect. Our query interceptors are working as intended.<\/p>\n
This all works because Forms Authentication is essentially just a HttpModule, which sits under our Data Service, that relies on the browser (or client) passing around a cookie once it has logged on.<\/p>\n
By the time the request gets to the DataService the HttpContext.Current.Request.User is set. <\/p>\n
Which in turn means our query interceptors can enforce our custom Authorization logic.<\/p>\n
Enabling Active Clients:<\/h3>\n
In authentication terms a browser is a passive client, that\u2019s because basically it does what it is told, a server can redirect it to a logon page which can redirect it back again if successful, it can tell it to include a cookie in each request and so on… <\/p>\n
Often however it is active clients \u2013 things like custom applications and generic data browsers \u2013 that want to access the OData Service.<\/p>\n
How do they authenticate?<\/p>\n
They could mimic the browser, by responding to redirects and programmatically posting the logon form to acquire the cookie. But no wants to re-implement html form handling just to logon.<\/p>\n
Thankfully there is a much easier way.<\/p>\n
You can enable an standard authentication endpoint, by adding this to your web.config:<\/p>\n
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true" requireSSL="false"\/>
<\/webServices>
<\/scripting>
<\/system.web.extensions><\/font><\/p>\nThe endpoint (Authentication_JSON_AppService.axd) makes it much easier to logon programmatically.<\/p>\n
Connecting from an Active Client:<\/h3>\n
Now that we\u2019ve enabled the authentication endpoint, lets see how we use it. Essentially for forms authentication to work the DataServiceContext must include a valid cookie with every request. <\/p>\n
A cookie is just a http header and, as we saw in part 3<\/a>, it is very easy to add a custom header with every request.<\/p>\n
Using Client Application Services:<\/h4>\n
But before we get down to setting cookies, in some scenarios there is an even easy way: using Client Application Services<\/a>. These services are not available in the .NET Client Profile (or Silverlight) so you may need to change your Target Framework to use them:<\/p>\n
![\"ClientProfile\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/1016.ClientProfile_thumb_1.png\" "\\"ClientProfile\\"")
<\/a> <\/p>\nOnce you\u2019ve done that you enable Client Application Services like this:<\/p>\n
![\"ClientApplicationServices\"](\"https:\/\/devblogs.microsoft.com\/odatateam\/wp-content\/uploads\/sites\/23\/2010\/07\/1030.ClientApplicationServices_thumb.png\" "\\"ClientApplicationServices\\"")
<\/a> <\/p>\nNOTE:<\/strong> the Authentication Services Location should be set to the root of the website that has Authentication Services enabled.<\/font><\/p>\n
Next you add a reference to System.Web to gain access to System.Web.Security.Membership.<\/p>\n
Once you\u2019ve done this you simply need to logon once:<\/p>\n
System.Web.Security.Membership.ValidateUser("Alex", "password");<\/font><\/p>\n
This logs on and stores the resulting cookie on the current thread.<\/p>\n
Next, assuming you already have a Service Reference to your Data Service \u2013 see this to learn how<\/a> \u2013 you can extend your custom DataServiceContext, in our example called MusicStoreEntities, to automatically send the cookie with each request:<\/p>\n
public partial class MusicStoreEntities
{
partial void OnContextCreated()
{
this.SendingRequest +=
new EventHandler<SendingRequestEventArgs>(OnSendingRequest);
}
void OnSendingRequest(object sender, SendingRequestEventArgs e)
{
<\/font>((HttpWebRequest)e.Request).CookieContainer =
((ClientFormsIdentity)Thread.CurrentPrincipal.Identity).AuthenticationCookies;
<\/font> }
}<\/font><\/p>\nThis works by adding the partial OnContextCreated method, which is called in the MusicStoreEntities constructor, and hooking up to the SendingRequest event, to set the cookie for each request.<\/p>\n
That\u2019s it, pretty easy.<\/p>\n
Manually setting the Cookie:<\/h4>\n
If however using Client Application Services is not an option \u2013 for example you\u2019re in Silverlight or you can only use the Client Profile \u2013 you will have to manually get and set the cookie.<\/p>\n
To do this change the example above to look like this instead:<\/p>\n
public partial class MusicStoreEntities
{
partial void OnContextCreated()
{
this.SendingRequest +=
new EventHandler<SendingRequestEventArgs>(OnSendingRequest);
<\/font> }
public void OnSendingRequest(object sender, SendingRequestEventArgs e)
{
e.RequestHeaders.Add("Cookie", GetCookie("Alex", "password"));
}
string _cookie;
string GetCookie(string userName, string password)
{
if (_cookie == null)
{
string loginUri = string.Format("{0}\/{1}\/{2}",
"<\/font>http:\/\/localhost:1397"<\/font><\/a>,
"Authentication_JSON_AppService.axd",
"Login");
WebRequest request = HttpWebRequest.Create(loginUri);
request.Method = "POST";
request.ContentType = "application\/json"; <\/font><\/p>\nstring authBody = String.Format(
"{{ "userName": "{0}", "password": "{1}", "createPersistentCookie":false}}",
userName,
password);
request.ContentLength = authBody.Length; <\/font><\/p>\nStreamWriter w = new StreamWriter(request.GetRequestStream());
w.Write(authBody);
w.Close(); <\/font><\/p>\nWebResponse res = request.GetResponse();
if (res.Headers["Set-Cookie"] != null)
{
_cookie = res.Headers["Set-Cookie"];
}
else
{
throw new SecurityException("Invalid username and password");
}
}
return _cookie;
}
}<\/font><\/p>\n<\/font><\/p>\n
This code is admittedly a little more involved. But it you break it down it all makes sense.<\/p>\n
The code adds the cookie to the headers whenever a request is issued.<\/p>\n
The hardest part is actually acquiring the cookie. The GetCookie() method checks whether we have a cookie, if not it creates a request to the Authentication endpoint, passing the username and password in a JSON body.<\/p>\n
If authentication is successful the response will include a \u2018Set-Cookie\u2019 header, that contains the cookie.<\/p>\n
Summary:<\/h4>\n
We\u2019ve just walked through using Forms Authentication with an OData service.<\/p>\n
That included: integrating security with an existing website, enabling both browser and active clients \u2013 based on DataServiceContext \u2013 and authenticating from any .NET client.<\/p>\n
Next up we\u2019ll start looking at things like OAuth and OAuthWrap\u2026<\/p>\n