This essay explains how to set up a protected site (Site B) whose login is authenticated by Site A. Users are authenticated by the login process in Site A. The authentication method for Site A can be AD or a simple login process.
Server Configuration :
IIS 7.5
Site A :
URL : http://www.example.com
IDE : Visual Studio 2008
.NET Framework 3.5
IIS application pool version : 2.0, Integrated
Site B :
URL : http://www.example.com:8000
IDE : Visual Studio 2012
.NET Framework 4.5
IIS application pool version : 4.0, Integrated
Objective :
- CORS setting for the site A
- Users access Site B's protected resources through Site A's login authentication
Solution
Step 1: Change the Machine Key of site A from auto-generated to a custom key
Open IIS of site A
Double Click

Encryption Method : SHA1
Decryption Method : Auto
Click
and click "Apply".
Copy the validationKey and decryptionKey to a notepad.
Step 2: Configure web.config of site B
Site B Web.config:
<system.web>
  <machineKey compatibilityMode="Framework20SP2" validationKey="{Key copy from website A IIS}" decryptionKey="{Key copy from website A IIS}" validation="SHA1" />
  <authentication mode="Forms">
    <forms name="{Cookie Name of Website A Form Auth}" loginUrl="Login.aspx" protection="All" timeout="120" path="/">
    </forms>
  </authentication>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
  <!-- other configuration -->
</system.web>
where the cookie is written from Site A's code-behind:
// create the authentication cookie
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
Response.Cookies.Add(cookie);
Step 3: Configure Web.config of site A
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- must be one exact origin; browsers reject "*" when credentials are allowed -->
      <add name="Access-Control-Allow-Origin" value="{specified url with port number for access this website resource}" />
      <add name="Access-Control-Allow-Credentials" value="true" />
    </customHeaders>
  </httpProtocol>
  <!-- other configuration -->
</system.webServer>
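Steps 1 to 3 only work when the two web.config files agree with each other. The following is an added example, not code from the original post: a Python check that compares Site A's and Site B's configuration for matching machine keys, the same forms cookie name and an exact CORS origin. The function name `check_shared_auth`, the cookie name `SharedAuth` and the key values are constructed placeholders, and it assumes the custom key from Step 1 is stored in Site A's web.config.

```python
import xml.etree.ElementTree as ET

def check_shared_auth(site_a_xml, site_b_xml, site_b_origin):
    """Return findings for the Step 1-3 settings; an empty list means they agree."""
    a, b = ET.fromstring(site_a_xml), ET.fromstring(site_b_xml)
    findings = []
    # Steps 1-2: Site B can only decrypt Site A's ticket with identical explicit keys.
    mk_a, mk_b = a.find("system.web/machineKey"), b.find("system.web/machineKey")
    for attr in ("validationKey", "decryptionKey", "validation"):
        va = mk_a.get(attr, "") if mk_a is not None else ""
        vb = mk_b.get(attr, "") if mk_b is not None else ""
        if not va or not vb:
            findings.append(f"machineKey {attr} not set on both sites")
        elif "AutoGenerate" in va + vb:
            findings.append(f"machineKey {attr} is still auto-generated")
        elif va != vb:
            findings.append(f"machineKey {attr} differs")
    # The page's Site B (.NET 4.5) config sets this mode to match Site A (2.0 pool).
    if mk_b is not None and mk_b.get("compatibilityMode") != "Framework20SP2":
        findings.append("Site B machineKey lacks compatibilityMode=Framework20SP2")
    # Step 2: both sites must read and write the same forms cookie name.
    def cookie_name(root):
        forms = root.find("system.web/authentication/forms")
        return forms.get("name", ".ASPXAUTH") if forms is not None else ".ASPXAUTH"
    if cookie_name(a) != cookie_name(b):
        findings.append("forms cookie name differs")
    # Step 3: with credentials allowed, the origin must be Site B's exact origin.
    headers = {h.get("name"): h.get("value")
               for h in a.findall("system.webServer/httpProtocol/customHeaders/add")}
    origin = headers.get("Access-Control-Allow-Origin")
    if headers.get("Access-Control-Allow-Credentials") == "true" and origin == "*":
        findings.append("wildcard origin cannot be combined with credentials")
    elif origin != site_b_origin:
        findings.append("Access-Control-Allow-Origin is not Site B's origin")
    return findings

# Constructed sample configs; the key values are placeholders, not real keys.
KEYS = 'validationKey="VK-PLACEHOLDER" decryptionKey="DK-PLACEHOLDER" validation="SHA1"'
SITE_A = f"""<configuration><system.web><machineKey {KEYS} />
<authentication mode="Forms"><forms name="SharedAuth" /></authentication></system.web>
<system.webServer><httpProtocol><customHeaders>
<add name="Access-Control-Allow-Origin" value="http://www.example.com:8000" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
SITE_B = f"""<configuration><system.web>
<machineKey compatibilityMode="Framework20SP2" {KEYS} /><authentication mode="Forms">
<forms name="SharedAuth" loginUrl="Login.aspx" /></authentication></system.web>
</configuration>"""
if __name__ == "__main__":
    print(check_shared_auth(SITE_A, SITE_B, "http://www.example.com:8000") or "consistent")
```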
Testing
Scenario A:
1. Go to Site B protected page
2. Authentication fails
3. Redirect to Default page (configured in Site B web.config file)
Scenario B:
1. Go to Site A Login Page
2. Log in to Site A successfully
3. Go to Site B protected page
4. Site B protected page loads successfully
5. Go to Site A and log out
6. Reload Site B protected page
7. Redirect to Default page (configured in Site B web.config file)
Other References
A. Send a request to the site with credentials
<script type="text/javascript">
  $(document).ready(function () {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'http://lacsuat.hkcic.org', true);
    xhr.withCredentials = true;
    xhr.send(null);
  });
</script>
B. Exclude a page from forms authentication
<configuration>
  <location path="ExcludedPage.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>