Julian Rodriguez

My feedback

  1. 10 votes
      Julian Rodriguez supported this idea  · 
    • 6 votes
        Julian Rodriguez shared this idea  · 
      • 155 votes
          Julian Rodriguez commented  · 

          Hi Demis, I'm a bit late to the party, but I thought I'd post some feedback here.

          - I primarily use this to leverage integrated (Kerberos/Negotiate) authentication from Windows. One early thing I needed to do was map a user's AD groups to ServiceStack Roles. Initially, I extended the LoadUserAuthInfo function to do an AD lookup to groups, then dump the list of groups to the user's AuthUserSession.Roles. This, while a common way people do AD authorization outside of Windows, is a bit expensive because of the LDAP lookup for every auth request. The original IIS request does contain the Kerberos ticket (with the AD groups already burned into the ticket), but I couldn't get the request without subclassing AspNetWindowsAuthProvider:

          using System.Collections.Generic;
          using System.Security.Principal;
          using ServiceStack;
          using ServiceStack.Auth;
          using ServiceStack.Web;

          public class CustomWindowsAuthProvider : AspNetWindowsAuthProvider
          {
              public CustomWindowsAuthProvider(IAppHost appHost) : base(appHost)
              {
              }

              public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
              {
                  // The underlying ASP.NET request carries the Windows identity that IIS authenticated.
                  var request = authService.Request.OriginalRequest as System.Web.HttpRequestWrapper;

                  using (WindowsIdentity userId = request?.LogonUserIdentity)
                  {
                      List<string> roles = new List<string>();
                      if (userId?.Groups != null)
                      {
                          // Groups holds the group SIDs from the user's logon token.
                          foreach (var group in userId.Groups)
                          {
                              // Translate throws IdentityNotMappedException when a SID cannot be resolved to an account name.
                              var groupName = new SecurityIdentifier(group.Value).Translate(typeof(NTAccount)).ToString();
                              // Remove the domain name from the name of the group, if it has it, and you don't need it.
                              if (groupName.Contains("\\"))
                                  groupName = groupName.Split('\\')[1];
                              roles.Add(groupName);
                          }
                      }
                      session.Roles = roles;
                  }
                  return base.OnAuthenticated(authService, session, tokens, authInfo);
              }
          }

          It would be nice if something similar to the above was burned into the base AspNetAuthProvider. (I'm not sure if the above works for all scenarios).

          - Given the above scenario (IIS with integrated authentication), how does the .NET SSE client authenticate? I didn't see a Credentials property for the SSE client.
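
An added example, not part of the original comment and not ServiceStack code: one way to do the group-to-role step described above while keeping the domain qualifier (so same-named groups from different domains stay distinct) and skipping SIDs that cannot be resolved. `GroupRoleMapper`, `ToRoles` and the sample role map are hypothetical names; it runs on Windows against the current process identity and assumes English built-in group names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class GroupRoleMapper
{
    // Maps group SIDs to role names through an explicit allow-list keyed on the
    // fully qualified NT account name, so CORP\Admins and OTHER\Admins never
    // collapse into one "Admins" role. Groups outside the map grant nothing.
    public static List<string> ToRoles(
        IEnumerable<IdentityReference> groups,
        IDictionary<string, string> roleMap)
    {
        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (groups == null) return new List<string>();

        foreach (var group in groups)
        {
            string account;
            try
            {
                account = group.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                continue; // orphaned or unresolvable SID: grants no role
            }

            string role;
            if (roleMap.TryGetValue(account, out role))
                roles.Add(role);
        }
        return new List<string>(roles);
    }

    public static void Main()
    {
        // Constructed sample map (hypothetical role names, English group names).
        var roleMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"BUILTIN\Users", "User" },
            { @"BUILTIN\Administrators", "Admin" },
        };

        using (var current = WindowsIdentity.GetCurrent())
        {
            foreach (var role in ToRoles(current.Groups, roleMap))
                Console.WriteLine(role);
        }
    }
}
```

In the provider above, the same call would take `userId.Groups` and its result would be assigned to `session.Roles`.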
