Julian Rodriguez

My feedback

  3. 155 votes
    8 comments  ·  Feature Requests
    Julian Rodriguez commented

    Hi Demis, I'm a bit late to the party, but I thought I'd post some feedback here.

    - I primarily use this to leverage integrated (Kerberos/Negotiate) authentication from Windows. One early thing I needed to do was map a user's AD groups to ServiceStack Roles. Initially, I extended the LoadUserAuthInfo function to do an AD lookup of groups, then dump the list of groups to the user's AuthUserSession.Roles. This, while a common way people do AD authorization outside of Windows, is a bit expensive because of the LDAP lookup for every auth request. The original IIS request does contain the Kerberos ticket (with the AD groups already burned into the ticket), but I couldn't get the request without subclassing AspNetWindowsAuthProvider:

    using System.Collections.Generic;
    using System.Security.Principal;
    using ServiceStack;
    using ServiceStack.Auth;
    using ServiceStack.Web;

    public class CustomWindowsAuthProvider : AspNetWindowsAuthProvider
    {
        public CustomWindowsAuthProvider(IAppHost appHost) : base(appHost)
        {
        }

        public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
        {
            // The underlying ASP.NET request carries the Windows logon identity set by IIS.
            var request = authService.Request.OriginalRequest as System.Web.HttpRequestWrapper;

            using (WindowsIdentity userId = request?.LogonUserIdentity)
            {
                List<string> roles = new List<string>();
                if (userId?.Groups != null)
                {
                    // Groups holds the group SIDs already present in the logon token.
                    foreach (var group in userId.Groups)
                    {
                        // Remove the domain name from the name of the group, if it has it, and you don't need it.
                        var groupName = new SecurityIdentifier(group.Value).Translate(typeof(NTAccount)).ToString();
                        if (groupName.Contains("\\"))
                            groupName = groupName.Split('\\')[1];
                        roles.Add(groupName);
                    }
                }
                session.Roles = roles;
            }
            return base.OnAuthenticated(authService, session, tokens, authInfo);
        }
    }

    It would be nice if something similar to the above was burned into the base AspNetAuthProvider. (I'm not sure if the above works for all scenarios).

    - Given the above scenario (IIS with integrated authentication), how does the .NET SSE client authenticate? I didn't see a Credentials property for the SSE client.
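
A stand-alone version of the token-group-to-role mapping discussed in the comment above, added here as an example and not code from the comment or from ServiceStack. `GroupRoleMapper`, `RolesFromToken`, `ToRoleName` and the `CORP` domain are hypothetical names; the mapper skips SIDs that cannot be translated and can keep the domain qualifier, because stripping it turns `CORP\Administrators` and `BUILTIN\Administrators` into the same role name.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class GroupRoleMapper
{
    // Hypothetical helper: maps the group SIDs already present in a Windows
    // logon token to role names, with no extra LDAP query.
    public static List<string> RolesFromToken(WindowsIdentity identity, bool keepDomain)
    {
        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (identity?.Groups == null)
            return new List<string>();

        foreach (IdentityReference group in identity.Groups)
        {
            string name;
            try
            {
                name = group.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // SID with no resolvable account name (for example a deleted
                // group): skip it instead of failing the whole login.
                continue;
            }
            roles.Add(ToRoleName(name, keepDomain));
        }
        return new List<string>(roles);
    }

    // Strips the "DOMAIN\" prefix only when the caller asks for it.
    public static string ToRoleName(string ntAccountName, bool keepDomain)
    {
        int slash = ntAccountName.IndexOf('\\');
        if (keepDomain || slash < 0) return ntAccountName;
        return ntAccountName.Substring(slash + 1);
    }

    public static void Main()
    {
        // Constructed names: both collapse to "Administrators" once the prefix is dropped.
        Console.WriteLine(ToRoleName(@"CORP\Administrators", keepDomain: false));
        Console.WriteLine(ToRoleName(@"BUILTIN\Administrators", keepDomain: false));
        // Windows only: list the current process identity's groups, domain-qualified.
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
            foreach (string role in RolesFromToken(me, keepDomain: true)) Console.WriteLine(role);
    }
}
```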
