
ASP.Net Identity 2.0 Unattended Login

I'm using ASP.Net Identity 2.2 in a web application and it's working great.

What I want to do is have a background service that accesses the web application in order to generate thumbnails and/or PDFs of some of the pages. This service may end up running within the w3wp.exe process and is triggered by certain web requests made by users, e.g. the user changes some settings and the background service is triggered to regenerate the thumbnails.

The problem is allowing the background service to access the pages without opening a back-door that others could use to access the pages. Currently I have code that can copy the authentication cookies from a web request and use them to request the pages and generate thumbnails but I need to be able to do this WITHOUT any existing connection to copy the cookies from. It needs to be able to get its own cookies.

The libraries I am using to generate PDFs / thumbnails work by making normal web requests to the web server and use headless browsers. I need to go through the web server as the pages include a lot of JavaScript and AJAX, so static pages would be difficult to generate.

Ideally it should use a "system" user that nobody on the web can log in as.

I don't want to be storing the password for a user in a form that can be reversibly decoded (all passwords are hashed in the database).

Does anyone have any idea how to do this?

I had the idea that if there were a solid way to identify that a request was coming from the thumbnail service, then the server could just call the signin() function without needing a password, but that is of course a difficult problem in itself, as we would want to protect against people running web browsers on the server to bypass security. I was thinking maybe a shared (single use) secret but not sure if this can be done securely enough.

You could make the service run with a particular user of your web service and then allow that user to access the specified resources of your web site, adding to your web.config something like this:

<location path="yourdomain/yourresource">
  <system.web>
    <authorization>
      <allow users="domainname\user" />
      <deny users="*" />
    </authorization>
  </system.web>
</location> 

In this way you will not have to create a fake user that has zero business value, nor hardcode or configure username and password in your service.
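
The shared single-use secret idea raised in the question, sketched as an added example (not code from the question, the answer or ASP.NET Identity). It assumes the thumbnail service runs inside the same w3wp.exe worker process as the site, as the question suggests it may; `RenderTicketStore`, its members and the 30-second lifetime are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: in-process, single-use, short-lived tickets that the
// background renderer attaches to the one page request it is about to make.
public static class RenderTicketStore
{
    private sealed class Entry
    {
        public string Path;           // the only URL path this ticket is valid for
        public DateTime ExpiresUtc;   // tickets unused after this time are rejected
    }

    private static readonly ConcurrentDictionary<string, Entry> Pending =
        new ConcurrentDictionary<string, Entry>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(30); // assumed value

    // Called by the thumbnail service just before it requests a page.
    public static string Issue(string path)
    {
        // Drop expired tickets that were never redeemed so the store cannot grow unbounded.
        foreach (var kv in Pending)
            if (kv.Value.ExpiresUtc < DateTime.UtcNow) { Entry dropped; Pending.TryRemove(kv.Key, out dropped); }

        var raw = new byte[32];       // 256 bits from the OS CSPRNG: not guessable
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string ticket = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        // Only a hash is kept, so a memory dump of the store does not yield usable tickets.
        Pending[Hash(ticket)] = new Entry { Path = path, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return ticket;
    }

    // Called by the web application when a request presents a ticket.
    public static bool Redeem(string ticket, string requestedPath)
    {
        if (string.IsNullOrEmpty(ticket)) return false;
        Entry entry;
        // TryRemove is atomic: a replayed ticket finds nothing and is rejected.
        if (!Pending.TryRemove(Hash(ticket), out entry)) return false;
        return DateTime.UtcNow <= entry.ExpiresUtc
            && string.Equals(entry.Path, requestedPath, StringComparison.OrdinalIgnoreCase);
    }

    private static string Hash(string ticket)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(ticket)));
    }
}
```

Because the store lives in process memory, a ticket issued in one worker process cannot be redeemed in another, so this does not survive a web garden or an application pool recycle. Sending the ticket in a request header rather than the query string keeps it out of the IIS request logs.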
