How Do I Get User-Entered Credentials and/or Permissions from the DssHost?
-
Tuesday, February 28, 2012 23:45
When AuthenticationRequired is set to true in the SecuritySettings.xml file, how can my code get the username and/or password entered by the user when they signed in? How can I get their roles? Is this even possible?
Really all I'm trying to do is secure my HttpGet and HttpPost messages by adding authentication/user roles data to the message headers, but I don't know how to get it from the DssHost.
All Replies
-
Wednesday, February 29, 2012 01:55 Owner
This information is not available to services.
Trevor
-
Wednesday, February 29, 2012 03:36
ok then, that's clear and simple. Thanks for the quick response.
I must be misunderstanding something in the answer to this forum question then:
Where do the 'security tokens' that are placed in the message headers come from then? I guess I assumed they must have been somehow related to the authentication, but your short and simple response now leads me to believe otherwise.
Also, another question about that post: where are the samples and/or documentation on how to extend the list of forwarders? I can't seem to find anything on how to "write my [your] own forwarder and add it to the forwarder "path"".
-
Wednesday, February 29, 2012 15:55
Instead of getting the log-in credentials from the DssHost, is there some way to add a hook to the Dss Node Homepage that would allow me to pop up my own user log-in screen?
Similarly, is there a way to configure the DSS-specific web server (that I am told is independent from IIS) to redirect page requests if some (security) condition is not met?
-
Thursday, March 1, 2012 01:41 Owner
The issue is that the information is in the Headers, but the Headers are not documented. Maybe I should have elaborated a little more. The information is there (obviously) but not easy to get at. If you are interested, poke around in the message itself. There is a HasHeaders flag and a Headers collection. You can use reflection in Visual Studio to look at the Microsoft.Dss.ServiceModel.Dssp.DsspOperation class.
The web server component of DssHost is in code that we only ship in binary form. You can't modify it. (That's part of the security design).
You could do some interesting things with an XSLT page associated with a service. Some of the samples that are included in the package have forms that can be used to input data to a service. However, typing credentials into a form this way would not be secure.
I can't guarantee that the Headers you want will be available and now I am getting out of my depth, so I might have to get somebody else to answer your questions.
Trevor
-
Thursday, March 1, 2012 01:44 Owner
Hmm. I take back what I just said about documentation. There is a small amount of documentation here:
http://msdn.microsoft.com/en-us/library/bb870541.aspx
Hopefully this will help you to figure out what you want.
Trevor
- Marked as Answer by Kobe1815 Thursday, March 1, 2012 15:46
-
Thursday, March 1, 2012 15:49
Thanks Trevor, that was a very helpful response.
If there is another team member that can provide more information, I would really appreciate their help as well.
Specifically, I am still puzzled about why Trevor Taylor said he can't guarantee that the Headers I want will be available.

