Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.

Shannon
2015-02-06 13:47:00 +11:00
parent 028ddfe290
commit 93df2edec2
22 changed files with 454 additions and 66 deletions


@@ -1,10 +1,15 @@
using System;
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;
using Microsoft.Owin;
using Newtonsoft.Json;
using Umbraco.Core.Configuration;
@@ -268,6 +273,23 @@ namespace Umbraco.Core.Security
return new HttpContextWrapper(http).GetUmbracoAuthTicket();
}
internal static FormsAuthenticationTicket GetUmbracoAuthTicket(this IOwinContext ctx)
{
if (ctx == null) throw new ArgumentNullException("ctx");
//get the ticket
try
{
return GetAuthTicket(ctx.Request.Cookies.ToDictionary(x => x.Key, x => x.Value), UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName);
}
catch (Exception)
{
//TODO: Do we need to do more here?? need to make sure that the forms cookie is gone, but is that
// taken care of in our custom middleware somehow?
ctx.Authentication.SignOut();
return null;
}
}
/// <summary>
/// This clears the forms authentication cookie
/// </summary>
@@ -301,16 +323,18 @@ namespace Umbraco.Core.Security
private static FormsAuthenticationTicket GetAuthTicket(this HttpContextBase http, string cookieName)
{
if (http == null) throw new ArgumentNullException("http");
var formsCookie = http.Request.Cookies[cookieName];
if (formsCookie == null)
var allKeys = new List<string>();
for (var i = 0; i < http.Request.Cookies.Keys.Count; i++)
{
return null;
allKeys.Add(http.Request.Cookies.Keys.Get(i));
}
var asDictionary = allKeys.ToDictionary(key => key, key => http.Request.Cookies[key].Value);
//get the ticket
try
{
return FormsAuthentication.Decrypt(formsCookie.Value);
return GetAuthTicket(asDictionary, cookieName);
}
catch (Exception)
{
@@ -320,6 +344,21 @@ namespace Umbraco.Core.Security
}
}
private static FormsAuthenticationTicket GetAuthTicket(IDictionary<string, string> cookies, string cookieName)
{
if (cookies == null) throw new ArgumentNullException("cookies");
if (cookies.ContainsKey(cookieName) == false) return null;
var formsCookie = cookies[cookieName];
if (formsCookie == null)
{
return null;
}
//get the ticket
return FormsAuthentication.Decrypt(formsCookie);
}
/// <summary>
/// Renews the forms authentication ticket & cookie
/// </summary>


@@ -54,6 +54,9 @@
<SpecificVersion>False</SpecificVersion>
<HintPath>..\packages\log4net-mediumtrust.2.0.0\lib\log4net.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Owin">
<HintPath>..\packages\Microsoft.Owin.3.0.0\lib\net45\Microsoft.Owin.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Web.Infrastructure, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll</HintPath>
@@ -70,6 +73,9 @@
<SpecificVersion>False</SpecificVersion>
<HintPath>..\packages\Newtonsoft.Json.6.0.4\lib\net45\Newtonsoft.Json.dll</HintPath>
</Reference>
<Reference Include="Owin">
<HintPath>..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
</Reference>
<Reference Include="System" />
<Reference Include="System.ComponentModel.DataAnnotations" />
<Reference Include="System.Configuration" />


@@ -10,10 +10,12 @@
<package id="Microsoft.Bcl" version="1.1.9" targetFramework="net45" />
<package id="Microsoft.Bcl.Build" version="1.0.14" targetFramework="net45" />
<package id="Microsoft.Net.Http" version="2.2.28" targetFramework="net45" />
<package id="Microsoft.Owin" version="3.0.0" targetFramework="net45" />
<package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net40" />
<package id="MiniProfiler" version="2.1.0" targetFramework="net45" />
<package id="MySql.Data" version="6.6.5" targetFramework="net40" />
<package id="Newtonsoft.Json" version="6.0.4" targetFramework="net45" />
<package id="Owin" version="1.0" targetFramework="net45" />
<package id="SharpZipLib" version="0.86.0" targetFramework="net40" />
<package id="SqlServerCE" version="4.0.0.0" targetFramework="net40" />
</packages>


@@ -152,6 +152,14 @@
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>


@@ -0,0 +1,61 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Umbraco.Web.Security.Identity;
using Umbraco.Web.UI;
[assembly: OwinStartup(typeof(OwinStartup))]
namespace Umbraco.Web.UI
{
/// <summary>
/// Summary description for Startup
/// </summary>
public class OwinStartup
{
public void Configuration(IAppBuilder app)
{
////Single method to configure the Identity user manager for use with Umbraco
//app.ConfigureUserManagerForUmbraco<UmbracoApplicationUser>();
//// Enable the application to use a cookie to store information for the
//// signed in user and to use a cookie to temporarily store information
//// about a user logging in with a third party login provider
//// Configure the sign in cookie
//app.UseCookieAuthentication(new CookieAuthenticationOptions
//{
// AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
// Provider = new CookieAuthenticationProvider
// {
// // Enables the application to validate the security stamp when the user
// // logs in. This is a security feature which is used when you
// // change a password or add an external login to your account.
// OnValidateIdentity = SecurityStampValidator
// .OnValidateIdentity<UmbracoMembersUserManager<UmbracoApplicationUser>, UmbracoApplicationUser, int>(
// TimeSpan.FromMinutes(30),
// (manager, user) => user.GenerateUserIdentityAsync(manager),
// identity => identity.GetUserId<int>())
// }
//});
//Ensure owin is configured for Umbraco back office authentication - this must
// be configured AFTER the standard UseCookieConfiguration above.
app.UseUmbracoBackAuthentication();
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
}
}
}
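Review bot: The comment above `app.UseUmbracoBackAuthentication()` says it must be configured after "the standard UseCookieConfiguration above", but that call is commented out, so a reader cannot tell what ordering is actually required. Either delete the commented block or reword the comment, for example `// Back office cookie auth; if a front-end UseCookieAuthentication is added later, register it BEFORE this call.` The class summary is still the template text; `/// OWIN startup class that registers the Umbraco back office authentication middleware` would say what the class does.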


@@ -2579,7 +2579,7 @@ xcopy "$(ProjectDir)"..\packages\SqlServerCE.4.0.0.0\x86\*.* "$(TargetDir)x86\"
<AutoAssignPort>True</AutoAssignPort>
<DevelopmentServerPort>7300</DevelopmentServerPort>
<DevelopmentServerVPath>/</DevelopmentServerVPath>
<IISUrl>http://localhost:7300</IISUrl>
<IISUrl>http://localhost:7301</IISUrl>
<NTLMAuthentication>False</NTLMAuthentication>
<UseCustomServer>False</UseCustomServer>
<CustomServerUrl>
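Review bot: `IISUrl` appears to move to port 7301 while `DevelopmentServerPort` a few lines up stays at 7300, which looks like a local IIS Express setting that slipped into an authentication commit. If the change is intended the two values should agree; otherwise keep `<IISUrl>http://localhost:7300</IISUrl>`.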


@@ -9,6 +9,9 @@ using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Security;
using AutoMapper;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Umbraco.Core;
using Umbraco.Core.Configuration;
using Umbraco.Core.Models.Membership;
@@ -109,6 +112,14 @@ namespace Umbraco.Web.Editors
//TODO: Clean up the int cast!
var ticket = UmbracoContext.Security.PerformLogin(user);
//TODO: Normally we'd do something like this for identity, but we're mixing and matching legacy and new here
// so we'll keep the legacy way and move forward with this in our custom handler for now, eventually replacing
// the above legacy logic with the new stuff.
//OwinContext.Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
//OwinContext.Authentication.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent },
// await user.GenerateUserIdentityAsync(UserManager));
var http = this.TryGetHttpContext();
if (http.Success == false)
{


@@ -7,6 +7,7 @@ using Microsoft.Owin.Extensions;
using Owin;
using Umbraco.Core;
using Umbraco.Core.Configuration;
using Umbraco.Core.Logging;
namespace Umbraco.Web.Security.Identity
{
@@ -52,7 +53,12 @@ namespace Umbraco.Web.Security.Identity
app.Use(typeof (UmbracoBackOfficeAuthenticationMiddleware),
//ctor params
app, new UmbracoBackOfficeAuthenticationOptions(), UmbracoConfig.For.UmbracoSettings().Security);
app,
new UmbracoBackOfficeCookieAuthenticationOptions(
UmbracoConfig.For.UmbracoSettings().Security,
GlobalSettings.TimeOutInMinutes,
GlobalSettings.UseSSL),
LoggerResolver.Current.Logger);
app.UseStageMarker(PipelineStage.Authenticate);
return app;


@@ -0,0 +1,62 @@
using System;
using System.Web.Security;
using Microsoft.Owin.Security;
using Newtonsoft.Json;
using Umbraco.Core.Security;
namespace Umbraco.Web.Security.Identity
{
/// <summary>
/// Custom secure format that uses the old FormsAuthentication format
/// </summary>
internal class FormsAuthenticationSecureDataFormat : ISecureDataFormat<AuthenticationTicket>
{
private readonly int _loginTimeoutMinutes;
public FormsAuthenticationSecureDataFormat(int loginTimeoutMinutes)
{
_loginTimeoutMinutes = loginTimeoutMinutes;
}
public string Protect(AuthenticationTicket data)
{
//TODO: Where to get the user data?
//var userDataString = JsonConvert.SerializeObject(userdata);
var ticket = new FormsAuthenticationTicket(
5,
data.Identity.Name,
data.Properties.IssuedUtc.HasValue ? data.Properties.IssuedUtc.Value.LocalDateTime : DateTime.Now,
data.Properties.ExpiresUtc.HasValue ? data.Properties.ExpiresUtc.Value.LocalDateTime : DateTime.Now.AddMinutes(_loginTimeoutMinutes),
data.Properties.IsPersistent,
"", //User data here!! This will come from the identity
"/"
);
return FormsAuthentication.Encrypt(ticket);
}
public AuthenticationTicket Unprotect(string protectedText)
{
FormsAuthenticationTicket decrypt;
try
{
decrypt = FormsAuthentication.Decrypt(protectedText);
if (decrypt == null) return null;
}
catch (Exception)
{
return null;
}
var identity = new UmbracoBackOfficeIdentity(decrypt);
return new AuthenticationTicket(identity, new AuthenticationProperties
{
ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
IsPersistent = decrypt.IsPersistent
});
}
}
}
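Review bot: `Protect` always writes an empty string as the ticket's user data, yet `Unprotect` hands the decrypted ticket to `new UmbracoBackOfficeIdentity(decrypt)`, so a cookie issued by this class (sign-in or sliding renewal) no longer carries what the legacy ticket stored there. The identity constructor is not shown; if it parses `UserData`, a renewed cookie would either fail to authenticate or authenticate with less data than the original login. Until the TODO is resolved, state the limitation on the class, e.g. `// NOTE: user data is not round-tripped yet; a cookie written by Protect must not replace a legacy ticket`. `new UmbracoBackOfficeIdentity(decrypt)` also sits outside the `try`, so `Unprotect` can throw where its other failure paths return null.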


@@ -1,26 +1,35 @@
using System;
using System.Reflection;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Security;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Infrastructure;
using Newtonsoft.Json;
using Umbraco.Core.Configuration.UmbracoSettings;
using Umbraco.Core.Security;
using Umbraco.Core;
using Umbraco.Core.Logging;
namespace Umbraco.Web.Security.Identity
{
/// <summary>
/// Used to allow normal Umbraco back office authentication to work
/// </summary>
public class UmbracoBackOfficeAuthenticationHandler : AuthenticationHandler<UmbracoBackOfficeAuthenticationOptions>
public class UmbracoBackOfficeAuthenticationHandler : AuthenticationHandler<UmbracoBackOfficeCookieAuthenticationOptions>
{
private readonly ISecuritySection _securitySection;
private readonly ILogger _logger;
private bool _shouldRenew;
private DateTimeOffset _renewIssuedUtc;
private DateTimeOffset _renewExpiresUtc;
public UmbracoBackOfficeAuthenticationHandler(ISecuritySection securitySection)
public UmbracoBackOfficeAuthenticationHandler(ILogger logger)
{
_securitySection = securitySection;
_logger = logger;
}
/// <summary>
@@ -33,24 +42,165 @@ namespace Umbraco.Web.Security.Identity
/// so that it assigns the new Principal object on the OWIN request:
/// http://brockallen.com/2013/10/27/host-authentication-and-web-api-with-owin-and-active-vs-passive-authentication-middleware/
/// </remarks>
protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
{
if (ShouldAuthRequest())
{
var authTicket = GetAuthTicket(Request, _securitySection.AuthCookieName);
if (authTicket != null)
var ticket = GetAuthTicket(Request);
if (ticket == null)
{
return Task.FromResult(new AuthenticationTicket(new UmbracoBackOfficeIdentity(authTicket), new AuthenticationProperties()));
_logger.Warn<UmbracoBackOfficeAuthenticationHandler>(@"Unprotect ticket failed");
return null;
}
DateTimeOffset currentUtc = Options.SystemClock.UtcNow;
DateTimeOffset? issuedUtc = ticket.Properties.IssuedUtc;
DateTimeOffset? expiresUtc = ticket.Properties.ExpiresUtc;
if (expiresUtc != null && expiresUtc.Value < currentUtc)
{
return null;
}
if (issuedUtc != null && expiresUtc != null && Options.SlidingExpiration)
{
TimeSpan timeElapsed = currentUtc.Subtract(issuedUtc.Value);
TimeSpan timeRemaining = expiresUtc.Value.Subtract(currentUtc);
if (timeRemaining < timeElapsed)
{
_shouldRenew = true;
_renewIssuedUtc = currentUtc;
TimeSpan timeSpan = expiresUtc.Value.Subtract(issuedUtc.Value);
_renewExpiresUtc = currentUtc.Add(timeSpan);
}
}
var context = new CookieValidateIdentityContext(Context, ticket, Options);
await Options.Provider.ValidateIdentity(context);
return new AuthenticationTicket(context.Identity, context.Properties);
}
return Task.FromResult<AuthenticationTicket>(null);
return await Task.FromResult<AuthenticationTicket>(null);
}
protected override async Task ApplyResponseGrantAsync()
{
AuthenticationResponseGrant signin = Helper.LookupSignIn(Options.AuthenticationType);
bool shouldSignin = signin != null;
AuthenticationResponseRevoke signout = Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode);
bool shouldSignout = signout != null;
if (shouldSignin || shouldSignout || _shouldRenew)
{
var cookieOptions = new CookieOptions
{
Domain = Options.CookieDomain,
HttpOnly = Options.CookieHttpOnly,
Path = Options.CookiePath ?? "/",
};
if (Options.CookieSecure == CookieSecureOption.SameAsRequest)
{
cookieOptions.Secure = Request.IsSecure;
}
else
{
cookieOptions.Secure = Options.CookieSecure == CookieSecureOption.Always;
}
if (shouldSignin)
{
var context = new CookieResponseSignInContext(
Context,
Options,
Options.AuthenticationType,
signin.Identity,
signin.Properties);
DateTimeOffset issuedUtc = Options.SystemClock.UtcNow;
DateTimeOffset expiresUtc = issuedUtc.Add(Options.ExpireTimeSpan);
context.Properties.IssuedUtc = issuedUtc;
context.Properties.ExpiresUtc = expiresUtc;
Options.Provider.ResponseSignIn(context);
if (context.Properties.IsPersistent)
{
cookieOptions.Expires = expiresUtc.ToUniversalTime().DateTime;
}
var model = new AuthenticationTicket(context.Identity, context.Properties);
string cookieValue = Options.TicketDataFormat.Protect(model);
Response.Cookies.Append(
Options.CookieName,
cookieValue,
cookieOptions);
}
else if (shouldSignout)
{
Response.Cookies.Delete(
Options.CookieName,
cookieOptions);
}
else if (_shouldRenew)
{
AuthenticationTicket model = await AuthenticateAsync();
model.Properties.IssuedUtc = _renewIssuedUtc;
model.Properties.ExpiresUtc = _renewExpiresUtc;
string cookieValue = Options.TicketDataFormat.Protect(model);
if (model.Properties.IsPersistent)
{
cookieOptions.Expires = _renewExpiresUtc.ToUniversalTime().DateTime;
}
Response.Cookies.Append(
Options.CookieName,
cookieValue,
cookieOptions);
}
//Response.Headers.Set(
// HeaderNameCacheControl,
// HeaderValueNoCache);
//Response.Headers.Set(
// HeaderNamePragma,
// HeaderValueNoCache);
//Response.Headers.Set(
// HeaderNameExpires,
// HeaderValueMinusOne);
bool shouldLoginRedirect = shouldSignin && Options.LoginPath.HasValue && Request.Path == Options.LoginPath;
bool shouldLogoutRedirect = shouldSignout && Options.LogoutPath.HasValue && Request.Path == Options.LogoutPath;
if ((shouldLoginRedirect || shouldLogoutRedirect) && Response.StatusCode == 200)
{
IReadableStringCollection query = Request.Query;
string redirectUri = query.Get(Options.ReturnUrlParameter);
if (!string.IsNullOrWhiteSpace(redirectUri)
//&& IsHostRelative(redirectUri)
)
{
var redirectContext = new CookieApplyRedirectContext(Context, Options, redirectUri);
Options.Provider.ApplyRedirect(redirectContext);
}
}
}
}
private bool ShouldAuthRequest()
{
var httpContext = Context.HttpContextFromOwinContext();
// do not process if client-side request
if (httpContext.Request.Url.IsClientSideRequest())
return false;
@@ -62,21 +212,20 @@ namespace Umbraco.Web.Security.Identity
/// Returns the current FormsAuth ticket in the request
/// </summary>
/// <param name="request"></param>
/// <param name="cookieName"></param>
/// <returns></returns>
private static FormsAuthenticationTicket GetAuthTicket(IOwinRequest request, string cookieName)
private AuthenticationTicket GetAuthTicket(IOwinRequest request)
{
if (request == null) throw new ArgumentNullException("request");
var formsCookie = request.Cookies[cookieName];
if (formsCookie == null)
var formsCookie = request.Cookies[Options.CookieName];
if (string.IsNullOrWhiteSpace(formsCookie))
{
return null;
}
//get the ticket
try
{
return FormsAuthentication.Decrypt(formsCookie);
return Options.TicketDataFormat.Unprotect(formsCookie);
}
catch (Exception)
{
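Review bot: In `ApplyResponseGrantAsync` the `IsHostRelative(redirectUri)` test is commented out, so after sign-in or sign-out the value of the `ReturnUrlParameter` query string reaches `Options.Provider.ApplyRedirect` with no check that it stays on this site, which leaves an open redirect on the login and logout paths. The check should be restored, with the helper added to this class if it was not carried over. The no-cache response headers just above it are commented out as well, so a response that sets the auth cookie may be stored by an intermediary cache; those should come back too. `GetAuthTicket` at the end of the section continues outside the hunk.

```csharp
string redirectUri = query.Get(Options.ReturnUrlParameter);
if (!string.IsNullOrWhiteSpace(redirectUri) && IsHostRelative(redirectUri))
{
    // … unchanged: CookieApplyRedirectContext / Options.Provider.ApplyRedirect …
}

// … elsewhere in the handler class …

// Accepts only a path on this host: "/x" passes; "//host", "/\host" and absolute URLs do not.
private static bool IsHostRelative(string path)
{
    if (string.IsNullOrEmpty(path))
    {
        return false;
    }
    if (path.Length == 1)
    {
        return path[0] == '/';
    }
    return path[0] == '/' && path[1] != '/' && path[1] != '\\';
}
```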


@@ -2,25 +2,30 @@
using Microsoft.Owin.Security.Infrastructure;
using Owin;
using Umbraco.Core.Configuration.UmbracoSettings;
using Umbraco.Core.Logging;
namespace Umbraco.Web.Security.Identity
{
/// <summary>
/// Used to enable the normal Umbraco back office authentication to operate
/// </summary>
public class UmbracoBackOfficeAuthenticationMiddleware : AuthenticationMiddleware<UmbracoBackOfficeAuthenticationOptions>
public class UmbracoBackOfficeAuthenticationMiddleware : AuthenticationMiddleware<UmbracoBackOfficeCookieAuthenticationOptions>
{
private readonly ISecuritySection _securitySection;
private readonly ILogger _logger;
public UmbracoBackOfficeAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app, UmbracoBackOfficeAuthenticationOptions options, ISecuritySection securitySection)
public UmbracoBackOfficeAuthenticationMiddleware(
OwinMiddleware next,
IAppBuilder app,
UmbracoBackOfficeCookieAuthenticationOptions options,
ILogger logger)
: base(next, options)
{
_securitySection = securitySection;
_logger = logger;
}
protected override AuthenticationHandler<UmbracoBackOfficeAuthenticationOptions> CreateHandler()
protected override AuthenticationHandler<UmbracoBackOfficeCookieAuthenticationOptions> CreateHandler()
{
return new UmbracoBackOfficeAuthenticationHandler(_securitySection);
return new UmbracoBackOfficeAuthenticationHandler(_logger);
}
}
}


@@ -1,18 +0,0 @@
using Microsoft.Owin.Security;
namespace Umbraco.Web.Security.Identity
{
/// <summary>
/// Umbraco auth options - really just ensures that it is operating in Active mode
/// </summary>
public sealed class UmbracoBackOfficeAuthenticationOptions : AuthenticationOptions
{
public UmbracoBackOfficeAuthenticationOptions()
: base("UmbracoBackOffice")
{
//Must be active, this needs to look at each request to determine if it should execute,
// if set to passive this will not be the case
AuthenticationMode = AuthenticationMode.Active;
}
}
}


@@ -0,0 +1,35 @@
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Umbraco.Core.Configuration;
using Umbraco.Core.Configuration.UmbracoSettings;
namespace Umbraco.Web.Security.Identity
{
/// <summary>
/// Umbraco auth cookie options
/// </summary>
public sealed class UmbracoBackOfficeCookieAuthenticationOptions : CookieAuthenticationOptions
{
public UmbracoBackOfficeCookieAuthenticationOptions()
: this(UmbracoConfig.For.UmbracoSettings().Security, GlobalSettings.TimeOutInMinutes, GlobalSettings.UseSSL)
{
}
public UmbracoBackOfficeCookieAuthenticationOptions(ISecuritySection securitySection, int loginTimeoutMinutes, bool forceSsl)
{
AuthenticationType = "UmbracoBackOffice";
TicketDataFormat = new FormsAuthenticationSecureDataFormat(loginTimeoutMinutes);
CookieDomain = securitySection.AuthCookieDomain;
CookieName = securitySection.AuthCookieName;
CookieHttpOnly = true;
CookieSecure = forceSsl ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
CookiePath = "/";
LoginPath = new PathString("/umbraco/login"); //TODO: ??
}
}
}
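Review bot: `loginTimeoutMinutes` is only passed to the data format, so `ExpireTimeSpan` keeps the `CookieAuthenticationOptions` default (14 days, as far as I know), and the handler's sign-in path, which computes `expiresUtc` from `Options.ExpireTimeSpan`, would issue back office cookies that live far longer than the configured timeout. Set it in the constructor with `ExpireTimeSpan = TimeSpan.FromMinutes(loginTimeoutMinutes);` (this file then needs `using System;`). The options class this one replaces set `AuthenticationMode = AuthenticationMode.Active` with a comment explaining why; keeping that line and comment here would preserve the intent even if Active is the default. `securitySection` is dereferenced without a null check.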


@@ -91,7 +91,7 @@ namespace Umbraco.Web.Security
/// Logs the user in
/// </summary>
/// <param name="user"></param>
/// <returns>returns the number of seconds until their session times out</returns>
/// <returns>returns the Forms Auth ticket created which is used to log them in</returns>
public virtual FormsAuthenticationTicket PerformLogin(IUser user)
{
var ticket = _httpContext.CreateUmbracoAuthTicket(new UserData(Guid.NewGuid().ToString("N"))


@@ -138,8 +138,9 @@
<HintPath>..\packages\Microsoft.AspNet.Identity.Owin.2.1.0\lib\net45\Microsoft.AspNet.Identity.Owin.dll</HintPath>
</Reference>
<Reference Include="Microsoft.CSharp" />
<Reference Include="Microsoft.Owin">
<HintPath>..\packages\Microsoft.Owin.2.1.0\lib\net45\Microsoft.Owin.dll</HintPath>
<Reference Include="Microsoft.Owin, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<SpecificVersion>False</SpecificVersion>
<HintPath>..\packages\Microsoft.Owin.3.0.0\lib\net45\Microsoft.Owin.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Owin.Security">
<HintPath>..\packages\Microsoft.Owin.Security.2.1.0\lib\net45\Microsoft.Owin.Security.dll</HintPath>
@@ -540,10 +541,11 @@
<Compile Include="Scheduling\ILatchedBackgroundTask.cs" />
<Compile Include="Scheduling\RecurringTaskBase.cs" />
<Compile Include="Security\Identity\AppBuilderExtensions.cs" />
<Compile Include="Security\Identity\FormsAuthenticationSecureDataFormat.cs" />
<Compile Include="Security\Identity\OwinExtensions.cs" />
<Compile Include="Security\Identity\UmbracoBackOfficeAuthenticationHandler.cs" />
<Compile Include="Security\Identity\UmbracoBackOfficeAuthenticationMiddleware.cs" />
<Compile Include="Security\Identity\UmbracoBackOfficeAuthenticationOptions.cs" />
<Compile Include="Security\Identity\UmbracoBackOfficeCookieAuthenticationOptions.cs" />
<Compile Include="Scheduling\TaskAndFactoryExtensions.cs" />
<Compile Include="Strategies\Migrations\ClearCsrfCookiesAfterUpgrade.cs" />
<Compile Include="Strategies\Migrations\ClearMediaXmlCacheForDeletedItemsAfterUpgrade.cs" />


@@ -180,26 +180,26 @@ namespace Umbraco.Web
/// </remarks>
static void AuthenticateRequest(object sender, EventArgs e)
{
var app = (HttpApplication)sender;
var http = new HttpContextWrapper(app.Context);
//var app = (HttpApplication)sender;
//var http = new HttpContextWrapper(app.Context);
// do not process if client-side request
if (http.Request.Url.IsClientSideRequest())
return;
//// do not process if client-side request
//if (http.Request.Url.IsClientSideRequest())
// return;
var req = new HttpRequestWrapper(app.Request);
//var req = new HttpRequestWrapper(app.Request);
if (ShouldAuthenticateRequest(req, UmbracoContext.Current.OriginalRequestUrl))
{
//TODO: Here we should have an authentication mechanism, this mechanism should be smart in the way that the ASP.Net 5 pipeline works
// in which each registered handler will attempt to authenticate and if it fails it will just call Next() so the next handler
// executes. If it is successful, it doesn't call next and assigns the current user/principal.
// This might actually all be possible with ASP.Net Identity and how it is setup to work already, need to investigate.
//if (ShouldAuthenticateRequest(req, UmbracoContext.Current.OriginalRequestUrl))
//{
// //TODO: Here we should have an authentication mechanism, this mechanism should be smart in the way that the ASP.Net 5 pipeline works
// // in which each registered handler will attempt to authenticate and if it fails it will just call Next() so the next handler
// // executes. If it is successful, it doesn't call next and assigns the current user/principal.
// // This might actually all be possible with ASP.Net Identity and how it is setup to work already, need to investigate.
var ticket = http.GetUmbracoAuthTicket();
// var ticket = http.GetUmbracoAuthTicket();
http.AuthenticateCurrentRequest(ticket, ShouldIgnoreTicketRenew(UmbracoContext.Current.OriginalRequestUrl, http) == false);
}
// http.AuthenticateCurrentRequest(ticket, ShouldIgnoreTicketRenew(UmbracoContext.Current.OriginalRequestUrl, http) == false);
//}
}
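Review bot: With the body of `AuthenticateRequest` commented out, the `ShouldIgnoreTicketRenew(...)` argument that was passed to `AuthenticateCurrentRequest` has no visible counterpart in the new handler, whose `AuthenticateCoreAsync` sets `_shouldRenew` from the ticket times alone. If some back office requests were excluded from renewal so that background polling does not keep a session alive, that protection is lost and an idle session may never expire; this needs confirming against the handler's `ShouldAuthRequest`, only part of which is shown. The dead code is better deleted than commented out. If the empty handler has to stay registered, say why: `// Authentication is now performed by UmbracoBackOfficeAuthenticationMiddleware (OWIN).`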


@@ -51,6 +51,10 @@
<assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>


@@ -19,7 +19,7 @@
<package id="Microsoft.Bcl" version="1.1.9" targetFramework="net45" />
<package id="Microsoft.Bcl.Build" version="1.0.14" targetFramework="net45" />
<package id="Microsoft.Net.Http" version="2.2.28" targetFramework="net45" />
<package id="Microsoft.Owin" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin" version="3.0.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.Cookies" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.OAuth" version="2.1.0" targetFramework="net45" />


@@ -26,6 +26,10 @@
<assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>


@@ -4,5 +4,7 @@
<package id="Microsoft.AspNet.Mvc" version="4.0.30506.0" targetFramework="net40" />
<package id="Microsoft.AspNet.Razor" version="2.0.30506.0" targetFramework="net40" />
<package id="Microsoft.AspNet.WebPages" version="2.0.30506.0" targetFramework="net40" />
<package id="Microsoft.Owin" version="3.0.0" targetFramework="net45" />
<package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net40" />
<package id="Owin" version="1.0" targetFramework="net45" />
</packages>


@@ -113,10 +113,16 @@
<Reference Include="AutoMapper.Net4">
<HintPath>..\packages\AutoMapper.3.0.0\lib\net40\AutoMapper.Net4.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Owin">
<HintPath>..\packages\Microsoft.Owin.3.0.0\lib\net45\Microsoft.Owin.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Web.Infrastructure, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll</HintPath>
</Reference>
<Reference Include="Owin">
<HintPath>..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
</Reference>
<Reference Include="System" />
<Reference Include="System.configuration" />
<Reference Include="System.Core">


@@ -31,6 +31,10 @@
<assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>