Security

  1. #1

    Security

    Hi,

    just looking at coolite and wondering how all the json stuff fits in with the asp.net forms authentication?

    E.g. in this example
    https://examples1.ext.net/#/GridPane...s/Json_Reader/

    it is using a handler

    and in this example https://examples1.ext.net/#/GridPane...g_and_Sorting/

    it is wrapping an object datasource in an <ext:Store> tag, which uses a JsonReader.

    the datasource has parameters
    start
    limit
    sort
    dir

    the store has
    RemoteSort="true"

    My question is what is exposed to the client side?
    What parameters do I have to validate?

    Does the page act as the handler and use the same security on an ajax request?

    For the first example can the handler be secured using forms authentication,
    and get access to the current user via Membership.GetUser,
    and then to calculate what the handler returns based on the logged in user?

    How does the ajax used in coolite compare to the asp.net ajax used by microsoft?

    Thanks

  2. #2

    RE: Security

    How does the ajax used in coolite compare to the asp.net ajax used by microsoft?
    It should be handled just the same. I was hoping to post a full sample for you, but just haven't had the time.

    If the authentication is stored in a cookie (FormsAuthentication), then the same standard issue cookies with ASP.NET_SessionId information are sent with every request. If you're requesting from a '.NET' endpoint (.aspx, .ashx, .asmx, WCF, MVC, etc) the request is handled by the same .NET pipeline as all requests.

    The user token can be retrieved as normal since it's fetched from the Request object (cookie).

    It just so happens that the Response is a Json formatted document. The Request knows nothing (and doesn't care) about the Response.

    Hope this helps.

    Geoffrey McGill
    Founder
  3. #3

    RE: Security

    Yep, I just ran a quick test with the MVC sample application (http://mvc.ext.net) and the User Identity object is fully accessible during a Json Request (really a Json Response).

    Example


    throw new Exception(this.User.Identity.Name); // works, throws exception with "demo"

    Geoffrey McGill
    Founder
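The following is an added example, not code from the thread or from Ext.NET/Coolite, putting the two points above into one .ashx handler: the forms-authentication cookie travels with the Store's AJAX request, so the handler can read the current identity from the request and refuse anonymous callers, and the start/limit/sort/dir parameters the question lists are all client-controlled, so they are clamped or matched against a whitelist before use. The `SecureGridHandler` class, the `Order` rows and the column whitelist are constructed for the example; it assumes the Store's JsonReader is configured with Root pointing at `data` and TotalProperty pointing at `total`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Script.Serialization;

// Added example (not Ext.NET/Coolite code): an .ashx handler that serves a
// JsonReader-style response only to authenticated users and validates the
// paging/sorting parameters a remote-sorting Store sends.
public class SecureGridHandler : IHttpHandler
{
    // Constructed sample rows; a real handler would query a data source.
    private class Order { public int Id; public string Owner; public string Customer; public decimal Amount; }

    private static readonly List<Order> Orders = new List<Order>
    {
        new Order { Id = 1, Owner = "demo",  Customer = "Acme",    Amount = 120.50m },
        new Order { Id = 2, Owner = "demo",  Customer = "Globex",  Amount = 75.00m  },
        new Order { Id = 3, Owner = "alice", Customer = "Initech", Amount = 300.00m },
        new Order { Id = 4, Owner = "demo",  Customer = "Umbrella", Amount = 42.10m }
    };

    // Whitelist of sortable columns. The client-supplied "sort" value is only
    // ever used to select one of these keys; it is never concatenated into a query.
    private static readonly Dictionary<string, Func<Order, object>> SortColumns =
        new Dictionary<string, Func<Order, object>>(StringComparer.OrdinalIgnoreCase)
    {
        { "Id",       o => o.Id },
        { "Customer", o => o.Customer },
        { "Amount",   o => o.Amount }
    };

    private const int MaxPageSize = 100;

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "application/json";

        // The forms-auth cookie is sent with the Store's AJAX request, so the same
        // identity the page sees is available here. Checking it in the handler is
        // defence in depth on top of any <authorization> rules in web.config; an
        // AJAX caller gets a 401 rather than a redirect to the login page.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.Write("{\"success\":false,\"message\":\"not authenticated\"}");
            return;
        }
        string user = context.User.Identity.Name; // Membership.GetUser() would also work here

        // Validate every client-controlled paging/sorting parameter.
        int start = ParseInt(context.Request["start"], 0, 0, int.MaxValue);
        int limit = ParseInt(context.Request["limit"], 25, 1, MaxPageSize);
        string sort = context.Request["sort"] ?? "Id";
        if (!SortColumns.ContainsKey(sort)) sort = "Id";
        bool descending = string.Equals(context.Request["dir"], "DESC", StringComparison.OrdinalIgnoreCase);

        // Authorization: what the handler returns depends on the logged-in user.
        List<Order> visible = Orders.Where(o => o.Owner == user).ToList();
        int total = visible.Count;

        Func<Order, object> key = SortColumns[sort];
        IEnumerable<Order> sorted = descending ? visible.OrderByDescending(key) : visible.OrderBy(key);

        var page = sorted.Skip(start).Take(limit)
            .Select(o => new { o.Id, o.Customer, o.Amount })
            .ToList();

        // Shape assumed by the example: reader Root = "data", TotalProperty = "total".
        var payload = new { success = true, total = total, data = page };
        context.Response.Write(new JavaScriptSerializer().Serialize(payload));
    }

    // Parses an integer query value, falling back to a default and clamping to [min, max].
    private static int ParseInt(string raw, int fallback, int min, int max)
    {
        int value;
        if (!int.TryParse(raw, out value)) return fallback;
        return Math.Max(min, Math.Min(max, value));
    }

    public bool IsReusable { get { return true; } }
}
```

Registered as, say, `Orders.ashx` and pointed at by the Store's Url, this handler never trusts the sort column name or the page size from the client, and the per-user filter means two users hitting the same URL get different row sets from the same code path the page itself runs under.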
