Dion Scher - 82 - Jul 8, 2014

I’m getting an error and can’t figure out what I’m doing wrong:

“Type definitions should start with a ‘{’, expecting serialized type ‘MessageHistoryResponse’, got string starting with: 
<!DOCTYPE html>
<html>
<head>
    <meta name=“
The client code is simply:

var client = new JsonServiceClient(Url);

try
{
    var messageHistoryResponse = client.Send(new MessageHistory
                        {
                            Take = 20,
                            Skip = 0
                        });
}
catch (WebServiceException e)
{
    Console.WriteLine(e);
}
I have a request filter in place as follows:

 public override void Execute(IRequest req, IResponse res, object requestDto)
{
    var token = req.Headers["authtoken"];

    if (token != null)
    {
        //Authenticated code
    }

    if (_logger.IsDebugEnabled)
        _logger.DebugFormat("[Token {0}] Access Denied", token);

    res.ReturnAuthRequired();
}
This is following one of the examples but instead of receiving a webexception, it throws a Serialization exception. I’m not sure how best to handle this?

All of my services use a standard requestDto/responseDto pattern. From the docs I was expecting a WebException to be thrown, which I could then handle. But instead it’s a SerializationException and doesn’t report that the Auth failed.

Anyone got any ideas to help me?

Dion Scher:

thank you thank you thank you… changed it to return a 403 Forbidden error and I’m back in business. Thanks for your help. Greatly appreciated!

Can you use Fiddler to show the full contents of the HTML page? I want to know if it’s an ASP.NET error or a SS error page.

Dion Scher:

Hmmm… looks like an HTTP Error. Not sure why. I will investigate further. Thanks.


<!DOCTYPE html>
<html>
<head>
    <meta name="viewport" content="width=device-width" />
    <title>Login</title>
    <link href='http://fonts.googleapis.com/css?family=Roboto:300' rel='stylesheet' type='text/css'>
     <link href="/Content/site.css" rel="stylesheet"/>

     <link href="/Content/themes/base/jquery.ui.core.css" rel="stylesheet"/>
<link href="/Content/themes/base/jquery.ui.resizable.css" rel="stylesheet"/>
<link href="/Content/themes/base/jquery.ui.selectable.css" rel="stylesheet"/>
<link href="/Content/themes/base/jquery.ui.autocomplete.css" rel="stylesheet"/>
<link href="/Content/themes/base/jquery.ui.button.css" rel="stylesheet"/>
<link href="/Content/themes/base/jquery.ui.dialog.css" rel="stylesheet"/>
<link href="/Content/themes/base/jquery.ui.theme.css" rel="stylesheet"/>

     <link href="/Content/themes/uniformjs/default/css/uniform.default.css" rel="stylesheet"/>

     <script src="/Scripts/jquery-2.1.0.js"></script>
<script src="/Scripts/jquery-migrate-1.2.1.js"></script>

     <script src="/Scripts/jquery-ui-1.10.4.js"></script>

     <script src="/Scripts/jquery.unobtrusive-ajax.js"></script>
<script src="/Scripts/jquery.validate.js"></script>
<script src="/Scripts/jquery.validate.unobtrusive.js"></script>

    <script src="/Scripts/jquery.uniform.js"></script>

    <script type="text/javascript">
        $(function () {
            $("#LoginForm").validate({
                rules: {
                    UserName: { required: true },
                    Password: { required: true }
                }
            });
            $.validator.messages.required = '';
            //$("input[type=text], input[type=password]").uniform();
           
        });
    </script>
</head>
    <body>       
        <div id="loginformouter">
            <h1>Login</h1>
            <div id="loginforminner">

<form Id="LoginForm" ReturnUrl="/api/MessageHistory" action="/Account/Login" method="post"><input name="__RequestVerificationToken" type="hidden" value="Kdk-Ac4QTO51GONiAv0spKOW9TFRzv_fny7pdg6KL_9wMhRxQW0od3HD4uVBrl1FRJ8rFrpMxLE3lanBkW9jEBEJck_VKiy2w6vd3MtNZK01" />                    <div class="editor-label">
                        <label for="UserName">Username</label>
                    </div>
                    <div class="editor-field">
                        <input data-val="true" data-val-required="
" id="UserName" name="UserName" type="text" value="" />
                        <span class="field-validation-valid" data-valmsg-for="UserName" data-valmsg-replace="true"></span>
                    </div>
                    <div class="editor-label">
                        <label for="Password">Password</label>
                    </div>
                    <div class="editor-field">
                        <input data-val="true" data-val-required="*" id="Password" name="Password" type="password" />
                        <span class="field-validation-valid" data-valmsg-for="Password" data-valmsg-replace="true"></span>
                    </div>
                    <div class="editor-label">&nbsp;</div>
                    <div class="editor-field">
                        <input id="btnlogin" type="submit" value="LOGIN" style="width: 100px;height:40px;font-size:1em;" /> <a id="forgotpasswordlink" href="/Account/ForgotPassword">Forgot Password?</a>
                    </div>    
</form>
            </div> 
        </div>
    </body>
</html>

Dion Scher:

Not sure what could be causing it to go to the login page on 401 error…

Dion Scher:

Looks like it might be this line causing a redirect to that page:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" />
    </authentication>

Not sure why it’s taking over from a SS error though.

Yeah, ASP.NET Forms auth can hijack and take over any ASP.NET request.
Note: ASP.NET Auth is incompatible with SS Auth and the ServiceClients; it doesn’t make sense to try and use both.

Dion Scher:

Due to compatibility issues, we’re only using ASP .NET auth. However the problem exists because SS and ASP .NET are running in the same web application. I’m using the SS configuration of :

  <location path="api">
    <system.web>
      <httpHandlers>
        <add path="*" type="ServiceStack.HttpHandlerFactory, ServiceStack" verb="*" />
      </httpHandlers>
    </system.web>
    <!-- Required for IIS7 -->
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true" />
      <validation validateIntegratedModeConfiguration="false" />
      <handlers>
        <add path="*" name="ServiceStack.Factory" type="ServiceStack.HttpHandlerFactory, ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
      </handlers>
    </system.webServer>
  </location>

Dion Scher:

I created a request filter in order to check the validity of security tokens. As I didn’t want to do something silly like copy and paste code into every service method, using a SS request filter seemed the best approach. Any ideas on how I can keep control with SS or change the filter return to work? Otherwise, if not, any suggestions on how best to handle this kind of scenario?

By ending the request with a res.ReturnAuthRequired() it returns a 401 HttpStatusCode.Unauthorized error, which is what ASP.NET built-in Auth listens to in order to kick in and hijack the request. You could try using the FormHijackingPrevention module to try and ignore hijacking the request for SS routes: https://github.com/ServiceStack/ServiceStack/wiki/Form-Hijacking-Prevention
Otherwise you would have to change the exception into a 400 Error or something else to prevent FormsAuth from hijacking the request.
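
The resolution reached in this thread, written out as an added example (it is not code posted by anyone in the thread): the token filter ends rejected requests with a 403 instead of `ReturnAuthRequired()`'s 401, and the client handles that status. It assumes the ServiceStack v4 packages; `RequireAuthTokenAttribute`, `TokenValidator`, `MessageHistoryCaller` and the DTO bodies are hypothetical names and stand-ins.

```csharp
using System;
using System.Net;
using ServiceStack;
using ServiceStack.Web;

// Stand-ins for the DTOs named in the question (their real fields are not shown there).
public class MessageHistory : IReturn<MessageHistoryResponse>
{
    public int Take { get; set; }
    public int Skip { get; set; }
}
public class MessageHistoryResponse { }

// Hypothetical filter name; apply it as [RequireAuthToken] on a service or request DTO.
public class RequireAuthTokenAttribute : RequestFilterAttribute
{
    // Assumed hook for the application's token check; rejects everything until set.
    public static Func<string, bool> TokenValidator = token => false;

    public override void Execute(IRequest req, IResponse res, object requestDto)
    {
        var token = req.Headers["authtoken"];
        // Fail closed: only a validated token lets the request continue.
        if (!string.IsNullOrEmpty(token) && TokenValidator(token))
            return;
        // 403 rather than ReturnAuthRequired()'s 401, so Forms auth does not
        // replace the response with a redirect to loginUrl.
        res.StatusCode = (int)HttpStatusCode.Forbidden;
        res.StatusDescription = "Invalid or missing authtoken";
        res.EndRequest();
    }
}

public static class MessageHistoryCaller
{
    public static MessageHistoryResponse Fetch(string url, string token)
    {
        var client = new JsonServiceClient(url);
        client.Headers.Add("authtoken", token);
        try
        {
            return client.Send(new MessageHistory { Take = 20, Skip = 0 });
        }
        catch (WebServiceException e)
        {
            // The rejection now arrives as a typed HTTP error, not an HTML login page.
            if (e.StatusCode == (int)HttpStatusCode.Forbidden)
                throw new UnauthorizedAccessException("authtoken rejected", e);
            throw;
        }
    }
}
```

With the original 401, the same client call received the login page's HTML with a success status, which is why it surfaced as a SerializationException rather than a WebServiceException.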