Tutorial: ASP.NET MVC: How to call a secured page from a Windows app?



Question:

I have a MVC app that has forms authentication enabled.

The app allows printing of invoices.

I have an external app that converts html to pdf.

How can I call the secured page from this pdf converter app so that some security remains?

The PDF converter app just requires a URL.

One thought was to create an HttpHandler for an extension of, say, .print and pass a public key in the URL querystring that can be validated by the MVC app.

Any ideas on this?

Malcolm


Solution 1:

You can do a number of things to secure this.

  1. Use OAuth to implement the security in the application. This allows the user of the invoicing app to authenticate when accessing the PDF app.
  2. Implement OpenID, SAML or other single sign-on protocol to re-authenticate the user.
  3. Implement a custom scheme: POST the key to access the PDF app, make sure to use SSL, use a nonce.

Options 1 and 2 are similar. Option 3 is fairly secure if implemented correctly. Most times you want to use a tried and tested solution as implementing these things with a good level of security can be tricky. There are libraries out there to help with options 1 and 2.

Query strings are easily exposed; do not pass keys on the query string, as SSL will not protect them. If you implement your solution you should POST to the server and send the key in the body of the request. That way SSL can protect the key in transit. You should also use a nonce value to protect your PDF converter app.
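One way to implement the server side of option 3, as an added example that is not part of the original answer: the MVC app issues a short-lived, HMAC-signed token containing a random nonce, and the print action reads it from the POST body over SSL and redeems it once. The class name `PrintTokenService`, the token layout and the two-minute lifetime are assumptions made for this sketch.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: issues and validates single-use print tokens.
public sealed class PrintTokenService
{
    private readonly byte[] _key;   // server-side secret, never sent to the client
    private readonly TimeSpan _lifetime = TimeSpan.FromMinutes(2);
    // Redeemed nonces with their expiry. In-memory, so single server only;
    // entries past their expiry should be purged periodically.
    private readonly ConcurrentDictionary<string, DateTime> _used =
        new ConcurrentDictionary<string, DateTime>();

    public PrintTokenService(byte[] key) { _key = key; }

    // Token layout (constructed for this example): invoiceId.expiryTicks.nonce.mac
    public string Issue(int invoiceId, DateTime nowUtc)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string payload = invoiceId + "." + nowUtc.Add(_lifetime).Ticks + "." + Hex(nonce);
        return payload + "." + Mac(payload);
    }

    public bool TryRedeem(string token, int invoiceId, DateTime nowUtc)
    {
        string[] p = (token ?? "").Split('.');
        long expiry;
        if (p.Length != 4 || !long.TryParse(p[1], out expiry)) return false;
        string payload = p[0] + "." + p[1] + "." + p[2];
        if (!FixedTimeEquals(Mac(payload), p[3])) return false;  // forged or altered
        if (p[0] != invoiceId.ToString()) return false;          // bound to one invoice
        if (nowUtc.Ticks > expiry) return false;                 // expired
        return _used.TryAdd(p[2], new DateTime(expiry));         // false if nonce replayed
    }

    private string Mac(string payload)
    {
        using (var h = new HMACSHA256(_key))
            return Hex(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    private static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];  // no early exit
        return diff == 0;
    }
}
```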

