|
Rank: Advanced Member Groups: Member
Joined: 12/13/2017 Posts: 29
|
Hi,
background
We have an MVC Core website that generates the HTML and then POSTs it to a .Net Framework web api to do the HTML to PDF rendering using eo.pdf. The HTML has a <base href="https://our mvc website/"> in the <head>.
The IIS logs for the mvc core website shows that the css files are being requested anonymously and IIS is returning a 401.2 response.
Q. Why isn't the request to get the css using the app pool identity? I have read that it uses the client's security context, but this would be multiple hops so would never work. Is there an option to use the App pool identity when it is running the chromium browser?
Thanks and Regards.
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,221
|
Hi,
The HTML to PDF converter will try to use the calling thread's security context. This is not necessarily the same as the app pool identity. For example, if IIS impersonation is enabled, then it will switch to the client user's security context to run the request in that context. The general idea is to use an account with as little privilege as possible. This also means the privilege the HTML to PDF converter receives is usually less than the privilege of the app pool account.
As a simple test, you can use WindowsIdentity.GetCurrent to check the current user context. That should help you identify the root of the problem.
Thanks!
|
|
Rank: Advanced Member Groups: Member
Joined: 12/13/2017 Posts: 29
|
Hi,
As you will be aware, credentials are lost over multiple hops, so it is pointless using the client's security context in this situation. My question is ...
How can I make it use the app pool identity.
Regards.
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,221
|
We use your current calling code's security context. This is not necessarily the client's security context. I mentioned the client's security context in my previous post just to give you an example of how your code could run in a different security context than the app pool's security context. So basically, if you have two lines of code like this:
Code: C#
DoSomethingElse();
HtmlToPdf.ConvertHtml(...);
Then we (the second line) will receive exactly the same permission/privilege as the first line DoSomethingElse(). This is how it is supposed to work. In other words, we take whatever you give us as is. Exactly how you get to this point, how many hops you have made before you reach us, is controlled by you, not by us. Because of this and also because security is a generic Windows topic, we do not provide support on it. So you may want to search online on how to call specific code with the app pool identity. It is neither our responsibility nor our expertise to cover such topics since the issue is generic in nature and it does not have anything particular to do with our product.
|
|
Rank: Advanced Member Groups: Member
Joined: 12/13/2017 Posts: 29
|
Hi,
Thanks for the update. It sounds like there is nothing that can be done then. If I make a call to a database, then this will use the web api's app pool identity. EO.pdf is showing as making anonymous calls when getting the css etc from the calling web site.
e.g. User --> Website (html generation) --> web api (pdf rendering) --> website (for css etc)
The website IIS logs show anonymous calls from the web api.
Sql server shows database calls from the app pool identity of the web api.
Regards.
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,221
|
Hi,
You have to find out how your web server handles the authentication and exactly what it needs to establish the credentials. Once you find out exactly what it needs, you can then look into our product to find out whether there is a way to pass that information to your web server through our product or not; we may have a way for you to pass it through or may not. Once you are clear about the first part (how your web server handles authentication and what it needs), we can help you with the second part (whether there is a way to provide such information through our product).
Thanks!
|
|
Rank: Advanced Member Groups: Member
Joined: 12/13/2017 Posts: 29
|
Hi. I really appreciate this. Thank you.
So our security pipeline is as follows:-
1. Our Website requests an oAuth2.0 token for the AD user (me)
2. The website generates the HTML with a base address of the website
3. The html is POSTed to a web api with the oAuth token in the header
4. The web api controller has [Authorize] and I am logging the following security context information:-
a) this.User.Identity.Name --> me
b) WindowsIdentity.GetCurrent().Name --> app pool usercode
c) WindowsIdentity.GetCurrent().IsAuthenticated --> True
d) WindowsIdentity.GetCurrent().ImpersonationLevel --> None
IIS logs showing requests for css etc. (obfuscated where necessary). This shows that the GET is anonymous and returns a 401.2:
2018-12-10 16:52:03 10.64.40.67 GET /template/css/purple.css - 443 - 10.XX.XX.XX Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.9+Safari/537.36 https://ourwebapi/ 401 2 5 0
Website is .Net Core 2.1 behind IIS; web api is .Net Framework in IIS.
Regards.
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,221
|
Hi, This makes sense. OAuth is a protocol on top of the HTTP protocol, so whatever authentication result you have between the client and your website is exchanged between your client and your website. It does not propagate further automatically. The following flow is a very simplified version of what's going on:
1. Your client logs in and gets an access token. Say access_token=123456;
2. Your client accesses a protected resource using this token. Say http://yourserver/protected_resource?access_token=123456;
3. Your server checks this access token and proceeds after verifying this token;
4. Your server side code also calls HtmlToPdf.ConvertUrl("http://yourserver/protected_resource2") to convert another protected page;
5. Note that the access token does not exist in the Url you passed to ConvertUrl. As a result, once this request reaches your web server again, it will be treated as anonymous;
So the key is for you to pass whatever information you have in step 2 to EO.Pdf in step 4, and this does not happen automatically. In reality it's much more complicated than just passing a single access token. And you may also need to use HTTP POST instead of HTTP GET (ConvertUrl uses HTTP GET). You can take a look at this Microsoft document about exactly how oAuth works and how you can satisfy your web server: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Hope this helps. Thanks!
|
|
Rank: Advanced Member Groups: Member
Joined: 12/13/2017 Posts: 29
|
Hi,
It is not quite as you describe, as it looks like you think that both the web api and the website are secured by tokens, but they are not. Only the web api is secured by a token; the website is secured by Windows Authentication. The css is held on the website and as such is not protected by a token but is protected by Windows Authentication. So long as your software passes on the App pool Identity (WindowsIdentity.GetCurrent()) then this would all be fine.
Trying to use the User.Identity would not be fine for multiple reasons. BUT, in your earlier post you say "We use your current calling code's security context. This is not necessarily the client's security context".
So it looks like you are telling me that you are going to be using the App pool identity when getting the css from the website. And hence this should be good. But obviously it is not "good", so something is not how I understand it. Can you confirm that the call to the website to get the css is under the web api's app pool identity. Is there any logging that would show this?
Regards.
|
|
Rank: Advanced Member Groups: Member
Joined: 12/13/2017 Posts: 29
|
SOLUTION
Hi, I now have a working solution. I have accepted that EO.Pdf will request the CSS etc as ANONYMOUS and have therefore configured the Mvc Core web site to work with both Anonymous and Windows Authentication schemes.
This requires both IIS to be set to allow both Anonymous and Windows Authentication for the website.
The website needs a code change as follows:-
Note: Requires Nuget package Microsoft.AspNetCore.Authentication
Startup.cs
// set the default authentication scheme when IIS allows anonymous and windows authentication
services.AddAuthentication(IISDefaults.AuthenticationScheme);
Web.config
<add accessType="Allow" users="?" />
I now get anonymous requests to the website but they get 200 responses now.
I hope this is helpful to someone else.
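Added example, not the poster's code, of how the solution above can be narrowed so that only the static assets the converter fetches are reachable anonymously while every MVC action still requires a Windows-authenticated user. It assumes ASP.NET Core 2.1 hosted behind IIS with both Anonymous and Windows Authentication enabled, as described in the post; the fallback-policy filter is the added part.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Same call as in the solution post: with IIS accepting both Anonymous and
        // Windows Authentication, the IIS (Windows) scheme is the default, so a
        // request carrying a Negotiate/NTLM ticket is authenticated and a request
        // without one (the converter's CSS fetch) arrives as anonymous.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        // Added here: a fallback policy so that every MVC action requires an
        // authenticated user unless it is explicitly marked [AllowAnonymous].
        // Enabling anonymous access in IIS would otherwise expose any controller
        // that lacks its own [Authorize] attribute, not just the CSS.
        var requireAuthenticatedUser = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        services.AddMvc(options =>
            options.Filters.Add(new AuthorizeFilter(requireAuthenticatedUser)));
    }

    public void Configure(IApplicationBuilder app)
    {
        // Static files (the CSS the converter requests) are served by this
        // middleware before the request ever reaches MVC, so they remain
        // reachable anonymously. Everything routed to a controller passes
        // through the authorization filter registered above.
        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}
```

The IIS-level rule can be confined the same way: wrapping the `<authorization>` block that contains `<add accessType="Allow" users="?" />` in a `<location path="...">` element limits the anonymous allowance to that asset folder instead of the whole site.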
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,221
|
Aaron wrote:Hi,
It is not quite as you describe, as it looks like you think that both the web api and the website are secured by tokens, but they are not. Only the web api is secured by a token; the website is secured by Windows Authentication. The css is held on the website and as such is not protected by a token but is protected by Windows Authentication. So long as your software passes on the App pool Identity (WindowsIdentity.GetCurrent()) then this would all be fine.
Trying to use the User.Identity would not be fine for multiple reasons. BUT, in your earlier post you say "We use your current calling code's security context. This is not necessarily the client's security context".
So it looks like you are telling me that you are going to be using the App pool identity when getting the css from the website. And hence this should be good. But obviously it is not "good", so something is not how I understand it. Can you confirm that the call to the website to get the css is under the web api's app pool identity. Is there any logging that would show this?
Regards.
I am not sure where the missing link is between what we tell you and what you understood, and how we can help you to connect the two. What we are telling you is: We use your calling code's security context. What you are saying is: It looks like you are telling me that you are going to be using the App pool identity. These two are NOT THE SAME. We have already given you an example of how they can be different. The calling code's security context is the security context of the calling thread at the exact moment you call our code. By definition it can change and often changes (that's the purpose of it). The app pool identity is the identity that establishes the security context for the IIS worker process and it does not change throughout that process's lifetime. In any case, we are happy that you have found a workable solution.
|
|