http://identitymodel.codeplex.com/
https://identityserver.github.io/
Windows Identity Foundation
6.1.7600.16394
Windows Identity Foundation enables .NET developers to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperable federation. Enjoy greater productivity, applying the same tools and programming model to build on-premises software as well as cloud services. Create more secure applications by reducing custom implementations and using a single simplified identity model based on claims. Enjoy greater flexibility in application deployment through interoperability based on industry standard protocols, allowing applications and identity infrastructure services to communicate via claims.
To install Windows Identity Foundation, run the following command in the Package Manager Console
CORS support in WebAPI, MVC and IIS with Thinktecture.IdentityModel
My second contribution to the Thinktecture.IdentityModel security library is a full-featured CORS implementation. Many other sample implementations only emit the Access-Control-Allow-Origin header, but there’s more to it than that. The implementation in Thinktecture.IdentityModel follows the W3C Working Draft 3 from April 2012. There is a rich configuration API to control the various settings that are involved with CORS. These settings include which resource you want to configure, which origins are allowed, which HTTP methods are allowed, which request and/or response headers are allowed and are cookies allowed.
In this first release there is support for WebAPI, ASP.NET MVC and IIS. For WebAPI you configure your settings per controller. For MVC you can configure the settings per controller or for specific controller actions. For IIS you configure the settings per URL. If there’s enough interest, then perhaps in a future version I can add support for WCF REST and WCF Data Services.
I won’t bother explaining CORS since there are already enough posts on it elsewhere. Instead I’ll just show how to get started with the library. First, reference the NuGet package. Next, depending on the type of application (WebAPI, MVC or IIS) you need to configure how you want CORS support. Below shows each of the different environments:
WebAPI
In WebAPI the implementation is a delegating handler. This allows the CORS settings to be global or per-route (which is forthcoming post-RC). For example if you were to configure it globally then in global.asax‘s Application_Start you would have a call out to the configuration class passing the global HttpConfiguration object (this follows the new style of factoring out configuration to separate classes in the App_Start folder):
|
1
2
3
4
5
6
|
protected void Application_Start(){ ... CorsConfig.RegisterCors(GlobalConfiguration.Configuration);} |
And then in App_Start/CorsConfig.cs:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
public class CorsConfig{ public static void RegisterCors(HttpConfiguration httpConfig) { WebApiCorsConfiguration corsConfig = newWebApiCorsConfiguration(); // this adds the CorsMessageHandler to the HttpConfiguration's // MessageHandlers collection corsConfig.RegisterGlobal(httpConfig); // this allow all CORS requests to the Products controller // from the http://foo.com origin. corsConfig .ForResources("Products") .ForOrigins("http://foo.com") .AllowAll(); }} |
In WebAPI resources are identified by the controller name as in the above example for the“Products” controller.
MVC
In MVC you need to register a HttpModule to enable CORS support, so in web.config:
|
1
2
3
4
5
6
|
<system.webServer> <modules runAllManagedModulesForAllRequests="true"> <add name="MvcCorsHttpModule" type="Thinktecture.IdentityModel.Http.Cors.Mvc.MvcCorsHttpModule"/> </modules></system.webServer> |
And then again in global.asax you would configure the settings:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
protected void Application_Start(){ ... RegisterCors(MvcCorsConfiguration.Configuration);}private void RegisterCors(MvcCorsConfiguration corsConfig){ corsConfig .ForResources("Products.GetProducts") .ForOrigins("http://foo.com") .AllowAll();} |
In MVC resources can either be identified just by the controller name (with just “Controller” for the resource name) or by the controller and action (as with the above sample with the“Controller.Action” syntax).
IIS
In IIS you need to register a HttpModule (different than the one for MVC), so in web.config:
|
1
2
3
4
5
6
|
<system.webServer> <modules> <add name="CorsHttpModule" type="Thinktecture.IdentityModel.Http.Cors.IIS.CorsHttpModule"/> </modules></system.webServer> |
And then again in global.asax you would configure the settings:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
protected void Application_Start(object sender, EventArgs e){ ... ConfigureCors(UrlBasedCorsConfiguration.Configuration);}void ConfigureCors(CorsConfiguration corsConfig){ corsConfig .ForResources("~/Handler1.ashx") .ForOrigins("http://foo.com", "http://bar.com") .AllowAll();} |
In IIS resources are identified by the application relative path (thus the “~/path/resource”syntax).
Other Configuration Options
While the above samples show a minimal amount of code to get CORS enabled and running in your app, these are some of the least restrictive settings. Typically more thought should go into the settings and so there is a rich API for configuring the various CORS settings. Here are some more examples:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
public static void ConfigureCors(CorsConfiguration corsConfig){ // this allows http://foo.com to do GET or POST on Values1 controller corsConfig .ForResources("Values1") .ForOrigins("http://foo.com") .AllowMethods("GET", "POST"); // this allows http://foo.com to do GET and POST, pass cookies and // read the Foo response header on Values2 controller corsConfig .ForResources("Values2") .ForOrigins("http://foo.com") .AllowMethods("GET", "POST") .AllowCookies() .AllowResponseHeaders("Foo"); // this allows http://foo.com and http://foo.com to do GET, POST, // and PUT and pass the Content-Type header to Values3 controller corsConfig .ForResources("Values3") .ForOrigins("http://foo.com", "http://bar.com") .AllowMethods("GET", "POST", "PUT") .AllowRequestHeaders("Content-Type"); // this allows http://foo.com to use any method, pass cookies, and // pass the Content-Type, Foo and Authorization headers, and read // the Foo response header for Values4 and Values5 controllers corsConfig .ForResources("Values4", "Values5") .ForOrigins("http://foo.com") .AllowAllMethods() .AllowCookies() .AllowRequestHeaders("Content-Type", "Foo", "Authorization") .AllowResponseHeaders("Foo"); // this allows all methods and all request headers (but no cookies) // from all origins to Values6 controller corsConfig .ForResources("Values6") .AllowAllOriginsAllMethodsAndAllRequestHeaders(); // this allows all methods (but no cookies or request headers) // from all origins to Values7 controller corsConfig .ForResources("Values7") .AllowAllOriginsAllMethods(); // this allows all CORS requests from origin http://bar.com // for all resources that have not been explicitly configured corsConfig .ForOrigins("http://bar.com") .AllowAll(); // this allows all CORS requests to all other resources that don’t // have an explicit configuration. This opens them to all origins, all // HTTP methods, all request headers and cookies. This is the API to use // to get started, but it’s a sledgehammer in the sense that *everything* // is wide-open. corsConfig.AllowAll();} |
Of course, feedback is welcome. Enjoy.
Edit: Common configuration issues when enabling CORS on IIS.