ASP.NET 4.5 and ASP.NET Core 1 Hosting BLOG

Tutorial and Articles about ASP.NET 4.0 and the latest ASP.NET 4.5 Hosting

IIS Hosting - ASPHostPortal.com :: Using SSL in ASP.NET Web API

clock December 3, 2013 12:02 by author Mike

SSL works on the public-private key encryption and requires an SSL Certificate on the server. SSL certificates come in different flavors and normally some third party agency issues them to you. Once obtained you need to enable and install the certificate on your web server. For the sake of testing you can create a test certificate in IIS or you can also use IIS Express SSL URL for the communication. Let's quickly see how both of these options can be used.

Using SSL in IIS

Let's first see how to create a test certificate in IIS. Open IIS manager and select the server under the connections pane. Locate Server Certificates in the Features view and double click on it.Server Certificates.

Server Certificates

Server Certificates

Then click on the "Create Self-signed Certificate" link from the actions page to open a dialog as shown below:

Create Self-Signed Certificate
Create Self-Signed Certificate

Enter some friendly name for the certificate and click on OK. You should now have an entry for this new certificate under Server Certificates.

Your New Certificate
Your New Certificate

Notice that in addition to your newly created certificated there is already an entry for IIS Express Development Certificate.

Next, select the website where you wish to install the certificate and click on the Bindings option under the Edit site section of the Action pane. Add HTTPS binding using the newly created certificated as shown below:

Add Site Binding
Add Site Binding

Keep the default port number unchanged, select your certificate name in the SSL certificate dropdownlist. Click OK to close the dialog.

Using SSL in IIS Express

If you are using IIS Express as the development server, things are quite easy. Just select the project in the Solution Explorer and press F4 to open its Properties window.

Project Properties
Project Properties

Set the SSL Enabled property to True. Setting SSL Enabled to True will reveal the SSL URL. In this case it is https://localhost:44300/. You should use this URL while making Web API calls.

Forcing Requests to Use SSL

In many cases you will have both HTTP and HTTPS bindings to your website and you may want to ensure that Web API is called only over HTTPS. To accomplish this task you need to create a custom authorization filter. So, add a class in the Web API project, name it as UseSSLAttribute. Inherit UseSSLAttribute class from AuthorizationFilterAttribute class. The following code shows the completed UseSSLAttribute class:

 public class UseSSLAttribute:AuthorizationFilterAttribute
{
  public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
  {
    if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
    {
      HttpResponseMessage msg = new HttpResponseMessage();
      msg.StatusCode = HttpStatusCode.Forbidden;
      msg.ReasonPhrase = "SSL Needed!";
      actionContext.Response = msg;
    }
    else
    {
      base.OnAuthorization(actionContext);
    }
  }
}

As you can see the UseSSLAttribute class overrides the OnAuthorization() method of the AuthorizationFilterAttribute. Inside the OnAuthorization() method the current scheme of the incoming request is checked using the RequestUrl.Scheme property. If the scheme is anything other than Uri.UriSchemeHttps a new HttpResponseMessage is constructed. The StatusCode property of the response message is set to Forbidden indicating that the server refused to process the request. The ReasonPhrase includes a short phrase describing the reason for refusal. This text will be displayed to the end user via jQuery code in case HTTPS is not used to access the Web API. Finally, the Response property of the actionContext parameter is set to the newly constructed message.

Now you can decorate the Web API action methods using the UseSSL attribute. The following  code shows a GetColors() method that has [UseSSL] attribute applied.

public class ColorController : ApiController
{
  [UseSSL]
  public IEnumerable<string> GetColors()
  {
    return new string[] { "Blue", "Red", "Yellow" };
  }
}

To call the GetColors() method you can use the following jQuery code from a view.

$(document).ready(function () {
  $("#button1").click(function () {
    var options = {};
    options.url = "/api/color";
    options.type = "GET";
    options.contentType = "application/json";
    options.success = function (result) { alert(result); };
    options.error = function (err) { alert(err.statusText); };
    $.ajax(options);
  });
});

 

The above code assumes that the Index view has a button with ID button1 and clicking on the button will invoke the Web API. As you can see the URL is set to /api/color. The type is GET. The success function simply displays the return value of GetColors() method using an alert dialog. Similarly the error function displays the statusText of the err object using an alert dialog. If you run the application and try to invoke the above code over HTTP you will get an error as shown below:

Error Message
Error Message

Now switch to the HTTPS URL - https://localhost:44300/ - as mentioned earlier and try invoking the same code again. While using SSL your browser may give you a warning as shown below:

Warning Message
Warning Message

This warning is issued since you are using a test certificate. Click on the Continue to this website option and invoke the code. This time you should get the color values successfully.

Color Values
Color Values


If your website deals with sensitive data it is recommended to use Secure Sockets Layer or SSL. SSL establishes an encrypted channel of communication between the server and client browser. To use SSL you must install a server side certificate. For the sake of testing you can create a test certificate using IIS or use an inbuilt mechanism of IIS Express. To enforce SSL on Web API you can create a custom authorization filter that checks the request scheme. If the scheme is HTTPS only then the call is processed, otherwise an error is sent to the client.



IIS 8 Hosting - 3 Huge Improvements in IIS 8

clock January 21, 2013 08:20 by author andy_yo

Internet Information Services (IIS) 8 includes many new and improved features that make moving to Windows Server 2012 compelling for organizations that rely on Windows Servers as their web server. For developers and system administrators that are looking to mirror that IIS environment on their workstation for development or testing, IIS 8 gives another reason to move your workstation to Windows 8.

About ASPHostPortal.com

ASPHostPortal.com is Microsoft No #1 Recommended Windows and ASP.NET Spotlight Hosting Partner in United States. Microsoft presents this award to ASPHostPortal.com for ability to support the latest Microsoft and ASP.NET technology, such as: WebMatrix, WebDeploy, Visual Studio 2012, ASP.NET 4.5, ASP.NET MVC 4.0, Silverlight 5 and Visual Studio Lightswitch. Click here for more information

Improvement 1: Centralized SSL Certificate Management

With IIS on Windows 8 or Windows Server 2012, you can take advantage of the SSL certificate management console. This is a central management console that is able to install certificates and work with certificates across all IIS 8 web servers.

This includes the ability to more rapidly bring new servers online by being able to import all certificates that are needed. If a certificate needs to be renewed on multiple systems, it can be done through the IIS 8 certificate management console. You no longer have to log onto each system to update the certificate.

 

Note: Centralized SSL Certificate management is installed as a separate feature. You can install IIS without Centralized SSL Certificate Support. Centralized SSL Certificate Support is in the security section of “Windows Features.”

Improvement 2: Application Initialization

One frustrating problem that many web server admins face is the problem of slow-responding sites as web applications are initializing. A common workaround is to use tools and scripts to “cold start” the applications early in the morning so that the sites are ready to perform: The in-memory cache is loaded, and in some cases the content must be generated, before the IIS server is ready to respond to HTTP requests.

With IIS 8, Application Initialization lets you establish rules for “warming up” sites. For example, you can have larger applications begin the initialization process earlier than smaller applications. You can also configure through application initialization a new splash screen to be displayed in case people find themselves waiting while the application is initializing.

I can see a much better user experience by logging onto a SharePoint site early in the morning and having the first page displayed being a simple “Please wait while this application is being prepared for use” splash screen instead of just a blank page and a spinning circle.

Improvement 3: Dynamic IP Address Restrictions

Restricting access to a website by its IP address is nothing new -- admins have long been able to do that. You can even restrict by a block of IPs in an address range.

The problem that persists is tracking down all of the IP addresses to block. This would usually take a long time of parsing through logs, and even if going through the logs and filtering out the IP addressed were scripted, it is done in a reactive manner.

Instead, using the Dynamic IP Address Restrictions feature in IIS 8 for Windows 8 and Windows Server 2012, you can specify on a per web application level the maximum number of connections that an IP address can create within a certain time frame. And you can also specify the maximum number of attempts that can be made into the IIS 8 server from an IP address within a specific time. Any attempts beyond what is allowed are automatically filtered out, making your web applications and your web server much more resistant to malicious activity.

Dynamic IP Address Restrictions is added as an additional feature of IIS that is not installed by default. To install the feature, open Windows Features, then place a check in the box to select Web Server (IIS) -> Web Server -> Security -> IP and Domain Restrictions. After all that, click Finish.



Cheap ASP.NET 4.5 Hosting

We’re a company that works differently to most. Value is what we output and help our customers achieve, not how much money we put in the bank. It’s not because we are altruistic. It’s based on an even simpler principle. "Do good things, and good things will come to you".

Success for us is something that is continually experienced, not something that is reached. For us it is all about the experience – more than the journey. Life is a continual experience. We see the Internet as being an incredible amplifier to the experience of life for all of us. It can help humanity come together to explode in knowledge exploration and discussion. It is continual enlightenment of new ideas, experiences, and passions


Author Link


 

Corporate Address (Location)

ASPHostPortal
170 W 56th Street, Suite 121
New York, NY 10019
United States

Tag cloud

Sign in