Pass-through login

Hello

Just trying this software out which is very nice. I would like to use this within an area which the user has already been authenticated - is it possible to:

a. Create a user entry in the FileVista database from a seperate application (optional)

b. Assuming that the suer has been created in the FileVista database and matches the information which we authenticated the user, can we parse this information to the FileVista application so it automatically logs them in?

Cheers.
Matt

Looking forward to the reply to your thread.

I have a similar question in the File Control section.

Perhaps a custom script can do manual 'post' to the FileVista login page?

Is this product support alive?!

We will add pass-through login feature in few days.
For example, you will be able to call a url like "FileVista\login.aspx?user=SomeUser&hash=e3kdl25owm"

This way FileVista will let the authenticated user login automatically without prompting for user name and login.
The Hash parameter makes sure that the login request is coming from a trusted source (a web page from your site) and is not altered.

So when this feature is ready, you can dynamically generate a link to "FileVista\login.aspx?user=CurrentUser&hash=e3kdl25owm"or create an aspx page (eg. EnterFileVista.aspx) which will redirect to “FileVista\login.aspx?user=CurrentUser&hash=e3kdl25owm"with current authenticated user name () and calculated hash as parameters in Page_Load. 

Let me know what you think about this solution.

Thanks would be a great feature, cheers.

Is there the opportunity for us to create users in the database directly and not through your interface?

Ta.

No, currently the API is not available for external calls but you can connect to the FileVista database and insert new users to the User table.

Cem

Any news or eta on the update to allow login via pass-through?

I looked at the database and i would assume that the password has been encrypted? Could you let me know the encryption type please...

Hi Matt,
Yes, we have implemented the pass-through feature but we have decided that using a cookie instead of a querystring will be better as this way FileVista can detect when the user logs out from the external application. I have sent you the updated files and I am waiting for your feedback on this new feature. 

For making use of this feature, first you need to edit App_Data\FileVista.config and add this line:

<add key="ApplicationKey" value="dsfd4ee3ytg3" />

This is the secret key used for hashing the information that is passed to FileVista. This way FileVista will verify that the automatic login request is coming from a trusted source and is not altered by 3rd parties. You should better set the value to a complex string.

Secondly, you will set a special cookie within the external application which can be ASP.NET, ASP or any other kind of script as long as it's on the same domain.

ASP.NET C# code:

Response.Cookies["FileVistaLoginCookie"]["user"] = userName;
Response.Cookies["FileVistaLoginCookie"]["hash"] = MD5Hash(userName + applicationKey);
Response.Cookies["FileVistaLoginCookie"].Path = "/";


ASP Code:

Response.Cookies("FileVistaLoginCookie")("user") = userName            
Response.Cookies("FileVistaLoginCookie")("hash") = MD5Hash(userName + applicationKey)
Response.Cookies("FileVistaLoginCookie").Path = "/"


Note that userName is the name of the user that the external application authenticated. MD5Hash is your function that returns MD5 hash of userName string plus applicationKey string which should be the same key as set in FileVista.config. If using ASP.NET, you can reference GleamTech.Utility.dll in your application and use our CryptoManager.Hash() function for this purpose, there are also ASP versions for MD5 hash on the net.
Be careful about setting the Path property of the cookie as it effects the accessibility. For instance, if your domain is www.mydomain.com, the value of "/" (root) will make the cookie available to all sub-urls like www.mydomain.com/Filevista/ or www.mydomain.com/SomeFolder/FileVista. Or you can limit the cookie just to the folder of FileVista like "/Filevista" or "SomeFolder/FileVista".

It's recommended that you include the above code for adding the cookie in your external application's login/authenticate module where you just authenticate the user and start his session. In the same way, you should include the below code for removing the cookie in your application's logout function:

ASP.NET C# code:
Response.Cookies["FileVistaLoginCookie"].Expires = DateTime.Now.AddDays(-1);

ASP Code:

Response.Cookies("FileVistaLoginCookie").Expires = Date() - 1


After you complete the above integration, you can include a link in your external application which simply targets to "FileVista/" or "FileVista/default.aspx". FileVista will detect the cookie set by your application and automatically log the user in without displaying the login page.


Regarding your other question, you can encrypt the passwords by referencing GleamTech.FileVista.dll and using FileVistaUser.CreateSalt() and FileVistaUser.CreateHash() functions:

            byte[] passwordSalt = FileVistaUser.CreateSalt();
            parameter = command.Parameters.Add("@Password", OleDbType.Binary, 16);
            parameter.Value = FileVistaUser.CreateHash(password + Convert.ToBase64String(passwordSalt));

            parameter = command.Parameters.Add("@PasswordSalt", OleDbType.Binary, 16);
            parameter.Value = passwordSalt;

FYI, in v3.2 which we have just released, we included the cookie-login feature. Note that there are some changes to my post above.

- The cookie name is changed from "FileVistaLoginCookie" to "FileVista.ExternalUser".
- ApplicationKey is automatically generated and added to FileVista.config by the configuration wizard.

Here is a correct sample code (ASP.NET C#) for v3.2:

//taken from App_Data/FileVista.config
string applicationKey = "48A5B4EF36615265C7997BA99F1743A17E1196713E613E14457B7658791FBE8C";
//FileVista user
string userName = "SomeUser";

//add the cookie
Response.Cookies["FileVista.ExternalUser"]["name"] = userName;
Response.Cookies["FileVista.ExternalUser"]["hash"] = CryptoManager.Hash(userName + applicationKey);
Response.Cookies["FileVista.ExternalUser"].Path = "/"; 

I've browsed around the forum, and I haven't found a solution to this problem.

I want to login to FileVista from a html form that is located on another server.  I can't use the AJAX method of logging into the server (posting to administration.asmx/LoginUser and then an XML response back) because of AJAX security restraints. I assuming AJAX is the default method to login, is there an alternative method (like a standard form login method). 

I do not want a complex solution like the pass-through solution you have implemented. I just want a non-ajax login form. Does such a thing already exist in the product? If so, which page, and what variables do I pass to it?

Ok, I have noted this and we will look into it.

I am having trouble uploading files when I do pass through login.  Non-passed logins are able to upload fine.
When I use the FileVista.ExternalUser cookie, I can see the correct folders and my permissions are working fine.  But, when I upload a file, it says:

The Progress bar Simulates a transfer of the file
"Upload Complete"
Esimated time left is 00:00
And there is a button that says "New Upload"

But, the file never actually uploads.

Please help!!

Does anyone have this working?  I have tried all of the examples and nothing works.

I am hashing the username + applicationkey with MD5 and setting the cookies in the same domain and then redirecting to the root of the filevista application.  All I get is the login screen.

If someone has this working please give me an example or some details about your setup.

Thanks

Urgent help is needed on the pass through login. Just like user bfrench, we have been able to create the cookie as explained on this thread but we keep getting the login screen.

Daniel.. you seem to at least have avoided the login screen.... can you please share with us the details? Did you do anything differently to what is stated above?

I guess you are using old version of the code:

Response.Cookies["FileVista.ExternalUser"]["user"]

This should be (for all versions after v3.2)

Response.Cookies["FileVista.ExternalUser"]["name"]

Please use the latest version of the code as in my last post:

//taken from App_Data/FileVista.config
string applicationKey = "48A5B4EF36615265C7997BA99F1743A17E1196713E613E14457B7658791FBE8C";
//FileVista user
string userName = "SomeUser";

//add the cookie
Response.Cookies["FileVista.ExternalUser"]["name"] = userName;
Response.Cookies["FileVista.ExternalUser"]["hash"] = CryptoManager.Hash(userName + applicationKey);
Response.Cookies["FileVista.ExternalUser"].Path = "/"; 

Hi Cem,

For testing, I created a ASP.NET page with the following code in the Page_Load event which sets the cookie and redirects me to http://localhost/filevista and logs me in without showing the login screen:

string userName = "user";
string applicationKey = "mykey";
HttpCookie myCookie = new HttpCookie("FileVista.ExternalUser");
myCookie["name"] = userName;
myCookie["hash"] = GleamTech.Util.CryptoManager.Hash(userName + applicationKey);
myCookie.Path = "/";
myCookie.Expires = DateTime.Now.AddMinutes(30);
Response.Cookies.Add(myCookie);
Response.Redirect("http://localhost/filevista");

There are two issues here. One, after I’m logged in I don’t see the log out button. Two, when the upload method is set to Flash the files are being uploaded but when I close the upload files dialog, I get this error in a loop untill I break the debugging:

“Microsoft JScript runtime error: '__flash__removeCallback' is undefined”

I tried adding cookie FileVista.RememberedUser but that did not solve any one. Changing the upload method to AJAX or Browser all seems to work fine though, no '__flash__removeCallback' errors but the log out button is still missing.

Also, creating the cookie with Perl CGI.pm, all the special characters in the value part get URL-encoded when sending the cookie with the HTTP header. This means that the ‘=’ becomes ‘%3D’ and ‘&’ becomes ‘%26’. The problem is that FileVista can’t process the value of the cookie properly anymore and you are not being logged in. Is there somewhere a switch in FileVista.config I can set to solve this?

Kind regards,

Hi Leandros,
Regarding the missing logout button, this is by design. As you are doing an external login, the logout button is hidden because it's considered you will do the logout externally, i.e by deleting the cookie manually. However you can override this behaviour. Please edit default.aspx and find this line:

<input type="hidden" name="canLogout" value="<%=InsertCanLogout%>" />

Change this line to

<input type="hidden" name="canLogout" value="1" />

Now, the logout button will be always displayed.

I suspect this Flash error seems to occur with IE9. I guess you are using FileVista 4.0. As a workaround, add the below line to default.aspx after <head runat="server">

<meta http-equiv="X-UA-Compatible" content="IE=8" />
 
Regarding the cookie encoding, FileVista uses ASP.NET cookie conventions. As you can see when you create the cookie with an ASP.NET page it works. If you are sure the problem is with the character encoding and not something else like wrong hash, you should investigate this with Perl (maybe you should set header "Set-Cookie" manually with the ASP.NET compatible format). Unfortunately FileVista is dependant on the ASP.NET implementation for cookie handling so there is no setting to change this behaviour.

Hi Cem,

By design seems logical, I didn't think of that. Changing the value to 1 worked, the logout button is visible again. 

I compared the two cookies, one created with Perl and the other with ASP.NET, and the hashes are exactly the same. The only difference is that in the value part of the Perl cookie the '-' and the '&' are URL-encoded. I'll let you know if I find anything that can make the Perl cookie work.

As for the Flash error, yes I'm using IE9 but I'm using FileVista 4.1. The error is resolved by adding the meta tag. The strange thing is though, when I do a normal login and the meta tag is not present, this Flash error doesn't occur. Any idea why that may be?

Yes, Flash error seems strange. As it happens only when you do external login, it may be related to the cookies. I will let you know if we find the exact cause. However the fix I recommended is safe to use.

Hello,

i have the same problem with the flash error. I use FileVista version 4.6...

adding the meta tag in the filevista default.aspx did not solve my problem.

does anybody have an idea?

Regards

Sorry for my double post.

This is the Error Message in the filevista event log:

An unhandled exception has occurred.

Exception information:
System.InvalidCastException: Unable to cast object of type 'System.Security.Principal.GenericPrincipal' to type 'GleamTech.FileVista.User'.
   at GleamTech.FileVista.ApplicationManager.c5ad5b11d246fae6b6f76c35e2956bbce(HttpContext cb13035873f180013b7025a364931d0f6)
   at GleamTech.FileVista.AuthenticationManager.LogoutUser(String username)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)