Restricting only few actions in zf2 using bjyauthorize - zend-framework2

Consider that in a controller we have 10 actions in that 8 actions can be accessed by anyone but remaining two actions should be accessed by particular user roles.
This I tried using by setting Guard\Controller, but using this 10 actions are accessible to all users or 2 restricted actions are able to access particular user roles still I'm not getting how to configure as per my requirement.

In Zend Framework there are Event Listener and ACL. You should create ACL for each action and after it catch ROUTE event. Here is the documatation of ACL.
In this URL is step by step tutorial:
Zend Framework 2 ACL setup in 5 minutes – tutorial

Related

.NET MVC 6 Simple Authentication without database

I've created a simple website in ASP.NET 5 MVC 6.
I have 1 controller with 1 index-method and view.
I need authentication on this with [Authorize]
I have a login-form on a view with an input taking a number. Users can log in if they can answer the right number to a calculation.. I need to check the answer in C#-code.
So basically i want a AuthenticationController with a Login(int answer) where i can check the result and redirect to the index-page. If they try to acces the index-page not logged in, they must be redirected to the login page :)
Possible in a simple way?
Read this Using Cookie Middleware without ASP.NET Core Identity

.net mvc authentication cookies & sessions

net mvc 5 application using entity frame work etc and am new to .net c# etc (used to php & sessions)
so i have read allot about using .nets authentication service and that is some how registers a user upon login using FormsAuthentication.SetAuthCookie.
however i need to authenticate a user group for example admin or moderator. and from what i understand this can be achieved and be set using [authenticate(roles="admin")].
but surely if this is using a set cookie a user if they knew how could just change their registered role from user to admin to access restricted content?
so in as simple terms as possible how does .net mvc ensure security in authenticating users? can i use sessions instead of cookies? do i need to create my own authentication system.?
i have searched and read all i can find and most resources just explain how cookies work or how to implement authentication using cookies but very little about sessions.
I'll try to be as concise as possible:
Yes, ASP.NET MVC 5 uses cookies out of the box (if you chose Individual User Accounts in the project wizard)
The authorization of a group or role by means of an [Authorize(Roles="bla")] attribute to decorate controllers and/or controller methods will do just that. It's as if you would be writing
if(!User.IsInRole("bla"))
{
return new HttpUnauthorizedResult();
}
else
{
//here's your ultra-secret View
return View();
}
What if a user changes role while in-session or if he or she has a persistent cookie?
Indeed, you'll need to handle the interval between role change and cookie update.
Read up on it here
Long story short: the design decision is yours whether you think it better to log off a user when re-assigning roles or to make db roundtrips at every authorization check.
Can you use a session variable like in PHP? Sure (the Session object exists), but you shouldn't.
If and when the situation arises where you absolutely NEED to pass some arbitrary data however, there's ViewBag, ViewData and TempData.
I won't go as far as to say, that these constructs are superfluous, they certainly have their use from time to time, but do try and design your application to maximize the use of strongly-typed models, viewmodels and make use of the REST-based url architecture to get or put your data.

Multiple login urls in Shiro

I am trying to configure apache shiro to authenticate our application based on apache click.
We have two different login urls for two types of users in the same application
1) For District users : districtlogin.jsp
2) For State Users : statelogin.jsp
How can i specify these 2 urls in the shiro.ini file
Now only one url is working at a time .
I used the below methods
shiro.loginUrl = /statelogin.jsp
shiro.loginUrl = /districtlogin.jsp
Thankyou
In my situation, I need 2 different login URLs because it will be accessed from 2 target, web client and a mobile client (via RESTful).
So I cannot apply the same login action at controller for both of them (because the input and output are absolutely different), but reuse the service methods from 2 actions.
Do we have any way to let Shiro knows that there are 2 available valid login URLs?

The same asp.net mvc page for LDAP authenticated and anonymous users

I have some intranet asp.net mvc3 app ,which is available for both LDAP authenticated and anonymous users.All of them are using IE. One of the views should be available for both of them, depending on status some columns should be hidden,etc.
I don't want anonymous users to receive popup authentication dialog,but can't see no way of solving problem.If I add Authorize() attribute ,it forces anonymous user to input user/password, if I remove this attribute everyone is treated as anonymous.
How can be this obstacle solved?
In your controller check to see if the user is authenticated and perform actions based off that conclusion.
if (User.Identity.IsAuthenticated){
//Handle Case
}

Authorization in a multi-homed environment

I have a system that is multi-homed, that is, our customers share a database. Using MVC Routing, I can pass the customer name as the first portion of the domain ({customer}.server.tld), and have it translated into a parameter to my controller actions.
Problems include:
Authorization: how can I do this transparently, so that developers making controller actions don't have to remember to do this, and someone not authorized will automatically receive a 403 if they are not authorized to view a particular customer?
Parameter passing: I don't want for every controller action to have a parameter called "customerId". The data has GUID primary keys, so customerId isn't required at the data access level.
What should I do here? I don't want a user changing the URL and getting access to all of our customers' data!
Have you considered using Windows Identity Foundation (WIF)?
May sound like an overkill, but it will allow you to not only separate AuthN from AuthZ, but also have code logic (in one spot!) where you can check each customer claim (maybe based on route data) and act accordingly...Check out some of these links:
Windows Identity Foundation Simplifies User Access for Developers
A Guide to Claims–based Identity and Access Control
WIF and MVC – How it works
ASP.NET MVC 2 and authentication using WIF (Windows Identity Foundation)

Resources