I'm trying to implement role-based authentication. In my AuthController I have retrieved the user's Windows username and checked it against the database users table to find their record. Now that I have found their role, I want to assign it to them so that they can access protected routes. What is the simplest way to achieve this?
Right now all I am doing in the AuthController is setting their auth cookie.
The best and correct way is to use ASP.NET MVC Identity Framework. It is designed to handle authentication and authorization of MVC apps. It supports role based auth. You can start from here.
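One concrete way to do what the question describes with the Identity/OWIN cookie stack, as an added example that is not from the original post. It assumes a hypothetical EF context `AppDbContext` with a `Users` set holding `WindowsName` and `Role` columns, and the OWIN cookie middleware registered in `Startup` with the application-cookie authentication type.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// Assumes an EF context (AppDbContext, hypothetical) with a Users set holding
// WindowsName and Role columns, and the OWIN cookie middleware registered in
// Startup with AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie.
public class AuthController : Controller
{
    private readonly AppDbContext _db = new AppDbContext();
    private IAuthenticationManager AuthManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    public ActionResult Login(string returnUrl)
    {
        // Windows authentication has already proven who the caller is; the
        // application only decides what that identity is allowed to do.
        string windowsName = User.Identity.Name;   // e.g. DOMAIN\alice
        var user = _db.Users.SingleOrDefault(u => u.WindowsName == windowsName);
        if (user == null)
        {
            // Known to the domain but not provisioned in the app: no cookie, no access.
            return new HttpStatusCodeResult(403);
        }

        // The role becomes a claim on the cookie identity. [Authorize(Roles = "...")]
        // calls User.IsInRole, which for a ClaimsPrincipal reads ClaimTypes.Role claims.
        var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()));
        identity.AddClaim(new Claim(ClaimTypes.Name, windowsName));
        identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
        AuthManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

        // Only follow local return URLs to avoid an open redirect.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

// Protected routes now need no custom checks:
[Authorize(Roles = "Admin")]
public class AdminController : Controller { public ActionResult Index() { return View(); } }
```

Because the role lives in the signed cookie, changing a user's role in the database only takes effect on their next sign-in unless the cookie is re-issued.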
We are starting a new ASP.NET Core web site and the customer would like to handle the authorization using the database. So they want to configure custom roles and the actions to be configured in the database.
I have been trying to find an example or something to help me implement this, but could not find one. Can this be achieved using the Authorize attribute from the framework, or does a custom filter need to be implemented?
EDIT:
I should probably mention that the application is an intranet, so Windows Authentication is used for authentication.
Short answer Yes.
Long answer...
This can all be achieved from the database. You can configure it up using existing methods with Identity, and from there create all the custom roles and even policies that you want to have and be able to assign, to each user individually or via roles. The Authorize attribute will work just fine with cookies. My only recommendation is that you try not to handle security yourself but let the framework handle this for you.
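An added example (not from the original answer) of the ASP.NET Core shape this takes with Windows Authentication: an `IClaimsTransformation` that loads the user's roles from the database on each request, so the stock `[Authorize]` attribute and policies work without a custom filter. `AppDbContext` and its `UserRoles` set (rows of `WindowsName`, `RoleName`) are hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical EF Core context with a UserRoles set of (WindowsName, RoleName) rows,
// maintained by the customer's own admin screens.
public class DbRoleClaimsTransformation : IClaimsTransformation
{
    private const string DbRolesIdentity = "DbRoles";
    private readonly AppDbContext _db;
    public DbRoleClaimsTransformation(AppDbContext db) { _db = db; }

    // Runs after Windows authentication on every request; the framework may
    // invoke it more than once per request, so the work must be idempotent.
    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identities.Any(i => i.AuthenticationType == DbRolesIdentity))
            return principal;
        string name = principal.Identity?.Name;        // DOMAIN\user from IIS
        if (string.IsNullOrEmpty(name))
            return principal;
        var roles = await _db.UserRoles.Where(r => r.WindowsName == name).Select(r => r.RoleName).ToListAsync();
        // Do not mutate the incoming principal; return a copy carrying the extra identity.
        var clone = principal.Clone();
        var dbIdentity = new ClaimsIdentity(DbRolesIdentity);
        foreach (var role in roles)
            dbIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
        clone.AddIdentity(dbIdentity);
        return clone;
    }
}

// In Startup.ConfigureServices: Windows auth from IIS, the transformation, and a
// policy whose membership is whatever the database currently says it is.
public static class AuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
        services.AddAuthorization(o =>
            o.AddPolicy("CanApprove", p => p.RequireRole("Approver", "Admin")));
    }
}
```

Controllers then use `[Authorize(Roles = "Admin")]` or `[Authorize(Policy = "CanApprove")]` as usual; because the roles are read per request rather than stored in a cookie, a change in the database applies immediately.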
I'm implementing ASP.NET Identity in my MVC5 project. I have configured my project to use cookie authentication, forms authentication and external authentication (Facebook and Google). Everything works fine.
Now I have a requirement to log whenever a user logs in to the system, and I need to do some further logic. For forms authentication and external authentication I have a controller action where I can add my logic. However, for the case where a user just comes back to the system via the cookie, how do I handle it?
I'm sure there's a better way to handle this, but a basic method would be to track all activity by the user, and then use timestamps to determine when a user was last active on your site.
Discussed here: Track user activity/actions for an asp.net mvc website?
OnExecuting filters here: https://msdn.microsoft.com/en-us/library/gg416513%28VS.98%29.aspx
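An added example (not from the original answer) of the filter approach for MVC5: a global action filter that logs the first authenticated request of a session that no login action produced, which is exactly the "came back on the cookie" case, and then keeps a throttled last-active timestamp. `ActivityLog.Record` is a hypothetical helper that writes one row to the database; session state is assumed enabled.

```csharp
using System;
using System.Web.Mvc;

// Assumes an ActivityLog helper (hypothetical) that writes one row per event,
// session state enabled, and the filter registered globally in FilterConfig:
//   filters.Add(new TrackActivityAttribute());
public class TrackActivityAttribute : ActionFilterAttribute
{
    private const string SessionKey = "ActivityTracked";
    private static readonly TimeSpan WriteInterval = TimeSpan.FromMinutes(5);

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (http.Session == null || http.User == null || !http.User.Identity.IsAuthenticated)
            return;
        string user = http.User.Identity.Name;
        string ip = http.Request.UserHostAddress;

        // No session marker yet, but already authenticated: no login action ran in
        // this session, so the user came back on the auth cookie. Log it once.
        if (http.Session[SessionKey] == null)
        {
            ActivityLog.Record(user, "ReturnedViaCookie", ip, DateTime.UtcNow);
            http.Session[SessionKey] = DateTime.UtcNow;
            return;
        }

        // From then on keep a "last active" timestamp, throttled so a busy page
        // does not produce one database write per request.
        var lastWrite = (DateTime)http.Session[SessionKey];
        if (DateTime.UtcNow - lastWrite >= WriteInterval)
        {
            ActivityLog.Record(user, "Active", ip, DateTime.UtcNow);
            http.Session[SessionKey] = DateTime.UtcNow;
        }
    }
}

// The forms and external login actions keep their own logging and, after a
// successful sign-in, set Session["ActivityTracked"] = DateTime.UtcNow so the
// filter does not also report that visit as a cookie return.
```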
I'm working on an MVC4 site using SimpleMembership to handle user accounts and role-based authentication. We have another site and we'd like to implement a single sign-on system allowing users from the existing site to log in to the one I am building. What would be the best way to achieve this and hopefully leverage the existing role-based authorization I'm using on the MVC4 site? Is it possible to have multiple membership providers (i.e. use the built-in one and, if the user is not found, attempt to authenticate via a custom provider that I'll write, once I work out how!)? Or would it be better to abandon the built-in membership/roles and roll my own?
I also thought of letting WebSecurity check the local database and, if the user is not found, query the second database and, if the user's credentials are valid, create a local account for them. One issue with this approach is that if a user called Fred registers on the MVC site, and then a user from the other site called Fred logs in, we couldn't create them a local account with the same username. We could prefix/suffix the username with some text to indicate that they are from the other site, but then we lose the single sign-on feature.
We will also want to integrate AD authentication for staff in the future.
So essentially I'm looking for the best way to authenticate users from multiple databases and keep using role-based authentication.
I've also done a little digging and was wondering if ADFS might be useful for this.
Any help or advice would be greatly appreciated!
I recommend the use of an identity server to handle all your login requests, and switching to claims-based authentication instead of role-based authentication if you can.
I personally went with Thinktecture IdentityServer.
Pluralsight.com has a good course on it.
Thinktecture IdentityServer is built on top of SimpleMembership and it supports multiple protocols such as:
WS-Federation
WS-Trust
OpenID Connect
OAuth2
ADFS Integration
Simple HTTP
I recommend checking it out.
Good Luck
I'm new to the ASP.NET world. Since I want to use the ORM it seems I would want an Entity to represent the User or Member or whatever, not some data tucked away by the forms authentication api. In fact I don't see how I can live without one.
How do people deal with this? Roll your own authentication? Or is there a best practice for incorporating forms authentication with the Entity Framework?
In short, since I need a User and Role Entity for queries anyway, should I skip the forms auth or find a way to use it?
Thanks
EF and Forms Auth are really two different areas. You can use Forms Auth without ASP.NET Membership very easily and roll your own provider with very little effort.
This tutorial will show you how:
http://msdn.microsoft.com/en-us/library/ms172766(VS.80).aspx
With ASP.NET MVC you should really use standard Auth since you can manage access to controllers using attributes for Roles very easily.
FormsAuthentication on its own does not care about the identity store and can validate only credentials stored in the web.config <credentials> section, through the Authenticate method. Standard implementations of the login page use the static Membership class to manage the identities and credentials in the MembershipProvider specified in the config file (usually SqlProfileProvider).
However, you don't have to use the membership provider functionality of ASP.NET to maintain your identities and you can still use FormsAuthentication just fine. The forms authentication control flow shows that forms authentication deals primarily with creating and maintaining the auth ticket for the user in a cookie. It does not deal with the user identity or profile itself, as it does not care about those.
Thus, you can safely use EF to maintain your user profiles, including credentials, and do authentication of the provided credentials in your login page, while still using FormsAuthentication.
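An added example (not from the original answer) of the split described above: EF holds the user entity and verifies the password, FormsAuthentication only issues the ticket, and a `PostAuthenticateRequest` handler attaches EF-backed roles so `[Authorize(Roles = "...")]` works with no membership or role provider. `AppDbContext`, `User` and `Role` are hypothetical entities.

```csharp
using System.Linq;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical EF model: User { UserName, PasswordSalt, PasswordHash, Roles }, Role { Name };
// web.config has <authentication mode="Forms"> and no membership or role provider.
public class AccountController : Controller
{
    private readonly AppDbContext _db = new AppDbContext();
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        var user = _db.Users.SingleOrDefault(u => u.UserName == userName);
        // One generic error for unknown user and wrong password alike, so the page does not reveal which accounts exist.
        if (user == null || !PasswordCheck.Verify(password, user.PasswordSalt, user.PasswordHash))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        // Forms authentication only issues the ticket; it never saw the password or the entity.
        FormsAuthentication.SetAuthCookie(user.UserName, false);
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}

public static class PasswordCheck
{
    private const int Iterations = 100000;   // PBKDF2 work factor; store it alongside the hash
    public static bool Verify(string password, byte[] salt, byte[] expected)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;                        // constant-time comparison
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }
}

// Global.asax.cs (Application_Start omitted): attach the EF-backed roles to the forms
// ticket so [Authorize(Roles = "...")] and User.IsInRole work without a RoleProvider.
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_PostAuthenticateRequest()
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;
        string[] roles;
        using (var db = new AppDbContext())
            roles = db.Users.Where(u => u.UserName == identity.Name).SelectMany(u => u.Roles).Select(r => r.Name).ToArray();
        Context.User = new System.Security.Principal.GenericPrincipal(identity, roles);
        System.Threading.Thread.CurrentPrincipal = Context.User;
    }
}
```

The role lookup runs on every authenticated request, so cache it if the users table is large; storing the roles in the ticket's `UserData` instead trades freshness for fewer queries.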
If I have an ASP.NET MVC application where users can only access it via an NTLM-authenticated account, do I need to use ASP.NET Membership services and issue cookies?
Or do I have completely the wrong end of this particular stick?
You never have to use the ASP.NET membership provider; it is just an option. If all you need to do is authenticate the user, NTLM works just fine by itself. If you need to use the user's identity for further authorization or personalization on the site, you need to use some sort of user management, but it doesn't have to be the membership provider; you can write your own.
It doesn't make any difference whether you are using MVC or Web Forms.