What is the recommended approach to using Kentico user roles and authentication/authorization using Kentico 9, MVC stand alone application?
Is it possible to use the Kentico role attributes for controller methods?
What part of the API is used to authenticate and check authentication in this scenario?
It looks to me like this is not yet possible, and I am about to roll my own solution.
It`s not officially supported (yet). You can see list of supported and unsupported features (for new Kentico9 MVC) here.
Of course you can still use Kentico API (Membership library) to make your own auth logic which fits your needs.
Not sure if it will work (I don't know how much MVC supports the old providers), but you may try to use the same membership and role provider configuration in your web.config as for the admin application.
Kentico 10 will provide validated membership features through a brand new identity provider.
Try this:
[Authorize(Roles="somerole")]
public ActionResult Index()
{
return View(viewModel);
}
This work perfect in my tests... I'm using forms authentication.
Related
Is there anyway, that you can lets say use OAuth in MVC and enable acces to a controller using Attributes like in validation process.
Lets say i have
public class myownController
{
[LoginRequired]
public ActionResult Index(){
//this can be accesed only of the user is logged in.
}
}
If you're using ASP.Net MVC 4 this should be built in using the default AuthorizeAttribute. If not I'd recommend manually integrating the standard Forms Authentication mechanisms with your chosen OAuth provider. Take a look at ASP.NET MVC Authentication - Customizing Authentication and Authorization The Right Way
Since you are using ASP.Net MVC 4, I'd highly recommend reading SimpleMembership, Membership Providers, Universal Providers and the new ASP.NET 4.5 Web Forms and ASP.NET MVC 4 templates. There are significant changes available in MVC 4 that make the entire Membership and OAuth really easy.
I am using MVC 4 and am using Forms authentication. I have heard that MVC has it's own implementation of authentication and authorization but am not sure what it is and how to use it. What is MVC's implementation called and is it easy to migrate from forms to use it instead?
The answer is. Sort of.
MVC (versions 1-3) used standard Membership databsaes and Forms Authentication. MVC 4 uses standard Forms Authentication as well, but uses a system called WebSecurity to access it's membership system. WebSecurity was created for the WebMatrix project and MVC 4 has adopted it's use in the default templates.
You can still use the standard Membership system if you want, however WebSecurity (and in particular SimpleMembership) allows greater customization of the data.
MVC also can be configured in several ways for authorization. You can use the older web.config method, or you can use AuthorizationFilters such as the [Authorize] attribute. This still uses FormsAuthentication, however under the covers, it's just a way to configure the use of it.
I have a requirement for project to build a ASP.NET MVC4 (razor engine) "Front-end" and a WCF service as "backend" (with a sql server 2012 database).
A requirement is to login, register etc. I want to put this logic in the backend, but in the front-end I would like to make use of the [AllowAnonymous] and the logic to authenticate a user with roles (for example use of formauthentication, webmatrix.WebSecurity, Membership provider?).
Is it possible to realize? Do I have to create a login and register (and roles etc.) features by myself? Or can I use a built-in features/libraries of the ASP.NET MVC or WCF? Or both?
Could you give some examples/suggestions/tutorials to realize this?
Thanks in advance
I think this should work for you:
http://msdn.microsoft.com/en-us/library/bb386582.aspx
Edit: To elaborate you can use custom logic for WCF authentication including calling the ASP.NET membership providers which should work fine with MVC and the security attributes you mentioned.
Or is the WCF service on another server and you want to call from your ASP.NET controller to your WCF service for authentication? This is a bit more complex, but you should be able to do it by implementing your own Membership provider.
Depending on the scenario you can reuse some or all of the login and register views that come with MVC.
Edit: In the second scenario here are some pointers that might help:
http://singlesignon.codeplex.com/ - Seems to be what you need, but I didn't check out the code.
Custom membership that uses web service for authentication - No code, but it confirms that it should work.
How do you now configure the membership, profile and role manager using the new MVC template with DotNetOpenAuth enabled? I don't see the configurations in the web.config so how do you now implement a custom profile provider?
With the new MVC4 template, it is very relevant. Instead of using a specified ProfileProvider:Profilebase, all authentication is handled by OAuth and Webmatrix.Security. Out of the box, it doesn't look like there is any support for extending Profilebase. Instead it looks like you will have to create your own table to hold any custom profile attributes. Take a look at this: http://www.asp.net/web-pages/tutorials/security/16-adding-security-and-membership.
See the solution for MVC 4 and built in oauth support/discussion:
See for plugging custom OAuth/OpenID providers.
MSDN has a detailed article explaining how to implement a profile provider. All that you would need to do differently is plug in DotNetOpenAuth.
Profile and role managers are independent of the mechanism used to authenticate the user and are therefore irrelevant to DotNetOpenAuth. Only the Membership provider would be impacted by your use of DotNetOpenAuth, and this question has been asked and answered.
What are some of the common methods to do simple user validation (account login)?
Also, can you have different authentication schemes per area?
Edit
I am creating an eCommerce site that will need to have protected actions per user. So how would one go about doing this? It will need to be able to let only authenticated users access their information.
You have several options when it comes to doing authentication in MVC:
The built-it MVC Forms Authentication (Tutorial available here and here)
Using Forms Authentication with Cookies in MVC3 (Link here)
Using Windows Authentication (Learn more here...)
Mixed Mode Authentication (Using Windows / Forms Authentication together.)
The built in Forms Authentication can allow you to limit access to different areas of your application based on Role, User among other things and it is quite easy to implement using the [Authorize] attribute.
The following would require the user be logged in:
[Authorize]
public ActionResult YourActionNameGoesHere()
{
}
Likewise, the following would require the user be logged in AND be an Administrator:
[Authorize(Roles="Administrator")]
public ActionResult YourActionNameGoesHere()
{
}
Those were just a few methods of accomplishing it, as you can see there are MANY different methods of accomplishing this - I hope this might have shed a bit of light in helping you decide.
According to the security expert on the MVC team
The only supported way of securing your MVC application is to have a
base class with an [Authorize] attribute, and then to have each
controller type subclass that base type. Any other way will open a
security hole.
http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
please go to your model folder when you create a internet application with VS 2010. you will see a cs file there. that file holds a sample structure for User Authentication
Remember that : ASP.NET MVC is not a separate framework. it sits on top of ASP.NET so you can use System.Web.Security.Membership class on MVC as well.
Also, check your Account folder inside your view folder. you will some view samples there.
hope this helps.