Umbraco AD integration for an intranet - umbraco

Im wanting to build an intranet that will use Domain (AD) authentication and let the user not have to login. So Ive been looking at the AD package here and digging into the details a bit, it seems you have to configure a user & password in the web.config. Then I seen this example, which is seems to simply be using the AD membership provider and isnt putting any hard-coded username and password in the config file. Are those two approaches even talking about the same thing?
I just need simple pass-through authentication based on the identity of the user passed in from the browser. The question also comes up as to under which context will requests be made when the user uploads a file, edits content etc. Will it be Network Service or the passed in identity?

Since you have specified umbraco 7 in your question, I think you are much better of pursuing the option in your second link.
The first link was written for Umbraco 4.11, and an awful lot has changed since then. Can't tell you if the second link will simply work out-of-the-box, but imo, you have a better chance of being successful.

Related

Implement AspNet Core Identity or Work account Authentication

This is not like other questions you might find similar. My issue is way bigger.
Scenario:
I have 3 websites. All of them have a common database for authentication and stuff.
Problem is that i will need to expand to 2 more sites, which means more maintenance in login screens and so on. So i will dedicate time to make a "central website" to manage users, access, etc.
Also, Need to implement OpenId for Microsoft Works accounts (ie, Azure tenants).
DDBB User Model: (Simplified)
All users are in the same central database. Which does not contains
anything non-user related.
User is personal on all applications.
Users can have different Roles
Each "User-Role" is mapped to an application, a server and a
database.
Problem:
Created a site in AspNet Core, without any authentication done so I can do it myself since I found that mapping Aspnet Identity tables was no-go because of incopatibilities and overriding is way to complicated, specially when dealing with Managers.
So, Tried and got working a simple Authentication page using HttpContext.Authentication.SignInAsync and CookieAuthentication. Which works well and there is no need to use any of the Identity's implementation (which is not compatible with my backend).
But then I added UseOpenIdConnectAuthentication to have the OpenId auth, but I have no idea how to use it since its suposed to work out of the box when using Identity and when checked documentation they use this code in an controller action: signInManager.ConfigureExternalAuthenticationProperties and I do not have any SignInManager since Im not using Aspnet Identity.
Questions:
Is coping the source of ConfigureExternalAuthenticationProperties to make it work in my site an aceptable solution?
Should I continue to override all SignInManager methods and also probably implement other classes to make Aspnet Identity work with my model?
Tried Mapping the properties to my columns just to test it out and it gave me non debuggable errors, which i dont like to even think about the problems this can give me in the future. For example one error was that it coudnt parse byte[] to string.
How can I implement Microsoft Work Accounts authentication and Database authentication in the same AspNet Site?
Bonus topic
Recently I feel like programming is becoming Configuring instead of coding. Is it just me? Are we now Professional Configurers?
Thanks

Implementing single-sign on in ASP.Net Webforms and MVC

I have an existing WebForms application and we're now creating a new MVC application. They both authenticate using our own custom provider, using the same database.
I can successfully log in in each application separately using the same credentials, but what I now want is to implement a single-sign on (ie: if the user is already logged in in app1, app2 would automatically detect the user's settings and identify him as being logged in).
I have done my homework and read the references here, here and here, amongst others.
So far I have done the following:
Set the same machineKey on both sites:
Set the same forms auth on both sites:
Despite all of this, I haven't managed to get SSO working. I have managed 'Single-sign off', whereby when the user signs off one site, he's signed off from the other.
Is there anything I'm missing?
I would like a configuration-only solution, that does not require me to do any coding.
I am answering my own question just for closure's sake.
The reason why my my SSO was not working is because the main, existing website has its own cookie and session manager, and does not play by the rules of Forms authentication. It calls
FormsAuthentication.SignOut();
Shortly after login has completed.
I tried the configurations mentioned above with 3 different websites, a mixture of MVC and WebForms, different pipelines (integrated vs classic), with our custom membership provider, and it all worked marvellously.
So the steps defined above should work as long as your application does not do funny things with forms authentication.

session share between different war modules possible in jboss?

Is there an easy way to share session between different war modules in jboss?
I have a Grails app running in jboss, but want to create a new Grails war module which looks & feels the same as the existing one (but, don't want user to login again). The domain will be same, for example, if I have war1 and war2, the domain should be
http://domain.com/war1 <-- login should be done here..
http://domain.com/war2
I searched through the web, but couldn't find an easy/or difficult way to do this.
Please help~.
No HTTP sessions are not shareable between servlets from different apps. What you really need is a Single Sign On solution. A poor man's SSO can be built with cookies but I wouldn't call it a very secure way. First session can set a cookie and the second session can read the same cookie - this will work as long as the domains are the same for both apps.
Good luck!

CouchApp user registration

I'm building a standalone couchdb application. These are called couchapps. The idea is that the database itself is served on port 80 and returns HTML and works as the actual website. This is a very powerful idea and I'm entirely amazed by this new concept of having your code live inside your database.
But I'm having some issues with user registration. The one built into couchdb allows for cookies to be set and makes it really easy to plug it into your website. But there's several quite important things missing that my app requires in order to say that it has a "proper" user registration system.
There's no signup verification. No email is sent, no captcha is displayed. This means that anyone could spam your _users database and create as many new users as they please.
If a user forgets their password there's no facility to help them recover it.
Any idea how I could overcome these issues without doing any hardcore Erlang development at a lower level (not an Erlang guy)? It would also be great if anybody knew if I could be using OAuth to authenticate against Twitter or GitHub accounts and have that integrate seemlessly with how couchdb data is handled (inside validate_doc_update functions).
Thank you
While the built in user database can work, I would not recommend it for the workflow you describe. Here are some other options:
Browser ID
I would really recommend using BrowserID. IrisCouch has provided a plugin to couchdb here:
https://github.com/iriscouch/browserid_couchdb
This will take care of the normal registration workflow.
If you want to take it a step further and have your users "Fairly Anonymous", you can follow the example of this couchapp called "Mingle"
https://github.com/thedod/Mingle
Twitter Integration
Max Ogden's "DataCouch" project has a log in via twitter, although it is using some Node external processors to make it work. See here:
https://github.com/maxogden/datacouch/blob/master/processors/auth/twitterauth.js
Facebook integration
https://github.com/ocastalabs/CouchDB-Facebook-Authentication
OpenID
https://github.com/mcaprari/couchdb-openid
I dont think you can use the oauth purely with Couch, as this post suggests:
http://bennolan.com/2011/01/11/couchdb-oath.html
so the closest you will get there is following what Datacouch has done.
Hope these suggestions help.

How to create roles and superuser in an ASP.NET MVC application in a secure way

This could be considered a duplicate question, as a similar one has already been asked, but I don't like any of the answers, and security was not addressed.
When deploying an ASP.NET MVC app, what's the right way to create roles and a superuser without risks?
Two ways come to my mind: using Application_Start or a custom action (better if with a non-obvious name and not linked).
Anyway, what about with first user's password?
I've seen tons of web apps that happily let the first person to access them to be the superuser; when you put such an app online, you can only pray to be the first to connect.
What is the most secure way to set password?
Hardcode it in the application?
Have it randomly generated and then mailed somewhere?
Have it randomly generated and then saved somewhere on filesystem?
Have it taken from a file on filesystem?
Something better that I couldn't figure out?
The best solution to this I have seen is to allow for the creation of a superuser via some installation bits then require the user delete or disable the installation bits for the application to run. Subtext works this way, as did Wordpress (at least the last time I installed it, which might have been back in the 90s).
I use the ASP.NET membership provider and a SQL database.
Upon deploy, I have a script I run that creates my users.
It does mean my site is not "ready for business" until I run the script but I am okay with that.
Kindness,
Dan
Assuming the admin of the application doesn't want to run upload a pre-configured database you could configure an installation password in your web.config which must be set before it is uploaded. Then in your installation pages prompt for this password and the admin credentials. Obviously your installation pages would check for a blank installation password and refuse to proceed.
You could then add an HTTP handler which checks if the application has gone through the installation procedure, refusing to serve any pages other than the ones related to installation until the install is complete.

Resources