I just started working in Sitecore. I am developing a web application in ASP.NET MVC 5.0 to create / edit some content in Sitecore. I am looking for the best way to authenticate in the web application (MVC) using existing Sitecore users. The user management part will stay with Sitecore; I just need authentication (login) in the web application against Sitecore users. Can I use the Identity concept of ASP.NET for the same?
Sitecore uses Membership providers.
Normally you create a new domain for web users, so not the same as for CMS users.
See this:
http://fes-sitecore.blogspot.nl/2015/02/using-membership-with-sitecore.html
And the Documentation from Sitecore:
https://sdn.sitecore.net/upload/sitecore6/sc61keywords/membership_providers_a4.pdf
I have done this in the last few weeks.
What you will need to do first is create a role in Sitecore that your Extranet (site users) will get logged in against. Create a user and assign them to this role.
You will need to go to the security editor (I think) and select the 'everyone' role. Allow everything and inheritance from the top of the tree (green cross on the content item).
For the item you wish to lock, put a red cross against the inheritance.
Then select your created role and put a green cross in inheritance against the item you wish to allow this role to see.
From Sitecore: The idea is to allow everything for everyone and break inheritance to secure it by adding a red cross to inheritance.
From the website: The idea is that everyone (site users) doesn't have access to the page and will get redirected. People in your new role will go to the page.
Next, take a look at the post above, but in your site settings you need to configure the location of your login page.
After these steps you should be able to navigate to the page and get redirected to your login page (make sure you are not in the content editor; incognito mode in Google Chrome).
So finally you can use the Sitecore.Authentication namespace, and there are methods on there to authenticate and check if a user is in a role, etc.
Take a look at https://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
Hope this helps. Any questions, just ask. It's hard to explain in text :)
Aki,
You can leverage the Sitecore authentication, which is very useful; I have been using this in all my projects, from Sitecore 6.5 to 7.5.
You just have to explore a few APIs of Sitecore membership; there you will get:
How to create roles.
How to set users in roles.
How to provide proper security or limited access to a particular role.
How to set custom data for users also.
Make sure you are not using the sitecore domain for web users; use the extranet domain. The sitecore domain is only for users who are supposed to log in to the Sitecore dashboard.
Hope this will help you.
Cheers!!
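The login flow the two answers above describe, as an added example (not code from any of the posters or from Sitecore): an MVC action that authenticates visitors against Sitecore users in the extranet domain and then checks the role. It assumes the application runs inside the Sitecore site, that a `Login` view exists, and that `extranet\Members`, `LoginModel` and `ExtranetAccountController` are hypothetical names; the API used lives in `Sitecore.Security.Authentication`.

```csharp
using System.Web.Mvc;
using Sitecore.Security.Authentication;

public class LoginModel                       // hypothetical view model
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class ExtranetAccountController : Controller   // hypothetical name
{
    private const string WebDomain = "extranet";            // domain for web users
    private const string MemberRole = @"extranet\Members";  // assumed role name

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (model == null || string.IsNullOrWhiteSpace(model.UserName)
            || string.IsNullOrEmpty(model.Password))
            return Fail();

        // Refuse names that already carry a domain prefix, so the public form
        // can never be used to try sitecore\ (CMS) accounts.
        if (model.UserName.Contains("\\"))
            return Fail();
        string fullName = WebDomain + "\\" + model.UserName.Trim();

        // persistent: false issues a session cookie only.
        if (!AuthenticationManager.Login(fullName, model.Password, false))
            return Fail();

        // Authenticated is not authorised: require the role as well.
        if (!AuthenticationManager.GetActiveUser().IsInRole(MemberRole))
        {
            AuthenticationManager.Logout();
            return Fail();
        }

        // Follow only local return URLs to avoid an open redirect.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect("/");
    }

    private ActionResult Fail()
    {
        // Same message for every failure, so the form does not reveal which part was wrong.
        ModelState.AddModelError("", "Invalid user name or password.");
        return View("Login");
    }
}
```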
Related
I am using Visual Studio 2015 Community Edition and created a Web project using MVC and Web API (both selected) with Individual User Account as authentication method.
I noticed that the scaffolded template varies in some ways: I now see an AccountBindingModels.cs file, and I do see the Account Controller class, but I see it references the /api path rather than the usual /Account, and I do not see any Account Controller views.
So, if there are no account controller views how can I add supplemental profile information if there is no view to modify?
I also do not see the usual "Log In" link that was at the top of the page layout. I only see an API link at the top next to Home but it takes me to a Help area. If I attempt to go to /api/Account/Register I am asked if I want to save or open Register.
I have invested quite some time on other modifications and now I notice this so it would be very unproductive to start again from scratch.
Basically I want to be able to use both webapi and MVC to perform authenticated requests. I don't see how users can login on the MVC site or even request protected views because there seems to be no login form on the MVC5 website.
I had a similar issue. Got around it by choosing the MVC template and then checking the Web API check box in the "Add folders and core references for:" check box area.
So, MVC and Web API are checked. This gives me the account views and more scaffolding.
If I choose the Web API template, it defaults to both MVC and Web API checked. But does not give me the account views and ... Maybe that helps.
I had the same issue today and I was using the VS 2015 Enterprise. #jumoro was right, you have to add the MVC template (not the WebAPI one) and it will add all the account related views. At least it does that in the Enterprise edition.
Another solution is to download the NuGet Identity Sample, which will provide you with the necessary model, controller and views.
I am creating a showcase site for this client and he also needs an admin page to manage the content for this showcase site. Well, ok, not hard, I'll just use Devise to create a login for the admin area and I don't need a login for the showcase site. But he also needs an intranet area for service orders and such, so I'll need two different logins, one for the admin and one for the intranet. Do I need to separate this into two projects, or can I put the site, admin and intranet all in one project?
You can do it in a single app. You just need to differentiate the type of user so you know what they can/can't access. Maybe subclass your User model. Or use a gem like declarative_authorization for fine-grained control.
I must have missed this somewhere (or slept through the class)... the standard ASP security tool for managing users and roles seems to be absent when using the new simple security version. That is, the original is there and working, just points to traditional ASP security... NOT to the new "simple" system.
In my project I can log in, I can look at the webpages_ tables but can find no method of accessing them in my project... I would be happy to manage roles and get the USERID and maybe ROLEID so I could tie the user to other functions in my project.
I've looked through hundreds of posts and articles... normally I find I am missing some minor config entry or something but this time I am a little more stuck.
Advice is appreciated.
Thanks!
SimpleMembership does not work with the Web Site Administration Tool (WSAT). There is a good overview of SimpleMembership in this blog. Here is a quote from it.
WSAT is built to work with ASP.NET Membership, and is not compatible with Simple Membership. There are two main options there:
Use the WebSecurity and OAuthWebSecurity API to manage the users and roles.
Create a web admin using the above APIs.
Since SimpleMembership runs on top of your database, you can update your users as you would any other data - via EF or even in direct database edits (in development, of course)
I would also add that you can seed some of this information at application start-up, such as what roles are available, as shown in this article.
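Managing SimpleMembership roles through the API instead of WSAT, as an added example (not taken from the quoted blog or the linked article): it seeds roles at start-up, grants a role to an existing user, and reads the numeric user id the question asks about. The class name, the role names and the `DefaultConnection` / `UserProfile` table settings are assumptions and must match your own schema.

```csharp
using System;
using System.Linq;
using System.Web.Security;
using WebMatrix.WebData;

public static class SimpleMembershipSeed      // hypothetical class name
{
    // Assumed role names; keep the allowed set in one place.
    private static readonly string[] RequiredRoles = { "Administrator", "Editor" };

    // Call once from Application_Start.
    public static void Initialize()
    {
        // Assumed connection string, table and column names.
        if (!WebSecurity.Initialized)
            WebSecurity.InitializeDatabaseConnection(
                "DefaultConnection", "UserProfile", "UserId", "UserName",
                autoCreateTables: true);

        // Idempotent: create only the roles that are missing.
        foreach (var role in RequiredRoles.Where(r => !Roles.RoleExists(r)))
            Roles.CreateRole(role);
    }

    // Grants one of the known roles to an existing account.
    public static void GrantRole(string userName, string role)
    {
        if (!RequiredRoles.Contains(role))
            throw new ArgumentException("Unknown role.", "role");
        if (!WebSecurity.UserExists(userName))
            throw new ArgumentException("Unknown user.", "userName");
        if (!Roles.IsUserInRole(userName, role))
            Roles.AddUserToRole(userName, role);
    }

    // Returns the UserId column value for the account, or -1 if it does not exist.
    public static int GetUserId(string userName)
    {
        return WebSecurity.GetUserId(userName);
    }

    // Roles of the account, for tying a user to other functions in the project.
    public static string[] GetRoles(string userName)
    {
        return Roles.GetRolesForUser(userName);
    }
}
```

Expose `GrantRole` only through actions that are themselves restricted with `[Authorize(Roles = "Administrator")]`.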
I have been searching and haven't had any luck. I got a tutorial to use the loginview control in order to display or hide parts of the views to different user roles in my application. The thing is that the tutorial I've found is for ASP.NET, and I've been told by one of my colleagues that it is the same framework for ASP.NET MVC but the way to use it is different. Have you got any good tutorial to recommend?
EDIT: I've got all my application set up, and the login and the roles already configured (via asp.net membership provider). This is all already running. The thing is that if I have role a and role b, I want role a to be able to actually see the links to the actions it is authorized to work with, and not b, for example. If in the Index of my application I've got a link to "Edit" and only role a can access the action, then it will be displayed just for logged in users that belong to role a, and not to those who belong to role b.
Thank you,
Vikitor
Try this:
http://www.a2zdotnet.com/View.aspx?id=77
And remember to use the [Authorize] attribute on your controller actions to prevent users accessing sensitive views.
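The role-dependent "Edit" link from the question combined with the `[Authorize]` advice above, as an added example (not from the linked tutorial): a helper that renders a link only for users in a given role, next to the attribute that actually enforces access. `RoleLinkExtensions`, `ActionLinkForRoles` and `ArticlesController` are hypothetical names; role `a` is the one named in the question.

```csharp
using System.Linq;
using System.Web.Mvc;
using System.Web.Mvc.Html;

public static class RoleLinkExtensions        // hypothetical helper
{
    // Renders the link only when the current user is in one of the roles.
    // View usage: @Html.ActionLinkForRoles("Edit", "Edit", "Articles", new { id = item.Id }, "a")
    public static MvcHtmlString ActionLinkForRoles(
        this HtmlHelper html, string text, string action, string controller,
        object routeValues, params string[] roles)
    {
        var user = html.ViewContext.HttpContext.User;
        bool allowed = user != null
            && user.Identity.IsAuthenticated
            && roles.Any(user.IsInRole);

        return allowed
            ? html.ActionLink(text, action, controller, routeValues, null)
            : MvcHtmlString.Empty;
    }
}

public class ArticlesController : Controller  // hypothetical controller
{
    // Visible to everyone; the view decides which links to show.
    public ActionResult Index()
    {
        return View();
    }

    // Hiding the link is cosmetic. This attribute is what stops a user in
    // role b who types /Articles/Edit/5 directly into the address bar.
    [Authorize(Roles = "a")]
    public ActionResult Edit(int id)
    {
        return View();
    }
}
```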
I'm creating an ASP.NET MVC site and I need to implement login and membership functionality.
Is this something where I roll my own? I already have a members table in my database, should I create a username and password hash field and just check against it? What about keeping the user logged in with a cookie that expires?
Is this an instance when you would use ASP.NET's built in Membership service?
ASP.NET MVC neophyte seeks help.
When you create a new ASP.NET MVC site, it already has membership built in. The CodePlex project mentioned in the other reply is only needed in special cases, namely:
You are using an early beta of the MVC framework, which doesn't have the membership feature.
You want to use an authentication system like OpenID, which isn't supported "out-of-the-box" with MVC.
You want membership administration features not included "out-of-the-box"
However, like I said, basic membership functionality is already present in an MVC site. Just add the [Authorize] attribute to any action requiring login. This is regular forms authentication, so you configure it in Web.config like a non-MVC site (specifying the database, etc.; there's lots of information on the web about this).
A default MVC site will contain an "Account" controller and views which you can customize to fit your needs.
To answer the obvious question, no, you should not "roll your own." Even if you need custom authentication, it would be better to create a regular ASP.NET membership provider than to create an entirely new membership framework.
Update: The CodePlex project was updated to work with MVC 1.0
If you want to use something safe to start off with, either use the new project's template membership or consider using http://www.codeplex.com/MvcMembership.