Implementing windows authentication in MVC using Active Directory (AD) - asp.net-mvc

I have following requirement for my application :
Application Security will be controlled with Windows integrated
security. The Active Directory (AD) Domain must be stored in the application XML
configuration file.
Users will be able to View the Master File and Transaction
assignments with no security.
There will be one AD group for Adding / Changing / Deleting Master
File data.
There will be one AD group for assigning Master File data to
Transaction data.
A user could be in one, both or neither of the groups. The AD groups
will be stored in the application XML configuration file.
I understood the requirement but not sure how to implement it.
Specially the part 'A user could be in one, both or neither of the groups.'
Any thoughts or directions would be of great help.

i don't know all solutions, but hope this will try to help you
For Point1 :- for windows security use windows authentication and check the identity of the user, and make your database related to users stored in separate XML file and read the data(user information) from XML file.
For point2 :- Add the user AD which are going to access the system(on IIS machine)and create group for View/edit/assign permission set appropriate role as per your need, and use this group in while doing login
For point3-4: create separate login to access the file data and transcation data.

Related

QBWebConnector for multi-tenant DB

I want to use the QBWebConnector for an app that has multi-tenant DB. It means I need to know the tenant when my app receives data from QBWebConnector to populate the DB correctly.
I am using a PHP kit from consolibytes.
What are my options here?
I see that the functions which are called for building and receiving XML request have params like $user and $extra.
The $user is the user which is used by QBWebConnector to authenticate with the SOAP server.
So should I create multiple QWC files for each tenant as a user and use that to identify the tenant?
And what is this $extra in the param? Should I use that? If then how?
I also see we have callback options and hooks when we create QuickBooks_WebConnector_Server. I am not sure the use of them but can they be used in any way?
Thanks for taking the time to help me.
So should I create multiple QWC files for each tenant as a user and use that to identify the tenant?
Each tenant in your application should have their own username, and thus their own .QWC file.
If your application has multiple users per tenant, you do not need a .QWC file per user. You need a .QWC file per tenant.
And what is this $extra in the param? Should I use that?
The $extra param is for passing additional data to your callback functions. It has nothing to do with tenancy or authentication, so don't use it for that.
I also see we have callback options and hooks when we create QuickBooks_WebConnector_Server. I am not sure the use of them but can they be used in any way?
They can be used, but not for tenancy or authentication.

How to create a read-only user for NEO4J 2.2

Now I want to create a read-only user who can login the web browser and webadmin without the permission to modify the graph.
I know there is read-only mode , but this will get the instance read-only, not very convenient for my bussiness requirement.
My question is :
1,if there is a configuration to add a read-only user, how can I do this? I didn`t find this in documentation.
2,If there is not, I would like to create a customized configuration for this, and where should I find the file store user,passowrd or authorization token?
Could you give some suggestions? Any answer is appriciated!
The new user authorization feature doesn't provide roles or different access levels. At the moment it's "all or nothing". Upcoming versions of Neo4j will most likely have some role based concept aboard.
In the meantime you can implement SecurityRules on your own. SecurityRules are acting like servlet filter and allow vetoing the execution of a certain incoming http request.

XPages Social Business Toolkit

I am trying to implement XPagesSBT on localhost.
I have followed this article http://heidloff.net/home.nsf/dx/12152011034545AMNHECAP.htm and the SBT document by Niklas and was trying to implement dropbox oAuth.
I have also placed http://localhost/XPagesSBT.nsf/ and http://localhost/WebSecurityStore.nsf in root folder
but still i get this error
Error while executing JavaScript action expression
Script interpreter error, line=1, col=26: Error calling method 'isAuthenticated()' on java class 'com.ibm.xsp.extlib.sbt.services.client.endpoints.DropboxEndpoint'
No application is registered with id XPagesSBT and provider Dropbox
if(!#Endpoint("dropbox").isAuthenticated()) {#Endpoint("dropbox").authenticate(true);}
do i need to make any other configuration /setup to XPagesSBT db? or it wont work with Localhost?
I don't remember exactly anymore but reading my blog entry you linked it says you shouldn't use Anonymous:
"Additionally there are a couple of security related settings which are important to understand. First of all you need to assign access to the document with the application keys to the ID with which you signed the two NSFs. In the screenshot above I've entered both OpenNTF servers and my own user ID. When you use the web UI to do this these names are added to the document in an authors field and a readers field.
In the last step you need to configure the ACL of the security store. Anonymous must not have access to this database. All users who you want to be able to use the Social Enabler OAuth functionality need to have author access. This is so that their user keys can be stored in this database so that they only have to do the OAuth dance once. "
It should work on localhost. It looks like a configuration issue with SBT not being able to read the security tokens from the websecuritystore.nsf . Did you create the Dropbox Application Key with an admin id and sign the websecuritystore with the correct id?
Padraic

Sharepoint: authenticating users via forms authentication

My problem is the following(sharepoint Newbie) , i want to change the default zone from being a Windows Authenticated Zone to a Forms Authenticated Zone ,thereby forcing the site collection administrator to log in via forms authentication and not windows also the sharepoint users will be accesing the site internally my goal is to effectively replace windows authentication with forms authentication as my company does not have active directory installed.
So far i have created an ASP Application that adds the users to the database,the database was created via the .Net Framework Asp tool(Asp reg_sql),however when i change the default zone to the AspNetSqlMembershipProvider(Forms) and attempt to add my site collection administrator via the Central admistrator, i get the following error "No Exact Match found" as shown on the screenshot. My inkling is that somehow the people picker is failing to read the users from the database but reasearch on correcting that thus far has proved fruitless. I have made all the relevant changes on the these sites(Central admin site,My test site & Add Users site) config files.Changes are the following(Membeship Provider,Connection String,People Picker) i left out the role provider for now as it is optional.
Help on this would ge highly appreciated...
I've had a similar problem in the past. It seems that the People Picker is tuned for Active Directory, but sometimes needs help finding the FBA users.
In the People Picker, try putting the provider name in front of the username as if it were a domain. The format would look like the following: provider\username.

Setting up a private beta for a website

I'm trying to setup a "private beta" for a site that I'm working on. The site uses open id. I don't want anyone to even browse the pages if they aren't part of the beta. What's the best way to implement this? Any suggestions?
For example:
When the site goes live, users will go to http://www.mydomain.com which will not require them to log in.
For the beta I want to restrict access. Users that go to http://www.mydomain.com will be redirected to a login page. Anyone attempting to access ANY PART OF THE SITE who is not authenticated will be redirected back to the login page.
I could stick [Authorize] attributes all over my controller actions, but that seems stupid.
If you're using ASP.NET MVC, it comes with authentication/authorization out of the box. You should be able to use that to setup authentication on your site.
Alternatively you could setup app server settings - IIS lets you setup username/password on a specific site it's serving, regardless of what the actual application may do. If you have access to the app server this might be the best solution.
If you're using IIS6, you can setup authorization easily. Right-click on your site > Properties > Directory Security Tab > Authentication and Access Control > Edit, and enter a username/pwd of your choice. Done.
The real question is how are they being invited to the private beta?
You could setup a password which drops a cookie much like serverfault.com does.
OR
If you know who you are inviting: you could add them to the system before hand using the email/login information that you already know about them (assuming you are inviting them via email)
I have implemented a function in a web application a while ago where we go the possibility to block access to the full website unless the user was an administrator (which in our case meant that the user account was a member of a specific group in Active Directory).
It was based on two things. First, all pages in the web application inherited not directly from the Page class, but from a custom page class in our web application. Second, we had a value like this in the appSettings section of web.config file:
<add key="adminaccessonly" value="0" />
The custom page class would check that value when loading. If it was not 0 it would redirect to a page (that did not inherit the same custom page class, though) informing the user that "the site is not available right now". If the value was 0 the page would load as usual.
In that application we used this to be able to take the site "offline" when we deployed a new version, giving us some time to verify that all was good before we let in the users again.
Best way are invitation system (based on invitation code) or manually confirmation access after create profile in your system. imho
Or you could host the site on a private server, and set up a VPN to use it. Depending on your resources and needs this may be the easiest and most secure way to do what you want without modifying your codebase.
OR alternatively you could use Apache or IIS to force authentication on access to the website directory. Keeping the authentication info in .htaccess for a while.
Even though you use open id authentication, you may still need some form of authorization mechanism. The simplest form would be a user-roles system in your database that assigns different roles to users
In your case, just assign the private_beta role to your private beta invitees and ensure you your authorization mechanism that all users have private_beta privilege before they may continue.
If you don't want to provide authorization for the public site (where everyone can do everything, once authenticated), then, you may only need to do a quick-and-dirty post-processing (for private beta only) on your open_id authenticated users to check them off a short list (which you can store on a text file.

Resources