First, I am new to Web app programming. I come from Desktop apps (WinForms & WPF).
Recently I have been assigned a project that was made in the past by other people. This project is done in ASP.NET MVC and it uses the InProc session state mode.
Now, I want to set up web gardening, that is, use multiple worker processes for the application pool. I have googled and I have discovered that InProc session does not work with web gardening because each worker process within the app pool uses its own session state. So I am planning to switch to another session state mode such as State Server or SQL Server.
Now I have a doubt. Apart from changing session state mode in Web.config:
<configuration>
  <system.web>
    <sessionState mode="InProc" timeout="25"></sessionState>
  </system.web>
</configuration>
... Do I need to do some extra work? For example, reprogramming the ASP.NET MVC app, changing configuration or some other things in order for it to work?
Below I share some interesting links:
Configuring Server and SQL Server State
HOW TO: Configure SQL Server to Store ASP.NET Session State
For web farms you should keep your session either in StateServer or SQL Server.
To do so you need to add the following configuration:
<connectionStrings>
  <add name="ConnectionString1"
       connectionString="Data Source=YourServer;Initial Catalog=SessionDatabase;Integrated Security=True"
       providerName="System.Data.SqlClient" />
</connectionStrings>
<!-- Change your <sessionState mode="InProc" timeout="25"></sessionState> to this.
     The provider registered under <providers> is only consulted when mode="Custom";
     mode="SQLServer" ignores customProvider and uses the built-in store with sqlConnectionString. -->
<sessionState mode="Custom" customProvider="DefaultSessionProvider">
  <providers>
    <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="ConnectionString1" />
  </providers>
</sessionState>
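The "extra work" the question asks about, as an added example that is not part of the original question or answer: in StateServer, SQLServer or a custom out-of-process mode, every non-primitive object placed in Session is round-tripped through BinaryFormatter on each request, so such types must be marked [Serializable]. The CartItem type and the SessionStateChecks helper are hypothetical; the helper lets a unit test flag session values that would fail after the mode is switched.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical session item. Without [Serializable] this type works in InProc mode
// but throws on the first request once session state moves out of process.
[Serializable]
public class CartItem
{
    public string Sku { get; set; }
    public int Quantity { get; set; }
}

public static class SessionStateChecks
{
    // Returns true when 'value' survives the serialize/deserialize round trip that
    // out-of-process session state performs on every request; false when it would
    // fail with a SerializationException (e.g. a type missing [Serializable], or
    // one holding a non-serializable field such as an open connection).
    public static bool CanBeStoredOutOfProcess(object value)
    {
        if (value == null) return true; // null entries are always storable
        try
        {
            var formatter = new BinaryFormatter();
            using (var ms = new MemoryStream())
            {
                formatter.Serialize(ms, value);
                ms.Position = 0;
                formatter.Deserialize(ms);
            }
            return true;
        }
        catch (SerializationException)
        {
            return false;
        }
    }
}
```

Run the check in a test over every type your controllers assign to Session (for example `SessionStateChecks.CanBeStoredOutOfProcess(new CartItem { Sku = "A1", Quantity = 2 })` returns true) before changing the mode in Web.config.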
I have an ASP.NET MVC application and I have set up impersonation as follows in the web.config.
<system.web>
  <compilation debug="true" targetFramework="4.6.1" />
  <httpRuntime targetFramework="4.6.1" />
  <authentication mode="Windows">
  </authentication>
  <identity impersonate="true" userName="BvhHisPharmaUser" password="12345"/>
  <httpModules>
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
  </httpModules>
</system.web>
As you can see, I have enabled Windows authentication mode.
Next you can see impersonate = true. And the userName (BvhHisPharmaUser) is a Windows user that I created as follows using the compmgmt.msc tool.
Now when I place a breakpoint in Index Home, I don't see the impersonated user in the identity in the immediate window.
What am I missing?
Even after I log in using the login screen, I do not see the impersonated user in the immediate window as follows.
I have removed the Windows authentication mode in the web.config completely and still observe exactly the same.
My objective is to run this IIS web app under the above shown Windows user (BvhHisPharmaUser) because this web app calls a WCF service which is configured to authorize this user.
So my questions are as follows.
Is impersonation the way for this, so that the web application can run under this user? Is there any other way, like app pool configuration?
Why is this impersonation not working? I have enabled it as shown in the web.config and still the identity of the thread principal does not change. What am I missing?
Kindly let me know if additional info is needed.
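As an added example, not from the original question: `<identity impersonate="true" userName="..."/>` changes the Windows token the request thread runs under, whereas `User` / `HttpContext.User` is populated by the authentication module, so the two are expected to differ and the immediate window shows the latter. The hypothetical controller below returns both so they can be compared side by side; outbound calls made on the request thread run under the ThreadWindowsIdentity value. Setting the application pool identity to the same account in IIS yields that token without keeping a password in web.config.

```csharp
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical diagnostic controller; not part of the application in the question.
public class IdentityDiagnosticsController : Controller
{
    public class IdentitySnapshot
    {
        // Changed by <identity impersonate="true" userName="..."/>: the Windows token
        // of the thread executing the request, e.g. "MACHINE\BvhHisPharmaUser".
        public string ThreadWindowsIdentity { get; set; }
        // Set by the authentication module (<authentication mode="Windows"/>), never
        // by impersonation: the caller's name, or "" for an anonymous request.
        public string RequestPrincipal { get; set; }
        public bool RequestIsAuthenticated { get; set; }
    }

    // Kept separate from the action so it can be unit-tested with a fake IPrincipal.
    public static IdentitySnapshot Capture(IPrincipal requestUser)
    {
        var identity = requestUser != null ? requestUser.Identity : null;
        return new IdentitySnapshot
        {
            ThreadWindowsIdentity = WindowsIdentity.GetCurrent().Name,
            RequestPrincipal = identity != null ? identity.Name : string.Empty,
            RequestIsAuthenticated = identity != null && identity.IsAuthenticated
        };
    }

    // GET /IdentityDiagnostics -- a development-only endpoint. It discloses account
    // names, so remove it or restrict it with [Authorize] before deploying.
    public ActionResult Index()
    {
        return Json(Capture(User), JsonRequestBehavior.AllowGet);
    }
}
```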
I have an MVC 4 web application into which I want to implement SqlRoleProvider and Windows Authentication.
After searching Google, I added the SqlRoleProvider tables to my database by running the aspnet_regsql command in the VS command prompt.
Then I added this to my web.config:
<authentication mode="Windows" />
<roleManager enabled="true">
  <providers>
    <clear />
    <add connectionStringName="PortalDbContext" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>
Now I need to know how I can manage roles. I mean, how do I create/edit/delete roles and assign/unassign users to/from roles?
Should I create these pages myself, or is there something already available, maybe via NuGet?
I usually just roll my own. And this has been years, not sure if it's supported anymore, but you can use the ASP.NET Web Site Administration Tool if you're on IIS. It's slow and clunky but, if I recall, gets the job done.
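A minimal "roll your own" role administration controller, as an added example that is not code from the question or the answer. It uses the System.Web.Security.Roles API, which the `<roleManager>` element in the question routes to SqlRoleProvider (AspNetSqlRoleProvider is the default provider name unless defaultProvider says otherwise). The controller, the "RoleAdmin" role and the view it redirects to are hypothetical.

```csharp
using System.Linq;
using System.Net;
using System.Web.Mvc;
using System.Web.Security;

// Only members of the hypothetical "RoleAdmin" role may reach any of these actions;
// every mutating action is POST-only and anti-forgery protected.
[Authorize(Roles = "RoleAdmin")]
public class RoleAdminController : Controller
{
    public ActionResult Index()
    {
        // Roles.* calls go to the default provider, here the SqlRoleProvider.
        return View(Roles.GetAllRoles().OrderBy(r => r).ToArray());
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(string roleName)
    {
        if (string.IsNullOrWhiteSpace(roleName))
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "Role name is required.");
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);
        return RedirectToAction("Index");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Delete(string roleName)
    {
        // throwOnPopulatedRole: true refuses to drop a role that still has members,
        // so a mistyped name cannot silently strip access from everyone in it.
        Roles.DeleteRole(roleName, throwOnPopulatedRole: true);
        return RedirectToAction("Index");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Assign(string userName, string roleName)
    {
        // With Windows authentication, userName is the account as IIS presents it,
        // e.g. "DOMAIN\alice"; the SQL provider stores it as an opaque string.
        if (!Roles.IsUserInRole(userName, roleName))
            Roles.AddUserToRole(userName, roleName);
        return RedirectToAction("Index");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Unassign(string userName, string roleName)
    {
        if (Roles.IsUserInRole(userName, roleName))
            Roles.RemoveUserFromRole(userName, roleName);
        return RedirectToAction("Index");
    }
}
```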
I have implemented my own custom Role manager object. When I run my web app using the Visual Studio version of IIS, it works fine. I can see the username and I can drill into my Role Manager class and see what it's doing. When I debug the app using IIS 7, HttpContext.Current.User.Identity.Name is blank and it does not use my Role Manager class when determining what roles my user has. I've checked that all my DLLs are in the bin directory.
I'm guessing that the problem is on IIS 7. What do I need to configure on IIS 7 to make this work and to make it use my Role manager?
Here is a snippet of the web.config that sets the role manager.
<membership>
  <providers>
    <clear />
  </providers>
</membership>
<roleManager defaultProvider="HyperionRoleProvider" enabled="true">
  <providers>
    <clear />
    <add name="HyperionRoleProvider" type="Census.BUD.Common.HyperionRoleProvider" applicationName="/" />
  </providers>
</roleManager>
From:
http://learn.iis.net/page.aspx/528/how-to-use-the-sample-read-only-xml-membership-and-role-providers-with-iis-70/
"These samples are excellent for use with IIS 7.0 for demonstration or test Web sites, but they don't work as-written with IIS 7.0 because of the way that IIS 7.0's security is designed. The original instructions allowed you to deploy the sample membership/role providers into the App_Code folder of your Web site, but IIS 7.0 requires that providers are registered in the Global Assembly Cache (GAC) before they can be deployed. With that in mind, the following steps will walk you through compiling and deploying the read-only XML providers on a development system."
Make sure your assembly is in the GAC
On the first run of my MVC "hello world", I get a couple of buttons: home, about and log on. If I create a user account on the log on, where is the data stored? Is it secure enough to just leave it as is when the time comes to develop my application, or should this be going to a database (if it isn't already)?
Thanks for your time.
ASP.NET MVC and WebForms share many of the same components, including membership storage, authentication and authorization. These components are used on thousands of public sites around the internet.
Membership
The default ASP.NET MVC template uses the same SqlMembershipProvider as WebForms to store membership information. If you look in the web.config file you'll see the configuration section under the <membership/> element; it'll look like this:
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
         enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>
It references the connection string named ApplicationServices which you'll find defined at the top of the config file:
<connectionStrings>
  <add name="ApplicationServices"
       connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
       providerName="System.Data.SqlClient" />
</connectionStrings>
This mounts the aspnetdb.mdf file found in your application's App_Data directory using a locally installed instance of Microsoft SQL Server Express.
You can easily upsize this to full SQL Server by copying the MDF file to your SQL Server, mounting it, and updating the connection string.
Authentication
Authentication is again handled by the same FormsAuthentication class used for WebForms; it is also configured in the web.config file:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Authorization
The default template also has configuration entries for SqlRoleProvider and WindowsTokenRoleProvider, which can be used to store and retrieve roles for your users from the database or Active Directory respectively. Role managers are configured in the <roleManager/> element.
<roleManager enabled="false">
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
  </providers>
</roleManager>
Roles are disabled by default; you can enable support for roles by changing the enabled attribute of the roleManager element from false to true.
Once you have roles configured, you can use ASP.NET authorization elements to control access to resources on your site. You can also use Authorize attributes on your controllers and/or actions for more fine-grained access control. You don't have to use roles for authorization, usernames work just fine, but doing so will make management of authorization much easier.
Security
All of these modules are written using industry-accepted security best practices. Authentication is handled by IIS, which can use Digest or Windows Integrated auth, both secure methods; because of browser support, anything you wrote yourself would be restricted to these methods as well.
The passwords are stored hashed in the database with a salt, making brute-force attacks with methods such as rainbow tables much more difficult. The providers also support password complexity and expiration out of the box.
The authentication tokens are securely encrypted with a machine specific key and signed with a MAC to ensure that they haven't been tampered with, only then are they stored in a client-side cookie.
Testability
Even though the security is quite standard, one thing that MVC proponents emphasize, which these components don't make simple, is testing. This issue, however, can be worked around fairly simply with some strategically placed interfaces, a couple of facade classes, and some dependency injection (which is supported by default in MVC3 now).
Yes, it's stored in a database. The database is in the App_Code folder under the name ASPNETDB.MDF. You can configure it in your web.config file.
Is it secure? Well, IMHO, it is. But I really don't like this approach, I prefer to design my own authentication service and have full control over it. If you're going to stick with this method, you should read more about ASP.NET Membership Provider with Forms Authentication.
I'm taking the answer to the next logical step: OK, so I know it is in ASPNETDB.MDF, so how can I browse the table?
(at least it was my next logical question)
Here is a good link: http://learningsqlserver.wordpress.com/2011/02/13/how-can-i-open-mdf-and-ldf-files-in-sql-server-attach-tutorial-troublshooting/
Essentially:
Run SQL Server Management Studio (menu shortcut under "Microsoft SQL Server ####")
Connect Object Explorer to your SQLEXPRESS server
Right-click on Databases and choose Attach...
Browse to your MDF file
If you create a default ASP.NET MVC 3 app and look in the web.config, you'll see:
<add name="ApplicationServices"
     connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
     providerName="System.Data.SqlClient" />
And
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
         enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>
This appears to attempt to connect to a local SQL Server Express instance and load aspnetdb.mdf from the app data folder. The membership.providers key then references System.Web.Security.SqlMembershipProvider, and references the ApplicationServices connection.
The database is created automatically by ASP.NET. This feature uses the ASP.NET built-in membership feature. You should look at it first: http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
Also look at the Models folder; you will see the account model there. And look at the Controllers folder; there you will find AccountController. Review the code and you will figure it out.