I am building an MVC4 application and need to use external authentication (Facebook, etc). I have that working fine. I see the SimpleMembershipProvider creates 2 separate tables to handle this: "webpages_Membership" and "webpages_OAuthMembership". I need to map other tables (foreign keys) to User ID. The problem is both tables have a user ID which are unrelated to each other.. I could ignore the foreign keys in the database if necessary (don't like that though), but the bigger question is this: in code, how would I determine whether a user is authorized externally or locally so that I know where to get his other info from? Specifically, I have a user profile table where I will map other attributes to.. having 2 different types of user, how does one go about this?
Right, I have learned more about MVC4 and SimpleMembershipProvider and I see now that the User ID on both tables is actually a foreign key to a parent table called UserProfile. So, User IDs will still be unique.. it's just the mappings are a little different to what I was accustomed to with the standard ASP.NET membership provider. Email address and whatever other properties are required can be easily applied to the UserProfile table.
Related
I've built a MVC WebApp using the ASP.NET 2.0 Core MVC template + Individual User Accounts (EF) and notice that the AspNetUsers table in the database created for my WebApp has a non-unique index for Email whereas the UserName index is unique. Further upon account creation UserName is set to the same value as Email, but the user is then allowed to change their Email using the account management page. I am struggling to understand the rationale here.
I would expect each AspNetUser record to relate to a different person. Therefore why not make Email unique? After all, the email confirmation process expects the address to be unique to the user. However, being non-unique means that user might change their email address to one shared by one or more other users e.g. admin#abc.com. Where is the value in such a use case? Indeed, this is behaviour I want to stop on my site.
Questions:
Would changing the AspNetUser Email index to unique have any consequences or otherwise break the framework?
Would allowing the user to change their UserName have any consequences or otherwise break anything? The primary key of AspNetUsers is Id and seems to used as the foreign key by the other identity tables created by the framework.
Can anyone recommend how to check from the account management page (client side) that a new UserName is unique?
I've found other questions on StackOverflow about this sort of thing, but they don't answer the above questions or explain the rationale
asp-net-username-to-email
asp-net-identity-use-email-instead-of-user-name
I am new to MVC and want to understand the authentication mechanism in MVC
I have these tables in SQL, Users table, Roles table and UserRoles table which maps user id column to role id column. Now as soon as I add an attribute Authorize(Roles = "Customer") I want the access to be given only to the users having customer priviliges. Now what is is that I have to do to create a link between these two. I am looking for a step by step explanation or a link which points me to do this exactly, as I found a number of articles googling out on this and was unable to find the matching one.
Thanks in advance.
If you take the out of the box MVC template, you don't need to do anything to enforce this behavior. A database will be created for you as soon as you launch your application with a number of tables (Users, roles, mapping between users and roles, ...). Check your web.config for the connection string.
The only thing for you to do is to populate the ROLES table and then match those entries with the Authorize attribute in code. So if you have a role named "Admin" in the database, you can protect your actions and controllers with following code:
[Authorize(Roles="Administrators")]
You could also take it further to limit access by users but I wouldn't consider that as a best practice. Next, create a user in the UI and then match this user to a role you specified in the DB. Login as this user and you'll notice you have access to the restricted action/controller.
For more information, he best articles are those from Microsoft themselves, like this one.
I am developing an Intranet application and have successfully integrated with Active Directory.
When we add a new customer I would like to assign a Customer Advisor from a dropdown list.
I am able to populate the dropdown list using the following
PrincipalContext pc = new PrincipalContext(ContextType.Domain, "DOMAIN", "dc=domain,dc=org");
GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, "customerAdvisors");
ViewBag.Guid = new SelectList(group.Members, "Guid", "DisplayName");
I would like to then store the Guid of the selected user along with the Customer data in the database.
However, I am unsure of how to setup foreign key constraints in my Model as the table I am joining to is within Active Directory.
Do I need to create a separate Employee table within my DB and sync the required fields or is there a simplified way of doing this?
I've never done this but some quick research makes it look possible.
You could just save the Guid for your adviser on your Customer. The AD Guid can go into the Guid data type. You should be able to query individual users by using this method:
UserPrincipal user =
UserPrincipal.FindByIdentity(pc, yourUsersGuidAsAString);
The down side is that every time you want your customer adviser's info (like their name or email address) you will have to do a separate query to AD. Harder to use ORM.
In my application I have a different use case, but I have also integrated my application with AD. The route that I took was to save this information in my own DB instead of hitting AD every time. In large part because my architecture makes it hard to get to AD in the same way you can. Also it's easier to use ORM (like entity framework in my case) to pull in the information that I want. The downside to this is then you need to ensure that the information you have in your database is reasonably up to date with what's in AD.
You will have to make the judgement on which approach makes the most sense for your architecture/use case.
Hope that helps.
I am creating a Grails website where users will have access to the resources they create. Till here everything is clear to me. I define ROLE_USER and lock down my controllers and actions using the Config.groovy file.
The issue I am facing is that I have requirement to support group of users such that some resources created by a user can be edited/updated/deleted by other users of the same group. How do I associate a user with a "group" in spring security, what is the design/library I should use here?
What you will need to do is to have your users' roles (the authorizations) come from the database. Once that is the case, you can then easily adjust the roles a user (or set of users) has and create/remove them on the fly. The docs have some pretty good info on how to get the roles to come from the database, so I won't go any more into that here.
Once the dynamic roles are in place, however, you still need to be able to connect roles to the objects that are created. There are essentially two ways you can go about doing this:
Access Control Lists
Custom logic
Depending on the granularity you need and the flexibility you want, one option may be more appealing than another.
Access Control Lists essentially allow you to have a permission mapping between each user and each entity instance. As you can imagine, it's a fair bit of overhead and can perform poorly if you have a large number of entities and users.
Putting together your own logic, on the other hand, is much more flexible because you can set up your own scheme to connect entity instances or entity classes to users and their roles.
I dont think that spring-security provides such functionality out of the box so you will have to do that manually.
For each domain class that you this kind of functionality, store the user name of current logged in user
def authenticateService
def user = authenticateService.principal()
entity.setUser(user?.getUsername())
Then in the update/delete method of the contoller you should check if the role of the current logged in user matches
the role of the user that created the entity. If you have a match you should proceed with the update/delete otherwise throw an exception
/redirect the user to an error page
As role you can use the spring security roles or you can create a property on the user object you have created
In creating a new ASP.NET MVC application, I have an issue with the approach I'm using to store user-created data for temporary users who have yet to create an account which I then try to convert to a real user. That probably doesn't make much sense, so let me explain:
A visitor to the site can enter profile settings before being made to register with a username, password, etc.
I'm creating database entries via LINQ to SQL for a new user in this case, using the Request.AnonymousID value as a temporary username.
When the user chooses to register, I need to 'switch over' the relevant database records to use the newly entered username instead of the temporary one.
The problem is that when I try to update the record I can't because the username is the primary key, so I'm forced to delete the record and add a new one...
I can probably persevere with this, but I think I might just be going about this in completely the wrong way and wondered if anyone could suggest a better way to allow visitors to store information before they've registered and have that carry over when they do.
I know about profiles but want the profile information to be available to other visitors. I also know that I can create an anonymous profile but it seems like I should be able to keep the data model out of the web.config file.
I would suggest having an independent primary key for the table with your custom user data.
And then have fields like RefAnonymousId and RefUserId to relate that user data to the anonymous user and the registered user, respectively.
For example:
TABLE UserData
(
UserDataID int IDENTITY(1,1) PRIMARY KEY,
RefAnonymousId uniqueidentifier,
RefUserId uniqueidentifier,
... (data fields),
(maybe also unique keys on RefUserId and RefAnonymousId)
)
That way you will also be able to identify the user when the user is logged out and maybe automatically log the user in...