Okay, I know there have been some questions about this before, but I just want to know what the situation is now. If I am creating an ASP.NET MVC web app, should I use the built-in Membership Provider or roll my own?
I feel that the existing one is perhaps overkill, but then again, it has been tested to death and works very well. I don't like the millions of tables and sprocs it puts in the database, but should I just delete the stuff I don't need, or just not worry about it and use it anyway?
Whilst you say this is a possible duplicate, I think it's fair enough to seek clarification on the current situation and you do seem to have considered the possibilities.
I still tend to use the built-in membership provider for the reasons you've stated (it just works) and then add my own tables for things like OpenId, Facebook, etc, etc and tie them back to user ids in the aspnet_Users table.
Thus far I tend not to worry about the extraneous stuff it puts in the database.
I have been doing some research about how to do a custom ProfileProvider in .NET MVC.
It seems pretty complicated. Is there any other alternative?
And this is my major concern: why do people bother using a custom ProfileProvider? If they want extra information about a user, why don't they just make another table with a one-to-one relationship with aspnet_Users, with userId or userName as the foreign key?
Please clarify. I'm trying to implement user profile functionality, but I don't want to go down the wrong path.
Thanks
DG
(not too sure if this helps talk about custom profile providers.. unless I'm misunderstood...)
IMO, whatever you do .. avoid (the baked-in) ASP.NET Membership at any cost! It's sooooo over-engineered, you'll want to stab yourself in the eye with a blunt spoon :(
Trust me. Avoid it.
Why: Should I use the built-in membership provider for an ASP .NET MVC application?
So .. what can we do instead?
It's just so simple to roll your own Username/Password and leverage the built-in Forms Authentication. For myself, I'm not a fan of storing -any- passwords in my own database .. so I prefer to use Facebook, Twitter or OAuth as my mechanism for authentication .. which then means I finish up with a simple, basic, custom user class.
I also create my own custom IPrincipal and IIdentity because I want to store a bit more info in the cookie, which Forms Auth creates when a person has been authenticated. This then helps keep my code in my Controllers cleaner and way simpler.
For example, I store the userId of the authenticated person in an encrypted cookie (the default option is to only store a Name). I also store one or two more things .. but you get the idea. This way, I don't always have to hit the DB to retrieve any user data OR store this crap in a session.
With a roll your own, you can create extra meta data (birthday? mum's maiden name? social security number (joke) ) .. and have that extra profile data. Same table? extra table? who cares ... that's a decision to make way later (and EASY to solve). Get your model right, IMO :) Then once you've locked down your model, you now know what's required and what's optional .. and you can make some DB decisions then.
TLDR??
Avoid the built in ASP.NET Membership crap
Roll your own .. and keep it simple.
If you're feeling advanced, also roll your own IPrincipal and IIdentity to really rock your world.
GL HF and don't stab yourself with a blunt spoon, in your eye!
I'm building a website using MVC3, EF, and Razor and I currently have the front-end of the site mostly working. It's a "store" of sorts with products, users, etc and in the front end you can browse for products, see ratings by users, and purchase the products.
Now, I am thinking about the back-end and from what I have so far, it seems like the back-end will be redundant in a lot of ways. I would like to have an entire back-end area to manage all the products, users, sales, etc (preferably /Admin/Controller/Action), but if I want a page in the back-end that lists all of the products, this is going to be identical (at least from the controller standpoint) to the front-end controller that lists all of the products.
My question is, what are some good ways to go about this? Am I completely wrong so far, or am I on the right track and just need some tweaking? I have also read about Areas, but have been unable to find any good documentation to use with MVC3. Should I duplicate functionality in the back end or is there a better way? Thanks for the help!
I believe you're going about this in a good way, but I think you're dead on when you were thinking about putting your Admin in an Area. I tried googling for something from Scott Gu for areas, but surprisingly couldn't find anything dedicated to it, but there is this MSDN article:
Organizing an Application using Areas
I know you're worried about having controllers with similar actions (and maybe similar models) with the admin as well as the frontend, but it's still probably optimal to separate the logic. Don't over-think or over-architect it, because at some point, you may have to modify the admin controller, but not the front-end controller. Models are typically the point that can be commonized between controllers.
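An added example (not code from the question or answer above) of the layout the answer recommends: an Admin area registered on its own route, a base controller that applies the role check to every admin page, and both ProductsControllers reading through one hypothetical IProductRepository so the listing logic is not duplicated. The namespace names (Store.Areas.Admin.Controllers, Store.Controllers), Product and IProductRepository are assumptions.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical shared model and repository; both the storefront and the admin area query through it,
// so the listing logic is written once even though each side keeps its own controller and views.
public class Product { public int Id { get; set; } public string Name { get; set; } public decimal Price { get; set; } }
public interface IProductRepository { IEnumerable<Product> All(); }

namespace Store.Areas.Admin
{
    // Picked up by AreaRegistration.RegisterAllAreas() in Application_Start: gives /Admin/{controller}/{action}.
    public class AdminAreaRegistration : AreaRegistration
    {
        public override string AreaName { get { return "Admin"; } }

        public override void RegisterArea(AreaRegistrationContext context)
        {
            // The namespaces argument matters once both sides have a ProductsController: without it
            // MVC can pick the wrong one or report an ambiguous controller name. Give the default
            // route in Global.asax its own namespace list (e.g. "Store.Controllers") for the same reason.
            context.MapRoute(
                "Admin_default",
                "Admin/{controller}/{action}/{id}",
                new { controller = "Dashboard", action = "Index", id = UrlParameter.Optional },
                new[] { "Store.Areas.Admin.Controllers" });
        }
    }
}

namespace Store.Areas.Admin.Controllers
{
    // Every admin controller inherits the role check, so a new admin page cannot be left open by accident.
    [Authorize(Roles = "Admin")]
    public abstract class AdminControllerBase : Controller { }

    public class ProductsController : AdminControllerBase
    {
        private readonly IProductRepository _products;
        public ProductsController(IProductRepository products) { _products = products; } // assumes a DependencyResolver
        public ActionResult Index() { return View(_products.All()); }
    }
}

namespace Store.Controllers
{
    // Storefront controller: same data source, no role restriction, its own views.
    public class ProductsController : Controller
    {
        private readonly IProductRepository _products;
        public ProductsController(IProductRepository products) { _products = products; }
        public ActionResult Index() { return View(_products.All()); }
    }
}
```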
For my ASP.NET MVC app, I just find dealing with unique-identifiers harder, so I have added my own field to ASPNET_USERS table - UserIdInt (which is actually a bigint!) So most of user operations use userIdInt as reference.
Anyway, I am debating between two approaches:
1) When a user logs in, look up from the database and store the userIdInt in a session variable, and any time the session variable slips away, re-look it up and put it back in the session variable. (It's okay to use sessions in an MVC app, right?)
2) Any time an operation needs to be performed, simply pass userName to the database and take care of UserIdInt at the database side by doing joins and such on the ASPNET_Users table any time an operation from the user needs to be performed.
I am heavily leaning towards 1)... but I want to make sure I am on the right track.
I asked this question on Serverfault first, but I was told to ask this question here.
progtick,
You may be far better looking into the use of custom profile providers as this would allow you to leave the aspnet_* tables as is (which is a good idea in case a later version of SQL Server changes how they operate) plus offer the additional benefit of having a multitude of additional profile related properties available to your application. I can't overstate enough the benefits in going down this track as I've found it very useful to have such an approach in both my standard asp.net apps as well as my mvc ones.
You can get a feel for what's involved in this by looking through a couple of these links:
Here's one on SO for starters:
Implementing Profile Provider in ASP.NET MVC
and one from my old mate, Lee Dumond:
http://leedumond.com/blog/asp-net-profiles-in-web-application-projects/
Hope this helps
An alternative approach is to alter the forms authentication ticket to add your unique id to the data stored in the cookie. Then, by implementing a custom IPrincipal you can have your unique id available anywhere that the User object is available.
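The approach this answer describes, and the custom IPrincipal/IIdentity with the userId in the encrypted Forms Auth cookie from the earlier answer, as one added example (not code from either answerer). AppIdentity, AppPrincipal and AppAuth are assumed names; the ticket's UserData field carries the integer id, FormsAuthentication.Encrypt signs and encrypts it with the machineKey, and a cookie that fails to decrypt is simply treated as anonymous.

```csharp
using System;
using System.Globalization;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Hypothetical identity that carries the integer user id from the ticket's UserData field.
public class AppIdentity : IIdentity
{
    public AppIdentity(string name, long userIdInt) { Name = name; UserIdInt = userIdInt; }
    public string Name { get; private set; }
    public long UserIdInt { get; private set; }
    public string AuthenticationType { get { return "Forms"; } }
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(Name); } }
}
public class AppPrincipal : IPrincipal
{
    public AppPrincipal(AppIdentity identity) { AppIdentity = identity; }
    public AppIdentity AppIdentity { get; private set; }
    public IIdentity Identity { get { return AppIdentity; } }
    public bool IsInRole(string role) { return false; } // roles are out of scope for this example
}
public static class AppAuth
{
    // Called after the password/OAuth check succeeds. Encrypt signs and encrypts the whole ticket
    // with the machineKey, so the client cannot alter the id it carries.
    public static HttpCookie CreateTicketCookie(string userName, long userIdInt, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, userIdInt.ToString(CultureInfo.InvariantCulture));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                      // keep script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;
        return cookie;
    }
    // Call from Application_PostAuthenticateRequest in Global.asax. Afterwards User in any controller
    // is an AppPrincipal, so the id is available without a DB hit or a session.
    public static void AttachPrincipal(HttpContext context)
    {
        var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }               // tampered or foreign cookie: treat as anonymous
        long userIdInt;
        if (ticket == null || ticket.Expired ||
            !long.TryParse(ticket.UserData, NumberStyles.None, CultureInfo.InvariantCulture, out userIdInt)) return;
        context.User = new AppPrincipal(new AppIdentity(ticket.Name, userIdInt));
    }
}
```

In a controller the id is then `((AppPrincipal)User).AppIdentity.UserIdInt`; the cookie itself is never trusted until Decrypt has verified it.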
I have a requirement to track what authenticated users change with regards to the data when logged in. I don't need to track what pages they look at although that could be very useful in future.
I have thought about saving the User Guid but that seems very clunky. I do need to do simple stuff like old value and new value. I am using the Entity Framework is there support for that in there with stored procedures in SQL Server?
Are there other methods/best practises?
This isn't really an ASP.NET MVC question. You can implement auditing in your EF layer. Here's a quick sample I just found.
I've found that the trick with auditing is understanding why you need to have the support. Oftentimes a user will say they want auditing, but really they just want to know a last edit date/user. You should know if they need undo capability, security audits, etc. Is this for regulatory compliance or for a DBA to fix user errors? Oftentimes it's simpler to delete and re-enter data than to manually edit a DB. Also, how would rolling back data affect other reporting concerns? If you've changed data and rerun a report it will not match the original. If this is an issue you need to store the original results or have an event sourcing model. Not fun.
The second difficult thing about auditing is figuring out how to display the data. Sometimes SQL queries are acceptable, other times users want a full history in the UI. My suggestion is to review the business needs of your case and research appropriate implementations.
Also, if you need to audit relationship changes in a database there is no simple solution. Good luck!
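An added example (not the sample the answer links to) of auditing in the EF layer as the answer suggests: a DbContext whose SaveChanges override walks the change tracker and writes one row per changed property with the old value, new value and the logged-in user's name, in the same SaveChanges as the edit itself. StoreContext, AuditEntry, IEntity and Product are assumed names; the using for EntityState is the EF 4.x one.

```csharp
using System;
using System.Collections.Generic;
using System.Data;                  // EntityState lives here in EF 4.x (System.Data.Entity in EF6)
using System.Data.Entity;
using System.Linq;
using System.Threading;
// Hypothetical entity marker so the audit row can record which record changed.
public interface IEntity { int Id { get; } }
public class Product : IEntity { public int Id { get; set; } public string Name { get; set; } public decimal Price { get; set; } }
// One row per changed property: who, when, which entity/record, old and new value.
public class AuditEntry
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public DateTime ChangedAtUtc { get; set; }
    public string EntityName { get; set; }
    public int EntityId { get; set; }
    public string PropertyName { get; set; }
    public string OldValue { get; set; }
    public string NewValue { get; set; }
}
public class StoreContext : DbContext
{
    public DbSet<Product> Products { get; set; }
    public DbSet<AuditEntry> AuditEntries { get; set; }
    public override int SaveChanges()
    {
        // Forms auth sets Thread.CurrentPrincipal for the request, so the data layer needs no System.Web reference.
        var principal = Thread.CurrentPrincipal;
        var user = principal != null && principal.Identity.IsAuthenticated ? principal.Identity.Name : "anonymous";
        var now = DateTime.UtcNow;
        var audits = new List<AuditEntry>();
        // Entries() runs DetectChanges, so OriginalValues/CurrentValues reflect the pending update.
        foreach (var entry in ChangeTracker.Entries<IEntity>().Where(e => e.State == EntityState.Modified))
        {
            foreach (var name in entry.CurrentValues.PropertyNames)
            {
                object oldValue = entry.OriginalValues[name], newValue = entry.CurrentValues[name];
                if (Equals(oldValue, newValue)) continue;       // only record real changes
                audits.Add(new AuditEntry { UserName = user, ChangedAtUtc = now,
                    EntityName = entry.Entity.GetType().Name, EntityId = entry.Entity.Id, PropertyName = name,
                    OldValue = Convert.ToString(oldValue), NewValue = Convert.ToString(newValue) });
            }
        }
        // Collected first, added second: the audit rows and the edits they describe commit together.
        foreach (var audit in audits) AuditEntries.Add(audit);
        return base.SaveChanges();
    }
}
```

Inserts and deletes are not covered here; they would be handled the same way by checking EntityState.Added and EntityState.Deleted, where only CurrentValues or only OriginalValues is available.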
In my pet project I want to have a user system with the following requirements:
It needs to work with Db4o as a persistence model
I want to use DI (by means of Turbine) to deliver the needed dependencies to my user model
It needs to be easy to plug in to asp.net-mvc
It needs to be testable without much hassle
It needs to support anonymous users much like SO does
I want Authentication and Authorization separated (the first can live without the second)
It needs to be safe
I'm aware I'm putting a few technologies before functionalities here, but as it is a pet project and I want to learn some new stuff I think it is reasonable to include them as requirements.
Halfway in rolling my own I realized I am probably suffering some NIH syndrome.
As I don't really like how needlessly complex the existing user framework in asp.net is, it is actually mostly only all the more complicated stuff regarding security that's now giving me some doubts.
Would it be defendable to go on and roll my own? If not, how would you go about fulfilling all the above requirements with the existing IPrincipal based framework?
It sounds to me like what you want to do is roll your own Custom .NET Membership Provider.
It will allow you to use the built-in ASP.NET Authentication/Authorization attributes on your Controller Actions while giving you complete control over the implementation inside the provider (which will allow you to code it to meet the requirements stated above).
Direct from MSDN...
Implementing a Membership Provider
I think you recognize where the thin parts in your consideration are: namely in that you've included how to do what you're doing as motive in why you're doing it and the NIH (funny: I'd never seen that before) issue.
Putting those aside, your provider is something that you could potentially reuse and it may simplify some of your future efforts. It should also serve to familiarize you further with the issue. As long as you understand the ASP.NET framework so you can work with it too if you need to (and aren't specialized such that you don't know what you're doing if you're not using your tool) then I believe you've already crafted your defense.
As DOK mentioned, be cautious that you're not rolling your own here to avoid a larger task at hand in whatever your other functionality is. Don't let this be a distraction: it should be something your application really needs. If it's not, then I'd lean towards focusing on your software's core mission instead.
If you go ahead and create your own custom solution, you will have a better idea of how difficult it is and what features you want. This will help you to evaluate off-the-shelf solutions for future projects.
OTOH, spending time developing functionality that is already readily available means you won't be spending that time working on the major functionality of your project. Unless authentication and authorization are a major component of your project, you might consider investing your time, and expanding your knowledge, in another area.
I too am working on a pet project using ASP.net MVC and db4o and did the same thing, so you're at least not alone in going down that route :). One of the biggest reasons for me to start playing around with db4o as persistence layer is that especially authorization on field level (i.e. I'm allowed to see Person A's first name but not Person B's first name) is tough to achieve if you're forced into complex SQL statements and an anemic domain model.
Since I had complex authorization needs that needed to be persisted (and synchronized) in both db4o and Solr indexes I started working on rolling out my own, but only because I knew up front it was one of the key features of my pet project that I wanted 100% control over.
Now I might still use the .Net Membership provider for authentication but not (solely) for authorization of objects, and only after I POC'd my authorization needs using my own.