I have three entites: Users, Roles and Permissions.
There two controllers: UserController and RolePermissionController. All controller wrapped by Nhibernate Session.
When I create fill Role Permissions, User doesn't exist. So I storage my new Permission object in the ASP.MVC session. I wants to save new Role with permission when I`ll create User in the UserController.
But when I filled new Role with exist Permission (I got then from DB by Nhibernate) and went to the User Controller New object Role created, without call Session.SaveOrUpdate or any other methods.
I tried to use Evict after fill my new role with exist permissions:
Microsoft.Practices.ServiceLocation.ServiceLocator.Current.GetInstance<ISession>().Evict(newRole);
But it didn't help.
So I want to say to Nhibernate - don't save entity on this transaction (RolePermissionController) - and save as connected to User object entities in the UserController.
This doesn't answer your question directly, but it still might be a solution - how about collecting all the information through a ViewModel, so that you end up with a single controller action that takes the information from the ViewModel, creates the Role and the User at the same time (i.e. during the same request), and no need for messy session stuff.
Maybe not the answer you were looking for, but I've done something similar this way, and it works just fine.
Related
I'm incorporating version spring-security-core:2.0-RC5 into an application - having successfully used the s2-quickstart approach. I'm trying to write some admin functionality to be able to create, edit and remove users within the application.
When I try and delete a user instance, in my user controller, I get an error as the associated SecUserSecRole instances, which define the specific roles the user have to be removed prior to deleting the user instance.
So I get the list of SecUserSecRole instances, within the user controller, and try to delete them using the command:
secUserSecRoleInsance.delete
But I get the error:
No such property: delete for class: vidplay.SecUserSecRole
I could create a controller for SecUserSecRole but them I remembered that when creating users in the Bootstrap file and adding associated roles in order to create instances for SecUserSecRole I used the command:
SecUserSecRole.create user1, userRole, true
So presumably the spring security plugin has all these SecUserSecRole actions to be used.
Is this correct or do I need to create a specific SecUserSecRole.delete action in my application or what else shoukd I do?
BTW Note that the beginning of the Bootstrap I've added the line
def springSecurityService
I've also put this in my user controller.
Hope someone can advise.
-mike
delete is a method, not a property. delete() will do what you want.
I am just starting MVC and I would like to know the best practice to pass sensitive information like IDs across views ...
Let's assume that I have a scenario.
I have a car service managing MVC application which allow users to choose product for their registered car.
The user have to register their car first before they choose a product for their service.
In register view, they fill out the car detail and it redirects to purchase product page when they click the submit button. At the time when they click the submit button, we store car details with user ID (which I can get from Identity) and generate unique car ID from the database. I want to pass this newly created car ID to next view.
In purchase product page, they can choose different product A or B and when they choose, it redirects to checkout page.
What I want to achieve now is then in checkout page, how securely we can carry the car ID that user get after they have registered their car and product ID from previous product view so I can process transaction with userID, carID, and productID.
Is Session way to go with this ? Or any other better way to tackle this problem .?
Someone with small example will be great help for me.
Thanks,
In your example given I would certainly recommend storing the ID in a session. The web is a stateless beast, and what you're essentially after doing is recording state for the duration of the user's visit to the website/application - this is essentially what sessions are designed to do.
Creating, storing and retrieving data from a session is simple and can be done like so:
Setting a variable in the session object
[HttpPost]
public ActionResult Login(int carId)
{
...
Session["carId"] = carId;
...
}
Retrieving a variable from the Session object
public ActionResult Load()
{
...
int carId = Session["carId"];
...
}
Whilst this is a basic example, it gives you an idea as to how to store/retrieve simple types of data from a session.
For storing more information such as large objects you can use the [Serialize] class attribute outlined in my answer in this post.
Actually i am new learner for MVC4, my boss want to change the old asp.net webform to MVC4.
that i have some problems.
one is for each view is that need to create seperate model?
for example, in login page, users just put their name and password and submit.
so in order to receive those name and password, need i create one model for that name and password, namely one auth class with two class member, name and pass.
Or is there any better way to transfer old one to MVC
What you're talking about is a View Model - a class that represents your view / form. Instance of this class will be passed as a parameter to your Login action and will contain username and password. You will usually name your view model class after the view, eg. LoginViewModel.
It is an accepted way to create MVC applications.
PreReq:
User logs in and is given roles got from the database using a custom implementation of userService. i.e.
authentication-provider user-service-ref="securityPolicyService"
The implemented method loadUserByUsername gets called and the roles are load for the user for the particular club they are logging into, Default one is loaded first time in.
The user then click on a different club from the UI and I call a method on a service that gets the new list of authorities for this club.
I then perform the following:
Object principle = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
SecureMember sm = (SecureMember) principle;
Authentication auth =
new UsernamePasswordAuthenticationToken(sm, null, newAuthories); <br><br>
SecurityContextHolder.getContext().setAuthentication(auth);<br>
request.getSession(false).invalidate();
SecureMember extends User from SpringFramework.
The problem is the SecureMember authorities are never updated with the new ones.
thanks
Gary
Spring Security won't store the security context if the HttpSession is null and was invalidated during the request, so if you set the context after invalidating the session (and don't create a new session), then it won't be stored.
You should see this log message if this is the case (and you have debug logging enabled).
Either create a new session or don't invalidate the original one.
How would one go about performing controller actions from withing an ASP.net MVC user control?
My scenario is that I have a userID and I want to transform it into a name from the database. To do this I've annotated my model with a display type and put a User template in the shared display templates but I'm not sure where I should write the code which does the lookup to convert from userID to user name.
I think that code ought to go into your models and you should be calling it in your controller and passing it to your user-control in a viewdata. This is if I understood your question.
I would just have the model expose the name and not the userID. This way your view (user control) is only displaying the name and not trying to do a DB lookup. Your "User Control" model would be responsible for how it gets the name, i.e. the DB from your question.
In short, you don't do that.
You should be passing the necessary data to the MVC user control from the View, which in turn should be getting it's information from the controller.
The view (or user control) should not have any knowledge of the controller. You may want to use RenderAction instead of a user control if you feel that the view shouldn't be responsible for passing the necessary information into the user control.