ASP.NET MVC 3 User Authentication - asp.net-mvc

What are some of the common methods to do simple user validation (account login)?
Also, can you have different authentication schemes per area?
Edit
I am creating an eCommerce site that will need to have protected actions per user. So how would one go about doing this? It will need to be able to let only authenticated users access their information.

You have several options when it comes to doing authentication in MVC:
The built-in MVC Forms Authentication (Tutorial available here and here)
Using Forms Authentication with Cookies in MVC3 (Link here)
Using Windows Authentication (Learn more here...)
Mixed Mode Authentication (Using Windows / Forms Authentication together.)
The built-in Forms Authentication can allow you to limit access to different areas of your application based on Role, User among other things, and it is quite easy to implement using the [Authorize] attribute.
The following would require the user be logged in:
    [Authorize]
    public ActionResult YourActionNameGoesHere()
    {
        return View();
    }
Likewise, the following would require the user be logged in AND be an Administrator:
    [Authorize(Roles="Administrator")]
    public ActionResult YourActionNameGoesHere()
    {
        return View();
    }
Those were just a few methods of accomplishing it; as you can see, there are MANY different methods of accomplishing this. I hope this might have shed a bit of light in helping you decide.

According to the security expert on the MVC team:
    "The only supported way of securing your MVC application is to have a base class with an [Authorize] attribute, and then to have each controller type subclass that base type. Any other way will open a security hole."
http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
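The base-class approach quoted above, written out as an added example (not code from the answers or the linked post): every controller inherits a protected base, so a new controller is denied by default, and only an explicitly marked action is public. It targets MVC 3, where no AllowAnonymous attribute exists yet; in MVC 4+ drop the custom AllowAnonymousAttribute and use the framework's own.

```csharp
using System;
using System.Web.Mvc;

// MVC 3 has no built-in opt-out marker, so this example defines one.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AllowAnonymousAttribute : Attribute { }

// AuthorizeAttribute that skips the check only when the action or its controller
// is explicitly marked [AllowAnonymous]; everything else stays fail-closed.
public class SecureAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        bool optedOut =
            filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
            || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (optedOut) return;

        // Denies (401, which forms auth turns into a login redirect) unless the
        // user is authenticated and matches any Users/Roles given on the attribute.
        base.OnAuthorization(filterContext);
    }
}

// The single base type every controller in the application derives from.
[SecureAuthorize]
public abstract class SecureController : Controller { }

// Example controller for the eCommerce site in the question (names are illustrative).
public class OrdersController : SecureController
{
    // Inherits [SecureAuthorize]: only logged-in users reach their own orders.
    public ActionResult Index() { return View(); }

    // Controller-level and action-level attributes both run, so this additionally
    // requires the Administrator role.
    [SecureAuthorize(Roles = "Administrator")]
    public ActionResult Refund(int orderId) { return View(); }

    // Explicit opt-out: the public catalogue needs no login.
    [AllowAnonymous]
    public ActionResult Catalog() { return View(); }
}
```

A controller that forgets to derive from SecureController is the hole the quote warns about; a unit test that reflects over all Controller subclasses and asserts the base type closes it.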

Please go to your model folder when you create an internet application with VS 2010. You will see a .cs file there. That file holds a sample structure for user authentication.
Remember that ASP.NET MVC is not a separate framework. It sits on top of ASP.NET, so you can use the System.Web.Security.Membership class on MVC as well.
Also, check your Account folder inside your view folder. You will see some view samples there.
Hope this helps.

Related

Kentico 9 - separate MVC application - authentication

What is the recommended approach to using Kentico user roles and authentication/authorization using Kentico 9, MVC stand alone application?
Is it possible to use the Kentico role attributes for controller methods?
What part of the API is used to authenticate and check authentication in this scenario?
It looks to me like this is not yet possible, and I am about to roll my own solution.
It's not officially supported (yet). You can see the list of supported and unsupported features (for the new Kentico 9 MVC) here.
Of course you can still use Kentico API (Membership library) to make your own auth logic which fits your needs.
Not sure if it will work (I don't know how much MVC supports the old providers), but you may try to use the same membership and role provider configuration in your web.config as for the admin application.
Kentico 10 will provide validated membership features through a brand new identity provider.
Try this:
    [Authorize(Roles="somerole")]
    public ActionResult Index()
    {
        return View(viewModel);
    }
This works perfectly in my tests... I'm using forms authentication.

Disable ADFS Authentication for Areas

We have an MVC application which uses ADFS as its authentication method. All is working as should.
We are now beginning to add in 'areas' into the application to separate certain parts out.
One of these areas needs to allow complete anonymous access.
Is there a way to disable ADFS for a particular area within an MVC application?
We have tried overriding the web.config within the area; however, no such luck.
Have you tried using the [AllowAnonymous] attribute on controller methods in that area?

MVC - Using Windows Authentication and inject Roles without doing it per request

The "dream" is to use WindowsAuthentication for an intranet site. However, we need to hit a 3rd party service to determine if the user has "permission" to use the site, thus "Roles". I have seen many examples that show how to add roles to the identity but they are all on "per request" basis. I don't want to do that. I would like for the user to hit the site once, I determine if the user has the permission, and add the role to the identity. The identity (with the role) sticks around for the session. I also don't want to have to cache users and their permissions. Is this doable or am I missing something?
Thanks.
The solution is to write your own authentication and put caching in the middle. It is really easy to do, as I have two methods of doing it.
Pre ASP.NET MVC 5
http://tech.pro/tutorial/1216/implementing-custom-authentication-for-aspnet
ASP.NET MVC 5+ OWIN
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
My posts describe the basics of writing your own authentication, but it is pretty easy to integrate a third party service once you understand the basics. Hope that helps :)
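One way to put "caching in the middle" as the answer suggests, written as an added example (not the code from the linked posts): Windows authentication supplies the identity, a hypothetical IPermissionService stands in for the third-party service and is asked once per session, and the returned roles are attached to the principal so the usual role checks work on every later request. Assumes session state is enabled and the filter is registered globally.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical stand-in for the third-party permission service the question describes.
public interface IPermissionService
{
    string[] GetRoles(string windowsAccountName);   // roles for DOMAIN\user; may be empty
}

// Register once in Global.asax: GlobalFilters.Filters.Add(new SessionRoleAuthorizeAttribute());
// Global filters run before action-level [Authorize(Roles=...)], so roles are in place in time.
public class SessionRoleAuthorizeAttribute : AuthorizeAttribute
{
    private const string RolesKey = "__cachedRoles";

    // Assumption: assigned in Application_Start before the first request arrives.
    public static IPermissionService PermissionService { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IIdentity identity = httpContext.User == null ? null : httpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return false;   // Windows authentication did not happen; the base class issues the 401

        // Consult the external service once per session; later requests read the cached array.
        string[] roles = httpContext.Session[RolesKey] as string[];
        if (roles == null)
        {
            roles = PermissionService.GetRoles(identity.Name) ?? new string[0];
            httpContext.Session[RolesKey] = roles;
        }

        // Re-wrap the Windows identity so User.IsInRole and [Authorize(Roles=...)] see the injected roles.
        httpContext.User = new GenericPrincipal(identity, roles);

        // Apply the normal user/role evaluation against the re-wrapped principal.
        return base.AuthorizeCore(httpContext);
    }
}

// Controllers then rely on the injected roles as usual.
public class ReportsController : Controller
{
    [Authorize(Roles = "SiteUser")]
    public ActionResult Index() { return View(); }
}
```

Because the roles live in server-side session state, a permission revoked at the third party is not seen until the session ends; keep the session timeout short enough for that to be acceptable.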

how to protect controller actions in MVC 2 DotNetOpenAuth multiple providers scenario

I am trying to develop an MVC site that implements DotNetOpenAuth. I have a user table, provider table and a user to provider table. I am storing the returned auth string.
I am using forms auth cookies for user authentication. I am wondering, and this could be a very simple question for someone... how to protect certain controller actions for authenticated users only. Is it as simple as isAuthenticated? Is there some action decorator or something? I am just starting with this so thanks for any help.
All you need is to decorate your controllers with the [Authorize] attribute.
http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
There is a good article on the topic. It is not straightforward, since [Authorize] applies to Membership Provider code and DotNetOpenAuth applies to OAuth technology, which is external to Membership.
The basic idea is that the two need to be merged first, as explained by ...
http://www.west-wind.com/weblog/posts/899303.aspx

Using both Forms and AD authentication?

My ASP.NET MVC site requires forms-based authentication for some resources (downloads, discussion forum, etc). This works great with the [Authorize] attribute.
However, I need my admin site (~/Areas/Admin/*) to authenticate against active directory.
With regular ASP.NET or classic ASP, I would just go into the IIS config and change the directory security to deny anonymous users. However, I can't figure out a way to do that with an area.
I know putting the [authorize] attribute on the controllers in my admin area would require a login, but it'll use the same forms-based authorization as the public areas of the site. Right now that authenticates users against a database (not using the ASP.NET Membership system as it's overkill for my app). I need users to authenticate against the domain, but ONLY in the Admin area.
Ideas?
You will need to write your own custom Domain authorize attribute and add this to the admin controllers.
Have a look at the answer here: asp.net mvc Adding to the AUTHORIZE attribute
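A custom Domain authorize attribute of the kind the answer describes, as an added example (not the linked answer's code): the admin area accepts only a forms ticket whose UserData carries a marker written by a login action that validated the credentials against Active Directory, so an ordinary database login cannot reach admin controllers. Assumes System.DirectoryServices.AccountManagement is referenced; "yourdomain.local" and the route paths are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Admin controllers get [DomainAuthorize]; public controllers keep the plain [Authorize].
public class DomainAuthorizeAttribute : AuthorizeAttribute
{
    // Marker written into the ticket's UserData only by the domain login below.
    public const string DomainMarker = "ad:";
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;   // no forms ticket at all, or wrong role
        HttpCookie cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return ticket != null && !ticket.Expired
                && ticket.UserData.StartsWith(DomainMarker, StringComparison.Ordinal);
        }
        catch (Exception) { return false; }   // tampered or foreign cookie: treat as not admin
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Send the user to the domain login page rather than the public forms login.
        filterContext.Result = new RedirectResult("~/Admin/Account/Login?returnUrl="
            + HttpUtility.UrlEncode(filterContext.HttpContext.Request.RawUrl));
    }
}

public class AccountController : Controller   // lives in the Admin area
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // Check the credentials against the domain, not the site's user database.
        using (var ctx = new PrincipalContext(ContextType.Domain, "yourdomain.local"))
            if (!ctx.ValidateCredentials(username, password)) return View();

        var ticket = new FormsAuthenticationTicket(1, username, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, DomainAuthorizeAttribute.DomainMarker + username);
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true });
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "~/Admin");
    }
}
```

The admin login reuses the site's forms cookie name, so a domain login replaces any public-site ticket; the public [Authorize] still accepts the admin ticket, while the reverse is blocked by the marker check.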
