I am trying to develop an MVC site that implements dotnotopenauth. I have a user table, provider table and a user to provider table. I am storing the returned auth string.
I am using forms auth cookies for user authentication. I am wonder, and this could be a very simple question for someone... how to protect certain controller actions for authenticated users only.. Is it as simple as isAuthenticated? Is their some action decorator or something. I am just starting with this so thanks for any help.
All you need is to decorate your controllers with the [Authorize] attribute.
http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
There is a good article on the topic. It is not straight-forward since [Authorize] applies to Membership Provider code and DotNetOpenAuth applies to OAuth technology, that is external to Membership.
The basic idea is that the two need to be merged first, as explained by ...
http://www.west-wind.com/weblog/posts/899303.aspx
Related
We are starting a new ASP.NET Core web site and the customer would like to handle the authorization using the database. So they want to configure custom roles and the actions to be configured in the database.
I have been trying to find an example or something to help me implement this, but could not find. Can this be achieved using the Authorize attribute from framework or a custom filter needs to be implemented?
EDIT:
I should probably mention that the application is an intranet so Windows Authentication is used for authentication
Short answer Yes.
Long answer...
This can all be achieved from the database you can configure up using existing methods with Identity, and from there create all the custom roles and even policies that you want to have and be able to assign, to each user individually or via roles.. Authorize attribute will work just fine with cookies. My only recommendation is that you try not handle security yourself but let the framework handle this for you.
I'm trying to implement role based authentication, in my AuthController I have retrieved the user's Windows username and checked it against the database users table to find their record, now that I have found their role I want to assign it to them so that they can access protected routes. What is the simplest way to achieve this?
Right now all I am doing in the AuthController is setting their auth cookie.
The best and correct way is to use ASP.NET MVC Identity Framework. It is designed to handle authentication and authorization of MVC apps. It supports role based auth. You can start from here.
The "dream" is to use WindowsAuthentication for an intranet site. However, we need to hit a 3rd party service to determine if the user has "permission" to use the site, thus "Roles". I have seen many examples that show how to add roles to the identity but they are all on "per request" basis. I don't want to do that. I would like for the user to hit the site once, I determine if the user has the permission, and add the role to the identity. The identity (with the role) sticks around for the session. I also don't want to have to cache users and their permissions. Is this doable or am I missing something?
Thanks.
The solution is to write your own Authentication and put caching in the middle. It is really easy to do as I have two methods of doing it.
Pre ASP.NET MVC 5
http://tech.pro/tutorial/1216/implementing-custom-authentication-for-aspnet
ASP.NET MVC 5+ OWIN
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
My posts describe the basics of writing your own authentication, but it is pretty easy to integrate a third party service once you understand the basics. Hope that helps :)
What are some of the common methods to do simple user validation (account login)?
Also, can you have different authentication schemes per area?
Edit
I am creating an eCommerce site that will need to have protected actions per user. So how would one go about doing this? It will need to be able to let only authenticated users access their information.
You have several options when it comes to doing authentication in MVC:
The built-it MVC Forms Authentication (Tutorial available here and here)
Using Forms Authentication with Cookies in MVC3 (Link here)
Using Windows Authentication (Learn more here...)
Mixed Mode Authentication (Using Windows / Forms Authentication together.)
The built in Forms Authentication can allow you to limit access to different areas of your application based on Role, User among other things and it is quite easy to implement using the [Authorize] attribute.
The following would require the user be logged in:
[Authorize]
public ActionResult YourActionNameGoesHere()
{
}
Likewise, the following would require the user be logged in AND be an Administrator:
[Authorize(Roles="Administrator")]
public ActionResult YourActionNameGoesHere()
{
}
Those were just a few methods of accomplishing it, as you can see there are MANY different methods of accomplishing this - I hope this might have shed a bit of light in helping you decide.
According to the security expert on the MVC team
The only supported way of securing your MVC application is to have a
base class with an [Authorize] attribute, and then to have each
controller type subclass that base type. Any other way will open a
security hole.
http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
please go to your model folder when you create a internet application with VS 2010. you will see a cs file there. that file holds a sample structure for User Authentication
Remember that : ASP.NET MVC is not a separate framework. it sits on top of ASP.NET so you can use System.Web.Security.Membership class on MVC as well.
Also, check your Account folder inside your view folder. you will some view samples there.
hope this helps.
I'm new to the ASP.NET world. Since I want to use the ORM it seems I would want an Entity to represent the User or Member or whatever, not some data tucked away by the forms authentication api. In fact I don't see how I can live without one.
How do people deal with this? Roll your own authentication? Or is there a best practice for incorporating forms authentication with the Entity Framework?
In short, since I need a User and Role Entity for queries anyway, should I skip the forms auth or find a way to use it?
Thanks
EF and Forms Auth are really two different areas. You can use Forms Auth without ASP.NET Membership very easily and roll your own provider with very little effort.
This tutorial will show you how:
http://msdn.microsoft.com/en-us/library/ms172766(VS.80).aspx
With ASP.NET MVC you should really use standard Auth since you can manage access to controllers using attributes for Roles very easily.
FormsAuthentication on its own does not care about the identity store and can validate only credentials stored in the web.config <credentials> section, through the Authenticate method. Standard implementations of the login page use the static Membership class to manage the identities and credentials in the MembershipProvider specified in the config file (usually SqlProfileProvider).
However, you don't have to use the membership provider functionality of ASP.NET to maintain your identities and you can still use FormsAuthentication just fine. The forms authentication control flow shows that forms authentication deals primarily with creating and maintaining the auth ticket for the user in a cookie. It does not deal with the user identity or profile itself, as it does not care about those.
Thus, you can safely use EF to maintain your user profiles, including credentials and do authentication of the provided credentials in your login page, while still using FormsAuthnetication.