My ASP.NET MVC site requires forms-based authentication for some resources (downloads, discussion forum, etc). This works great with the [Authorize] attribute.
However, I need my admin site (~/Areas/Admin/*) to authenticate against Active Directory.
With regular ASP.NET or classic ASP, I would just go into the IIS config and change the directory security to deny anonymous users. However, I can't figure out a way to do that with an area.
I know putting the [authorize] attribute on the controllers in my admin area would require a login, but it'll use the same forms-based authorization as the public areas of the site. Right now that authenticates users against a database (not using the ASP.NET Membership system as it's overkill for my app). I need users to authenticate against the domain, but ONLY in the Admin area.
Ideas?
You will need to write your own custom Domain authorize attribute and add this to the admin controllers.
Have a look at the answer here: asp.net mvc Adding to the AUTHORIZE attribute
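One shape such a custom attribute can take, as an added example that is not from the original answer or the linked post: it subclasses AuthorizeAttribute, accepts only a Windows (domain) identity, optionally checks membership in a named AD group through System.DirectoryServices.AccountManagement, and on failure answers 401 so IIS issues a Windows challenge instead of the forms-login redirect. The group name and the assumption that IIS Windows authentication is enabled for the application are mine.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: [DomainAuthorize(GroupName = "DOMAIN\\WebAdmins")] on admin-area controllers.
// Assumes IIS has Windows authentication enabled for the application; the attribute itself
// cannot change which IIS authentication modules run.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public sealed class DomainAuthorizeAttribute : AuthorizeAttribute
{
    // Optional AD group the caller must belong to; null means "any authenticated domain account".
    public string GroupName { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Forms-authenticated users carry a FormsIdentity, not a WindowsIdentity, so they are rejected here.
        var identity = httpContext.User == null ? null : httpContext.User.Identity as WindowsIdentity;
        if (identity == null || identity.IsAnonymous || !identity.IsAuthenticated)
            return false;

        if (string.IsNullOrEmpty(GroupName))
            return true;

        // Look the account up by SID (stable across renames) and test group membership against the domain.
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, identity.User.Value))
        {
            if (user == null) return false;
            using (var group = GroupPrincipal.FindByIdentity(ctx, GroupName))
            {
                return group != null && user.IsMemberOf(group);
            }
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // With forms authentication configured site-wide, FormsAuthenticationModule would turn a 401
        // into a 302 to the login page; suppress that (.NET 4.5+) so the browser gets the NTLM/Kerberos challenge.
        filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
        filterContext.Result = new HttpUnauthorizedResult();
    }
}
```

Because AuthorizeCore denies by default and only returns true for a verified WindowsIdentity, a forms-authenticated public user who types an admin URL gets a 401 rather than the admin page; the group check adds a second gate so that a domain account alone is not enough.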
I have read all the Stack Overflow posts and other blogs regarding mixed-mode authentication. I could not find a step-by-step implementation anywhere.
So here is my scenario. I have developed an ASP.NET MVC 4.5 application with ASP.NET Identity 2.0 for individual user accounts. Some of our clients use Active Directory to authenticate their users, whereas others use individual user accounts. Also, those that use Active Directory can also remotely access the web portal, and in that case authentication would be from the database (forms authentication / individual user account authentication).
My findings so far
Create another web application. If this client does not use Active Directory, then redirect to the login screen; else, authenticate from Active Directory (but how?).
Some of the links show that there is no need to create another web application like
Mixed mode authentication with OWIN
ASP.NET Identity + Windows Authentication (Mix mode - Forms + Windows)
ASP.NET MVC and mixed mode authentication
Truly confused as to what to do and how to do it... most solutions seem vague and general.
There's no need to create a second web application.
OWIN is designed to let you use all available providers (such as Windows authentication and forms-based authentication), given that you enable them in IIS.
Briefly, you have to
Enable Anonymous and Windows authentication on IIS - Authentication
(with server or site scope as it best fits to you)
Anonymous authentication - Edit - Use Application Pool Identity
I recently implemented just this kind of authentication on an MVC project and it works like a charm. I suggest you read this post: https://github.com/MohammadYounes/MVC5-MixedAuth. It's been really helpful to me.
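The core of the single-application approach, as an added example written for this answer rather than taken from the linked MVC5-MixedAuth project: one endpoint that IIS protects with Windows authentication reads the already-verified domain identity from the request, maps it to an existing ASP.NET Identity user, and signs that user in with the same OWIN application cookie the forms login issues. Everything after that point (the [Authorize] attribute, roles, the rest of the site) sees an ordinary cookie-authenticated user. The controller name, the ApplicationUserManager type from the project template, and the IIS configuration (Windows authentication enabled and anonymous disabled for this one path only, anonymous enabled elsewhere) are assumptions.

```csharp
using System.Net;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Hypothetical controller reachable at /WindowsLogin. IIS (not this code) is assumed to enforce
// Windows authentication on that path, so an unauthenticated request never gets here.
public class WindowsLoginController : Controller
{
    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // ApplicationUserManager is the UserManager<ApplicationUser> subclass from the MVC 5 Identity template.
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    public async Task<ActionResult> Index(string returnUrl)
    {
        // LogonUserIdentity is the Windows account IIS verified for this request (DOMAIN\user).
        var winIdentity = Request.LogonUserIdentity;
        if (winIdentity == null || winIdentity.IsAnonymous || !winIdentity.IsAuthenticated)
            return new HttpUnauthorizedResult();

        // Map the domain account to an application user. Accounts are provisioned by an admin;
        // nothing is auto-created, so a valid domain login alone does not grant application access.
        var appUser = await UserManager.FindByNameAsync(winIdentity.Name);
        if (appUser == null)
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Domain account not provisioned");

        // Issue the same application cookie the forms login path issues; roles/claims come from the store.
        var claimsIdentity = await UserManager.CreateIdentityAsync(appUser, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, claimsIdentity);

        // Only honour local return URLs so the endpoint cannot be used as an open redirector.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

Clients that authenticate against the database keep using the normal /Account/Login page; clients on the domain are linked to /WindowsLogin instead. Because both paths end in the same cookie, the rest of the application does not need to know which one was used.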
In my ASP.NET MVC web application any unauthenticated and anonymous user can type a URL (for example localhost:16621/Controller/Index/1) and access that page. How can I prevent this?
In ASP.NET MVC, use the AuthorizeAttribute. But you'll probably need a user system that uses a database or authenticates against Google/Facebook using OAuth.
Take a look at the [Authorize] attribute.
You can find more details here and here.
I have an asp.net mvc4 application, using simplemembership for the authentication.
In this application I have an admin area, and the frontend which is the root of the application (not an area).
I would like to be able to log in to both areas without overwriting the login session of the other.
Is it possible to define the admin area as a separate application, and how?
If I understand you correctly, you want the admin to be able to log into both the administrative section of the site and the "regular" authenticated part of the site, but non-admin users to only be able to log into the "regular" authenticated part of the site?
Could you just use Roles to decorate the controller actions that are only available to Administrators vs those that are available to any authorized user?
[Authorize(Roles="Administrator")] for administrator-only actions
[Authorize] for any authorized user actions
http://geekswithblogs.net/tyarmer/archive/2010/02/25/strongly-typed-roles-in-mvc-with-authorize-attribute.aspx
Or am I misunderstanding what you are asking?
What are some of the common methods to do simple user validation (account login)?
Also, can you have different authentication schemes per area?
Edit
I am creating an eCommerce site that will need to have protected actions per user. So how would one go about doing this? It will need to be able to let only authenticated users access their information.
You have several options when it comes to doing authentication in MVC:
The built-in MVC Forms Authentication (tutorials available here and here)
Using Forms Authentication with Cookies in MVC3 (Link here)
Using Windows Authentication (Learn more here...)
Mixed Mode Authentication (Using Windows / Forms Authentication together.)
The built in Forms Authentication can allow you to limit access to different areas of your application based on Role, User among other things and it is quite easy to implement using the [Authorize] attribute.
The following would require the user be logged in:
[Authorize]
public ActionResult YourActionNameGoesHere()
{
    // Runs only for an authenticated user; anyone else is redirected to the login page.
    return View();
}
Likewise, the following would require the user be logged in AND be an Administrator:
[Authorize(Roles="Administrator")]
public ActionResult YourActionNameGoesHere()
{
    // Runs only for an authenticated user who is in the Administrator role.
    return View();
}
Those were just a few methods of accomplishing it. As you can see, there are MANY different ways to do this; I hope this has shed a bit of light in helping you decide.
According to the security expert on the MVC team
The only supported way of securing your MVC application is to have a
base class with an [Authorize] attribute, and then to have each
controller type subclass that base type. Any other way will open a
security hole.
http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
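The base-class pattern the quoted advice describes, as an added example that is not code from the linked post: the abstract base carries [Authorize], every controller derives from it, and the few public actions opt out explicitly with [AllowAnonymous]. The effect is that a new controller or action is protected unless someone deliberately opens it, instead of being open unless someone remembers to close it. Class and action names are placeholders; [AllowAnonymous] is an MVC 4+ attribute, so on MVC 3 (the version the linked post covers) the opt-out would need a custom attribute instead.

```csharp
using System.Web.Mvc;

// Secure by default: everything that derives from this requires an authenticated user.
[Authorize]
public abstract class SecureControllerBase : Controller
{
}

public class HomeController : SecureControllerBase
{
    // Deliberate exception for the public landing page.
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View();
    }

    // No attribute needed: inherits [Authorize] from the base class.
    public ActionResult Downloads()
    {
        return View();
    }
}

// Stacking a role requirement on top of the inherited [Authorize]; both must pass.
[Authorize(Roles = "Administrator")]
public class AdminController : SecureControllerBase
{
    public ActionResult Index()
    {
        return View();
    }
}
```

A quick way to check the pattern is being followed is a unit test that reflects over every Controller type in the assembly and fails if one does not derive from SecureControllerBase.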
Please go to your Models folder when you create an Internet application with VS 2010. You will see a .cs file there. That file holds a sample structure for user authentication.
Remember that ASP.NET MVC is not a separate framework. It sits on top of ASP.NET, so you can use the System.Web.Security.Membership class in MVC as well.
Also, check your Account folder inside your Views folder. You will see some view samples there.
Hope this helps.
If I have an ASP.NET MVC application where users can only access via an NTLM-authenticated account, do I need to use ASP.NET Membership services and issue cookies?
Or do I have completely the wrong end of this particular stick?
You never have to use the ASP.NET membership provider; it is just an option. If all you need to do is authenticate the user, NTLM works just fine by itself. If you need to use the user's identity for further authorization or personalization on the site, you need to use some sort of user management, but it doesn't have to be the membership provider; you can write your own.
It doesn't make any difference whether you are using MVC or Web Forms.