I'm creating a site with 2 different sections (main site and admin) and both of them need authentication.
I have the main section already created and it works fine using FormsAuthentication.
now, how do I go about creating the admin section? Can I use FormsAuthentication again?
thanks
user - yes you can.
what you need to do is to create roles (such as webuser and admin) and assign the user to the appropriate role as required (you can do this either when setting the user up initially or later as an edit on their profile). anyway, getting back to the question. inside your controller, you'd then investigate the roles that existed for that logged in user and this would determine which controller actions they had access to as well as determining which view to present, should the action be 'shared' between roles.
within the controller, you can decorate the action with the following code:
[Authorize(Roles="admin")]
public ActionResult IndexAdminOnly() // you'd never have an action named this - purely to make the point
{
// your logic here
}
conversely, you could do it inside the controller:
[Authorize]
public ActionResult Index()
{
if(Roles.IsUserInRole("admin")){
// your admin logic here
}
if(Roles.IsUserInRole("webuser")){
// your webuser logic here
}
}
this is it at it's very simplest. hopefully you can google a few more links to get you over any issues that arise once you get going, or drop a note here.
Related
I have a project with Identity 3.0. I have setup a dynamic menu which also works and displays a different menu list depending on what role you are in.
I would like Authorized users to have different home page. If you are UnAuthorized you should see "/Home/Index" as per normal.
If you are Authorized (logged in as a user and it remembers you..) you should always be directed to a different home page for Authorized users... say "/Scheduling/Index".
I have set an AuthorizeFilter
services.AddMvc(setup =>
{
setup.Filters.Add(new AuthorizeFilter(defaultPolicy));
});
so unless you are Authorized you get sent to the login page if you are try an access any controller without the:
[AllowAnonymous]
at the start... eg HomeController has this at the start...
I found this on Stackoverflow and tried it in the StartUp class but it doesnt work.
services.Configure<CookieAuthenticationOptions>(options =>
{
options.LoginPath = new PathString("/Scheduler/Index");
});
How can I have two different home pages depending on whether the user is logged in or not logged in?
You have (at least) two ways:
1) Return different view names from your 'Index' action (depending on user status):
[AllowAnonymous]
public IActionResult Index()
{
// code for both (anonymous and authorized) users
...
var shouldShowOtherHomePage = ... // check anything you want, even specific roles
return View(shouldShowOtherHomePage ? "AuthorizedIndex" ? "Index", myModel);
}
This one is good when your Index method have no "heavy" logic, different for anonymous/authorized users, and you will not have two "branches" of code inside one method.
2) Redirect authorized users to other action from Index:
[AllowAnonymous]
public IActionResult Index()
{
var shouldShowOtherHomePage = ...
if (shouldShowOtherHomePage)
{
return RedirectToAction("AuthorizedIndex", "OtherController");
}
// code for anonymous users
....
}
Use this option when you don't want to mix two logic flows inside one method, or your actions are in different controllers.
I am in search of finding a best way to route users based upon their role in MVC4 application.
Basically I have 3 types of users in my application
1)Admin
2)Staff
3)Client
How can I achieve this?
admin/home (for each admin request it starts with admin/{controller}....)
staff/home (for each staff request it starts with staff/{controller}....)
client/home (for each client request it starts with client/{controller}....)
Thanks.
3) There is an attribute which you place upfront of your actions in your controller, so there you can list what kinda role is allowed for this particular action. You can also create your own filters.
Ok here is what I suggest, make a new project and use the 'internet template'. Out of the box they set up a login page for you and this will give you an idea of how to set it up in your own application.
Based on the set up from above, you will need to edit the AccountController and add something like this to the Login Post Action.
if (User.IsInRole("Admin"))
{
return RedirectToAction("Home", "AdminController");
}
if (User.IsInRole("Staff"))
{
return RedirectToAction("Home", "StaffController");
}
if (User.IsInRole("Client"))
{
return RedirectToAction("Home", "ClientController");
}
Don't forget to add the [Authorize(Roles = "RoleName")] attribute to four controllers, or it won't matter if they are logged in or not.
Also, take a look at http://www.asp.net/mvc they have numerous resources for learning about asp.net mvc.
When it comes to display a view regarding to authentication (view displayed depending to the visitor if he's a user or not). I face many choices. So I need your help to show me how i deal with such situation :
Using 2 views (one for the users and other for visitors), or just one view.
using 2 actions (one with authorize filter and the other without), or just one action.
And why the choices you suggest is better ?
You don't have to not use Authorize attribute. It's main function is to setup the User in the context, and then by default, it also checks that they are logged in. However, this last part can be overridden by using the AllowAnonymous attribute as well:
[Authorize]
[AllowAnonymous]
public ActionResult SomeView()
{
...
}
So, now your view will have a User to play with, and you can dynamically present different pieces of the view using that based on auth status:
#if (User.IsAuthenticated)
{
<p>Logged in</p>
}
else
{
<p>Anonymous</p>
}
EDIT (for clarification)
The Authorize attribute actually does two distinct things for you. First, it setups all the machinery for recognizing a user: reads the cookie or whatever, checks the authentication status, pulls in the user's info, if they are authenticated, etc. Second, it validates that the user is in fact logged in. Using AllowAnonymous skips this second part and allows anyone, logged in or not, to access the view, BUT and this is key, you still need the first part to know stuff like whether you have an authenticated user or not.
So, simply, using both the Authorize and AllowAnonymous attributes together means essentially, "see if the user is logged in, but don't require it to access this view". That allows anonymous users to still reach the page, but enables you to still deliver unique or different content to an actual logged in user.
I am learning ASP.NET MVC3, and I just created a controller for my Model/Context. However, anyone can navigate to these pages and use them. How can I set permissions for these pages?
AuthorizeAttribute will be your first line of defense. You can grant access based on group membership or username. Works a lot like Code Access Security / Principal Permission Attributes but isn't as hard to work with.
Example:
// Allow Everybody in
public ActionResult Index ()
{}
// Allow only Editors/Admin to post edits back to controller.
[HttpPost]
[Authorize(Roles="Admin,Editor"]
public ActionResult Edit(EditViewModel vm)
{}
You can use them at the Class or Method Level, so you can have a base controller that only lets authorized users use certain controllers of your app.
If you find yourself using the same groups or users over and over, I would create an override of the AuthorizeAttribute that has those groups predefined, that way you don't misspell or forget them. This will also DRY up your code, which is always great.
You can use the Authorize attribute to rstrict permission, often this is inherited from the base class. This is the most common and recommended.
You can use the ActionFilter attribute and override the OnActionExecuting and set custom logic in there. Possible, but not the recommended.
There are lots of other ways too, but the prior two are the main ones for MVC.
I want to make the roles default for my controller class to "Administrators, Content Editors"
[Authorize(Roles = "Administrators, Content Editor")]
I've done this by adorning the controller with the attribute above. However, there is one action that I want to be available to all (namely "View"). How can I reset the Roles so that everyone (including completely unauthorized users) have access for this action.
Note: I know I could adorn every single action other action with the authorize attribute above but I don't want to have to do that all the time. I want all of the controllers actions to be unacessible by default so that if anyone adds an action they have to make a considered decision to make it available to the general public.
MVC4 has a new attribute exactly meant for this [AllowAnonymous]
[AllowAnonymous]
public ActionResult Register()
http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx
You can place the Authorize attribute on the action methods. Not just at the class level.
So, move the attribute from the controller class to just the action methods you want to secure.
The only solution I can think of so far is to create and register another controller so that I have one for anonymous access, and one for authorized access but that's not quite as elegant as I would have liked.