Loginview control asp.net mvc - asp.net-mvc

I have been searching and haven't had any luck. I got a tutorial to use the loginview control in order to display or hide parts of the views to different user roles in my application. The thing is that the tutorial I've found is for ASP.NET and I've been told by one of my colleagues that it is the same framework for ASP.NET MVC but the way to use it is different. Have you got any good tutorial to recommend?
EDIT: I've got all my application set up, and the login and the roles already configured (via asp.net membership provider). This is all already running. The thing is that if I have role a and role b I want role a to be able to actually see the links to the actions it is authorized to work with, and not b for example. If in the Index of my application I've got a link to "Edit" and only the role a can access the action, then it will be displayed just for logged in users that belong to role a, and not to those who belong to role b.
Thank you,
Vikitor

Try this:
http://www.a2zdotnet.com/View.aspx?id=77
And remember to use [Authorize] attribute on your controller Actions to prevent users accessing sensitive views.
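
An added example (not part of the original question or answer) of the two layers this thread describes: a view helper that hides a link from users outside a role, and the [Authorize] attribute that enforces the same rule on the action. It assumes ASP.NET MVC 2 or later; the helper `ActionLinkForRole`, the controller `ItemsController` and the role name "RoleA" are hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Mvc.Html;

public static class RoleLinkExtensions
{
    // Hypothetical helper (not part of ASP.NET MVC): emits the link only when the
    // current user is authenticated and in the given role; otherwise emits nothing.
    public static MvcHtmlString ActionLinkForRole(this HtmlHelper html,
        string linkText, string actionName, object routeValues, string role)
    {
        var user = html.ViewContext.HttpContext.User;
        bool allowed = user != null
                       && user.Identity.IsAuthenticated
                       && user.IsInRole(role);
        return allowed
            ? html.ActionLink(linkText, actionName, routeValues)
            : MvcHtmlString.Empty;
    }
}

// Hypothetical controller; "RoleA" is a placeholder role name.
public class ItemsController : Controller
{
    // Any visitor may list items; the view decides which links to draw.
    public ActionResult Index()
    {
        return View();
    }

    // Hiding the link is cosmetic. This attribute is what actually blocks a
    // role-b user who types /Items/Edit/5 into the address bar.
    [Authorize(Roles = "RoleA")]
    public ActionResult Edit(int id)
    {
        return View();
    }
}

// In the Index view (Razor syntax shown):
//   @Html.ActionLinkForRole("Edit", "Edit", new { id = item.Id }, "RoleA")
```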

Related

Authenticating ASP.NET MVC application against Sitecore users

I just started working in Sitecore. I am developing a web application in ASP.NET MVC 5.0 to create / edit some content in Sitecore. I am looking for the best way for authentication in web application (MVC) using existing Sitecore users. User management part will stay with Sitecore, just need authentication (login) in web application against Sitecore users. Can I use Identity concept of ASP.NET for the same?
Sitecore uses Membership providers.
Normally you create a new domain for web users, so not the same as CMS users.
See This:
http://fes-sitecore.blogspot.nl/2015/02/using-membership-with-sitecore.html
And the Documentation from Sitecore:
https://sdn.sitecore.net/upload/sitecore6/sc61keywords/membership_providers_a4.pdf
I have done this in the last few weeks.
What you will need first is to create a Role in Sitecore that your Extranet (siteusers) will get logged in against. Create a user and assign them to this role.
You will need to go to the security editor (I think) and select the 'everyone' role. Allow everything and inheritance from the top of the tree. (green cross on the content item)
For the item you wish to lock, put a red cross against the inheritance.
Then select your created role and put a green cross in inheritance against the item you wish to allow this role to see.
From Sitecore: The idea is allow everything for everyone and break inheritance to secure it by adding a red cross to inheritance.
From the website: The idea is that everyone (siteusers) don't have access to the page and will get redirected. People in your new role will go to the page.
Next take a look at the post above, but in your site settings you need to configure the location of your login page.
After these steps you should be able to navigate to the page and get redirected to your login page (make sure you are not in the content editor; use incognito mode in Google Chrome).
So finally you can use the Sitecore.Authentication namespace, and there are methods on there to authenticate and check if a user is in a role etc.
Take a look at https://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
Hope this helps. Any questions just ask. It's hard to explain in text :)
Aki,
You can leverage the Sitecore authentication, which is very useful. I have been using this in all my projects from Sitecore 6.5 to 7.5.
You just have to explore a few APIs of Sitecore membership; there you will get:
How to create roles.
How to set users in roles.
How to provide proper security or limited access to a particular role.
How to set custom data for users also.
Make sure you are not using the sitecore domain for web users; use the extranet domain. The sitecore domain is only for users who are supposed to log in to the Sitecore dashboard.
Hope this will help you.
Cheers!!

Authorize with Roles in Onion Architecture

Hello everyone,
I have a project where I am using ASP.NET Identity 2.0. In this project I am following the Onion architecture.
The layers are:
1. UI: no reference to Owin or ASP.NET Identity.
2. AuthenticationService: contains a wrapper for the ASP.NET Identity UserManager. This wrapper implements an interface that lives in the Bal layer. This layer also contains my custom UserStore.
3. Dal: DbContext lives here.
4. Bal: contains domain entities and interfaces. No reference to Owin or ASP.NET Identity or anything else.
5. DependencyResolver: Owin Startup is here plus some Ninject modules and the NinjectWebCommon. So I am using Ninject.
Till now everything is fine. Users are happy creating accounts, and they can login/logout/manage any time they want. The problem I am facing now is with the Authorize(Role="rolename"). It just doesn't work.
[Authorize(Users="pedro")]
[Authorize]
Both of these work.
[Authorize(Roles="Admin")]
This one, no.
In my database I have users who belong to the role Admin. I am not sure why this doesn't work. Maybe because I moved all the authentication stuff to another layer, so the IPrincipal.IsInRole(string role) can't figure out how to check this anymore.
I am working on creating a custom Authorize attribute or creating some extensions, but I decided to seek your advice first.
Thank you for your time.
Well, here I am answering my own question.
Indeed the problem was because of the method User.IsInRole (or IPrincipal.IsInRole, because User is an IPrincipal). Inspecting the code of AuthorizeAttribute using Reflector shows that this attribute uses the IsInRole method to check if the authenticated user is in role X or Xs. But here comes another question: why can't it do that? I mean, why can't it find out if a user belongs to a specific role or not?
The problem comes from the cookie generated for the user. Because roles are associated with the cookie, they need to be there so IsInRole can find them, and this is where I made my mistake. I moved the authentication and authorization to somewhere else but I didn't provide a way to embed the role information inside the cookie, so the IsInRole (from User or from Roles) couldn't find them in order for the Authorize attribute to do its job as I wanted it to. So the good news is that I only needed to insert the roles inside the cookie somehow.
The better news is: ASP.NET Identity, which I am using now, supports claims, and in 4.5 GenericPrincipal derives from ClaimsPrincipal, which in turn derives from IPrincipal, so I can work with claims rather than old-fashioned roles (which we can still use if we want to).
Well, if someone comes across the same issue, I recommend the following:
1. Authorize attribute needs the cookie to contain all the information you are trying to rely on (roles, user names).
2. Use the thinktecture NuGet rather than Authorize or ClaimsPrincipalPermission attributes, which gives you the pros of both of them.
3. Learn about claims. You will never regret it.
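
An added example (not the poster's code) of the failure and fix described in the answer above: the same user name wrapped in an identity with and without role claims, checked with the same IsInRole call that AuthorizeAttribute relies on. `CookieIdentityFactory` and `Demo` are hypothetical names, and "ApplicationCookie" is assumed as the authentication type of the cookie middleware.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class CookieIdentityFactory
{
    // Hypothetical helper for the authentication layer. The identity built here
    // is what gets serialized into the auth cookie at sign-in, so every role the
    // [Authorize] attribute should see must be added as a claim at this point.
    public static ClaimsIdentity Create(string userName, IEnumerable<string> roles)
    {
        // A non-empty authentication type makes IsAuthenticated return true.
        var identity = new ClaimsIdentity("ApplicationCookie");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roles)
        {
            // ClaimTypes.Role is the default claim type IsInRole looks for.
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        }
        return identity;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: user "pedro", who is an Admin in the database.
        var rolesForgotten = new ClaimsPrincipal(
            CookieIdentityFactory.Create("pedro", new string[0]));
        var rolesEmbedded = new ClaimsPrincipal(
            CookieIdentityFactory.Create("pedro", new[] { "Admin" }));

        // Both principals are authenticated and named "pedro", which is why
        // [Authorize] and [Authorize(Users="pedro")] pass in either case.
        Console.WriteLine(rolesForgotten.Identity.IsAuthenticated);
        Console.WriteLine(rolesEmbedded.Identity.Name);

        // Only the second principal carries a role claim, so only it satisfies
        // the check behind [Authorize(Roles="Admin")].
        Console.WriteLine(rolesForgotten.IsInRole("Admin"));
        Console.WriteLine(rolesEmbedded.IsInRole("Admin"));
    }
}
```

Because the roles are fixed when the cookie is issued, a role removed in the database stays effective for that user until the cookie expires or is reissued.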

Is it acceptable to use role based controllers in a MVC framework

If my site has several user roles say Admin, User, Manager and there are several modules of functionality that may be used by one particular user or by all users how should I go about naming my controllers?
Is it OK to have role based controllers such as an Admin, User and Manager controller as well as controllers for shared functionality such as Products controller?
And for small parts of functionality that is used by only one user role can I keep that inside the user based controller e.g. having all the add/remove/update functionality for product categories can I have that inside the Admin controller or should it have its own controller even though it will only be a few lines of code?
When searching the net for conventions on doing this I am only provided with ways to name the actual file and other sources only explain the controller functionality and not what should and should not be a controller.
If this is subjective I am also happy to take that as an answer, but as it currently stands I am unsure of what is acceptable and whether or not role based controllers are acceptable in the MVC framework.
Personally, I have upgraded my ASP.NET MVC project to version 2-beta release 2 and moved admin related stuff to a different area.
This way you can keep your controller names related to their function but run them from dedicated area.

ASP.NET MVC Roles without database (and without role provider)

I have a super simple ASP.NET MVC application that uses RpxNow (OpenID) to allow users to login. I now want to let users edit their own account and provide administrator access to edit anyone's account.
I have two separate "Edit Account" views:
~/account/edit/
~/account/edit/1
The first loads the account details based on the logged in user. The second loads the account details using the supplied AccountId. The first would be for standard users, and the second for an administrator.
Firstly I need to define the roles (User, Admin) and then I need to assign a user account (or multiple) to that role.
Then I need to check the role in the controller. I like this concept:
http://schotime.net/blog/index.php/2009/02/17/custom-authorization-with-aspnet-mvc/
So, down to the questions:
Is there a simple way to define a list of roles in the web.config?
Is there a simple way to define which users are in which roles in the web.config?
Is there a way to do this WITHOUT using Membership / Role providers?
Am I approaching this from the wrong perspective? Should I be partitioning the application into two branches and securing them based on folder authorisation?
I'm not a friend of storing authorization data in web.config. I prefer storing it in database or other xml files.
Have a look at Xml Membership / Role Provider. This uses Membership / Role for reading userdata but it shows a way storing and reading user authorization data from xml files.
Branching the application would move the issue and not solve it.
Remember that the entire permissions plumbing still really revolves around IPrincipals, the Role/Membership providers are just window dressing to allow most applications to not have to write that plumbing code. In this case, you could easily add a database-backed (or just static if the list is short enough) list of roles and a list of users in roles and query that. Wrap it up behind a custom IPrincipal and stuff that puppy in there at the appropriate place and you are golden.
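
An added example (not from the original answers) of the custom IPrincipal approach described above, using a static role list and no Membership or Role provider. `StaticRolePrincipal`, the sample user key and the role names are hypothetical, and it assumes Identity.Name holds the identifier under which the OpenID user was signed in.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class StaticRolePrincipal : IPrincipal
{
    // Constructed sample data: the short static list of users in roles.
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://admin.example/openid", new[] { "Admin", "User" } },
        };

    // Authenticated users missing from the list get the least privilege.
    private static readonly string[] DefaultRoles = { "User" };

    public StaticRolePrincipal(IIdentity identity)
    {
        Identity = identity;
    }

    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        if (!Identity.IsAuthenticated) return false;

        string[] roles;
        if (!RolesByUser.TryGetValue(Identity.Name, out roles))
            roles = DefaultRoles;

        return Array.Exists(roles,
            r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
    }
}

// Global.asax.cs: swap the principal in once authentication has run, so that
// [Authorize(Roles = "...")] and User.IsInRole both use the static list.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var current = HttpContext.Current.User;
        if (current != null && current.Identity.IsAuthenticated)
            HttpContext.Current.User = new StaticRolePrincipal(current.Identity);
    }
}
```

With this in place, an `[Authorize(Roles = "Admin")]` attribute on the action behind ~/account/edit/1 is evaluated against the static list.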

ASP.NET MVC Membership: how can I create/configure it?

I'm having a huge problem in understanding Membership with MVC. We have in our project controllers named "Admin" and "SuperAdmin" and they are restricted to some users.
Do I have to use the Authorize Roles attribute on each Action or can I use an ActionFilter to check if a user can view a certain page?
And if I have to use the Roles attribute, do I have to configure each user on the ASP.NET Configuration tool? For example, "SuperAdmin" will be only a few users (around 3 at top), making it easy to use the ASP.NET Configuration tool and tell it who these users are. But "Admin" users will be many more... how can I configure them?
I'm totally lost!
I need a great clarifying on that!
Thanks a lot!!!
You can apply the AuthorizeAttribute to controllers as well as actions. If you apply it to the controller, each method will have its access restricted with respect to the attribute. You can also apply another instance of the attribute to individual actions to further restrict access if necessary based on other roles. You will need to put the individual users in their roles for them to have access to role-controlled controllers/actions.
