i have an asp.net mvc application that has authentication set to none in the web.config but would like to secure one view with windows authentication. is there any easy/good way to do this without changing the authentication configuration?
Think you'll need to use the Authorize Attribute.
Any reason you can't set Authentication mode to Windows for the project?
Can you write your own authorize attribute which when applied to your method checks a few things, routes you to a challenge page or performs some other action that will satisfy your credentials?
Unsure what you'll use to authorise the user. Maybe check IP, Active Directory user name etc.
If you do it like this then you can re-use the attribute on other pages which would be nice.
Related
We are starting a new ASP.NET Core web site and the customer would like to handle the authorization using the database. So they want to configure custom roles and the actions to be configured in the database.
I have been trying to find an example or something to help me implement this, but could not find. Can this be achieved using the Authorize attribute from framework or a custom filter needs to be implemented?
EDIT:
I should probably mention that the application is an intranet so Windows Authentication is used for authentication
Short answer Yes.
Long answer...
This can all be achieved from the database you can configure up using existing methods with Identity, and from there create all the custom roles and even policies that you want to have and be able to assign, to each user individually or via roles.. Authorize attribute will work just fine with cookies. My only recommendation is that you try not handle security yourself but let the framework handle this for you.
My MVC application is secured using Forms Authentication. I have a global filter to which applies the AuthorizeAttribute.
I have a controller called Development with an action called Report. I can access this fine by authenticating in the normal way and going to http://localhost:8080/Development/Report. If I am not authenticated then it redirects me to the Forms Authentication login.
I am trying to embed this page into an iOS app so that a user can view the information without having to manually authenticate themselves. To confuse things the iOS app uses a different authentication system, however it holds a device ID and a unique token which my MVC app also store.
What I am trying to do is make the Report action available both via Forms Authentication and from the iOS app using basic authentication where the username will be the device ID and the password will be the token. It's really important that when authenticated using this method the user can only access the Report action. What's the best way to implement this whilst keeping everything secure?
I was thinking of marking the Report action with the AllowAnonymous attribute and then creating a custom authentication just for this action. Is this the best way?
Authentication strategies are just that: strategies. They're not intended to be mixed and matched; you pick one that best suits your application and go with it.
That said, I see two ways forward. Either way, however, will not allow you to use the same action for everything. Your best bet is to factor out shared code into a utility class or similar.
Put the two actions in separate projects. Then each project can implement its own auth strategy. Again, similar code can be factored out into a utility class, and in this case, shared via a class library that both projects may reference.
Create a separate action in the same project and don't use Authorize on it or use AllowAnonymous if it's part of a controller that is authorized. This will essentially turn off the standard auth for this action and provide no protection. However, you're now freed up to do your own "authorization" manually. You can either check the values of device ID and token directly in the action or create an action filter that does so. Which you choose depends on how frequently you need to do this. If this is a one-off you might just want to check directly in the action as that will be quicker and easier. However, if it is one-off you may still want to use an action filter just so you're prepare should its use become more widespread.
I'm implement aspnet identity with my MVC5 project. I have configured my project to use cookie authentication, form authentication and external authentication (facebook and google). Everything work fine.
Now i have a requirement to log whenever user log in system and i need to do some further logic. For the form authentication and external authentication i have a controller action that i can add my logic. However for the case user just come back system via cookie, how do i handle it?
I'm sure there's a better way to handle this, but a basic method would be to track all activity by the user, and then use timestamps to determine when a user was last active on your site.
Discussed here: Track user activity/actions for an asp.net mvc website?
OnExecuting filters here: https://msdn.microsoft.com/en-us/library/gg416513%28VS.98%29.aspx
Instead of using windows/forms authentication can I just use authorize attributes on the control actions that I want to restrict?
It seems to me that authorization is strictly better then authentication and is a replacement in most situations. I understand that authentication is at the web.config level and thus lets you switch pages in and out without a recompile, but if we didn't need that functionality then authorization is the way to go?
To protect a system you need both authentication and authorization.
http://www.duke.edu/~rob/kerberos/authvauth.html
Authentication is how you determine who a user is a.k.a. Logging In.
Authorize is a Annotation for ASP .NET that says to use this part of the site you need to be authenticated.
My ASP.NET MVC site requires forms-based authentication for some resources (downloads, discussion forum, etc). This works great with the [Authorize] attribute.
However, I need my admin site (`~/Areas/Admin/*) to authenticate against active directory.
With regular ASP.NET or classic ASP, I would just go into the IIS config and change the directory security to deny anonymous users. However, I can't figure out a way to do that with an area.
I know putting the [authorize] attribute on the controllers in my admin area would require a login, but it'll use the same forms-based authorization as the public areas of the site. Right now that authenticates users against a database (not using the ASP.NET Membership system as it's overkill for my app). I need users to authenticate against the domain, but ONLY in the Admin area.
Ideas?
You will need to write your own custom Domain authorize attribute and add this to the admin controllers.
Have a look at the answer here: asp.net mvc Adding to the AUTHORIZE attribute