How to access a user's saved DB data on an ASP.NET MVC page? - asp.net-mvc

I know I can use the attribute [Authorize(Roles="client")] to make sure that only authenticated clients can access a page. But after that, how can I access this user's personal data? How do I programmatically get that user's account ID from that action controller?
For example, on Stack Overflow, how does my personal account page access my personal data which is stored in a database?
So far, googling "authentication", "authorization" only helped me limit access to a controller action, not how to access that user's stuff.

Assuming you're using the membership provider (which I'd assume is the case if you're using the attribute), the simplest way is:
var membership_user = Membership.GetUser();
which will return a MembershipUser for the currently logged-in user. From that, you can access any profile information you've set up, and also get the primary key to access anything else you've set up.
James
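An added example (not the answerer's code) of putting that together in a controller action: the key comes from the authenticated ticket via Membership.GetUser(), and the lookup is done with that key rather than with an id supplied by the client. It assumes an EF code-first context with a ClientRecord table keyed by ProviderUserKey (a Guid under the default SqlMembershipProvider); adjust names and key type to your schema.

```csharp
// Added example, not the answerer's code. Assumes an EF code-first context with a
// ClientRecord table keyed by the membership ProviderUserKey (a Guid under the
// default SqlMembershipProvider); adjust names and key type to your schema.
using System;
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

public class ClientRecord
{
    public int Id { get; set; }
    public Guid MembershipUserId { get; set; }   // = MembershipUser.ProviderUserKey
    public string BillingAddress { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<ClientRecord> ClientRecords { get; set; }
}

[Authorize(Roles = "client")]
public class AccountController : Controller
{
    private readonly AppDbContext db = new AppDbContext();

    // GET /Account/Details
    // The identity is taken from the forms-auth ticket, never from a route or
    // query-string id, so one client cannot read another client's row by
    // editing the URL.
    public ActionResult Details()
    {
        MembershipUser current = Membership.GetUser();
        if (current == null || current.ProviderUserKey == null)
            return new HttpUnauthorizedResult();   // ticket present, but the provider has no such user

        var key = (Guid)current.ProviderUserKey;
        ClientRecord record = db.ClientRecords.SingleOrDefault(r => r.MembershipUserId == key);
        if (record == null)
            return HttpNotFound();                  // authenticated, but no profile row yet

        return View(record);
    }
}
```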

Related

MVC Authentication without login form

I am calling a webpage from an external webpage and I am passing a user id with the call (http://localhost:54697/?position='position'&user='user'). What I want to do is I want to put the user into an authentication process using the request variable.
Is global.asax.cs/Application_Start() a good place to do it? If so, is there any way to pass a request variable into it?
Or is there any suggestion?
UPDATE:
The external site has the credential info that is needed for my site's authorization. In short, I have a system on which I can go through several other websites via menus. One menu link will go to this (http://localhost:54697/?position='position'&user='user') Asp.Net MVC web site. Whenever the user clicks the link, a userid will be sent through the link. Based on the userid I will go through an authorization process in which I will check the userid and show menus based on the roles associated with the userid. In the controller I can get the userid; however, I do not want to check the roles in every controller. Whenever the link is clicked I want the system to go through a role provider, assign the roles associated with the userid and place role annotations on the controllers. As stated above, I am not sure if global.asax.cs/Application_Start() is a good place to do it. If so, is there any way to pass a request variable into it? Or can I use the constructor of the controller for this purpose?

Check specific ‘claim’ is still valid for logged in user using ADFS + Asp.net MVC

I am using ADFS for claim-based authorization. I need to check that a specific 'claim' is still valid
(implement a validate-claim method) by keying a Claim Name into a text box and clicking a Validate button.
I am not sure how I can validate a specific claim again for the logged-in user. I tried doing lots of research but could not find any useful resource.
Thx in advance.
The only way to get claims from ADFS is to authenticate and look through the list of claims in the token.
It sounds like what you need is to go to AD directly as per this and get e.g. the user groups
i.e. "IsUserGroupMember" – This method will validate whether the User is a Member of a Group

Is it possible to make a survey monkey account 'read only'

I am using the Survey Monkey API to get the URLs of surveys I have created, which allows me to display surveys from within my application. To do this I have to send my key and authorization with the request.
What concerns me is that Survey Monkey has an API, 'create_flow', that allows surveys to be created. Using Fiddler I can see my requests, including the key and authorization token. As far as I can see, this means that anyone could use this information to access the API and create a new survey on my account, which I do not want.
Is there any way to stop someone from creating new surveys using the API and the auth token? I'm not really bothered about people getting access to the survey details or URIs, as all they can do is post junk survey results that only I will see, but I absolutely don't want anyone else to be able to create a survey that will be presented to all my users with potentially malicious text.
It is not possible to make an account read-only.
So if I'm understanding correctly, you're shipping an application which contains your api_key and access token?
This is very much not recommended - the access token is equivalent to your account password, it gives full access to your account.
If you want a way to dynamically list your surveys, the best way to do it is create a proxy web app / API you host yourself. When someone hits that address, it uses the access token / api key you've stored on your box and grabs the list of surveys and then returns it to your app. This is the only safe way to do this.

How to manually validate user in ASP.NET MVC Internet Application template

I'm new to web security so I don't want to implement my own. I plan to use SimpleMembership via the VS2012 template for an ASP.NET MVC Internet Application. The problem is that I need to pass the data via a Web API.
I plan to use basic authentication for my Web API, so I just need to pass username/password in the HTTP headers. I can intercept the message using Thinktecture.IdentityModel. Here's an example that uses ASP.NET Membership:
authConfig.AddBasicAuthentication((userName, password) =>
Membership.ValidateUser(userName, password));
I can replace Membership.ValidateUser with my own bool function. I've successfully queried my custom database with username/password and everything worked fine. However, I'm using the template's user database because I DON'T want to store string (or even encoded) passwords.
I am unclear on how to manually validate the credentials using the SimpleMembership's database. I can grab a UserProfile, but can't figure out how to check the profile's password.
UserProfile user = context.UserProfiles.Find(1);
==OUTPUT==
user
UserId: 1
UserName: "bob"
Do you know how I can check if an inputted password matches that of an existing user?
Thanks for your help!
Why are you not using Membership.ValidateUser? It is not restricted to just ASP.NET Membership: assuming you have your [InitializeSimpleMembership] (here) attribute in the correct places, or have executed the logic inside it yourself elsewhere, and you have the correct references to WebMatrix etc., you can still just call Membership.ValidateUser and it will use SimpleMembership's ValidateUser.
If you wanted to go to the database yourself, and assuming you are using hashed passwords etc., then this article is probably going to help, as you are going to need to hash your input password before selecting it out; the rest is just writing some EF (or any other db access method) to select from the User table where the username and hashed passwords match. But I can think of no obvious reason to do this, as Membership.ValidateUser will do all this for you.
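For completeness, here is an added example (not from the question or answers) of the manual route. It assumes the VS2012 Internet template's SimpleMembership schema, where webpages_Membership.Password holds a hash produced by System.Web.Helpers.Crypto.HashPassword; because that hash embeds a random salt, the stored value has to be fetched and verified with Crypto.VerifyHashedPassword rather than selected by a recomputed hash.

```csharp
// Added example (not from the question or answers). Assumes the VS2012 Internet
// template's SimpleMembership schema: UserProfile(UserId, UserName) and
// webpages_Membership(UserId, Password), where Password is a salted hash from
// System.Web.Helpers.Crypto.HashPassword. Requires System.Web.Helpers.
using System;
using System.Data.SqlClient;
using System.Web.Helpers;

public static class SimpleMembershipCredentialCheck
{
    // Returns the UserId on success, or null if the user is unknown or the password
    // does not match. Do not compare hashes yourself: the stored value carries a
    // random salt, so the same password hashes differently every time and a
    // "WHERE Password = @hash" lookup can never succeed.
    public static int? Validate(string connectionString, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            return null;

        const string sql =
            @"SELECT p.UserId, m.Password
                FROM UserProfile p
                JOIN webpages_Membership m ON m.UserId = p.UserId
               WHERE p.UserName = @userName";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@userName", userName);   // parameterised, never concatenated
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return null;                 // unknown user: same outcome as a wrong password
                int userId = reader.GetInt32(0);
                string storedHash = reader.IsDBNull(1) ? null : reader.GetString(1);
                if (storedHash == null)
                    return null;                 // e.g. OAuth-only account with no local password
                // VerifyHashedPassword re-derives the hash using the salt embedded in storedHash.
                return Crypto.VerifyHashedPassword(storedHash, password) ? (int?)userId : null;
            }
        }
    }
}
```

Wire it in with authConfig.AddBasicAuthentication((u, p) => SimpleMembershipCredentialCheck.Validate(connStr, u, p) != null); note that unlike Membership.ValidateUser this does not honour IsConfirmed or the failed-attempt lockout columns.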

How do I assign a Role to an OpenId user for an ASP.NET MVC site?

I'm using OpenId in my ASP.NET MVC application. Works great :) Once I have the user's OpenId Identifier (once they have authenticated and returned to my site), I load up the user's data (to get display name, etc).
From here, I also know their roles.
I'm not sure how to assign the role to the current Forms.Identity.
here's my code...
// Load User...
var user = GetUsers().ByOpenIdIdentifier("blahblahblahbl....");
// Here means we have a user AND all the roles, for that user.
// Forms Authenticate and Redirect.
FormsAuthentication.SetAuthCookie(user.DisplayName, true);
return RedirectToAction("Index", "Home");
How can i change this code so the authenticated user also has their roles assigned?
Update
I stumbled across this web post about making a custom Authorize attribute. Notice how they are checking the logged-in user's role that exists in the session? Also, the roles are an enumeration :) This is pretty funky, if you ask me :) Nice and simple.
Thoughts (compared to a full on blown RoleProvider class?)
You'll need to write your own RoleProvider and hook it up in the web.config file. Your RoleProvider will take the user's name and figure out their role(s). IPrincipal.IsInRole uses the configured RoleProvider to determine role membership.
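An added example (not the answerer's or the poster's code) of such a RoleProvider, plus the web.config registration. The user store is a constructed in-memory dictionary standing in for the poster's GetUsers().ByOpenIdIdentifier(...) lookup, and UserRole is an assumed enumeration like the one the poster mentions.

```csharp
// Added example, not the poster's code. Read-only RoleProvider; the store below is
// constructed sample data in place of the poster's GetUsers().ByOpenIdIdentifier(...).
// Register it in web.config under <system.web>:
//   <roleManager enabled="true" defaultProvider="OpenIdRoleProvider">
//     <providers><clear/><add name="OpenIdRoleProvider" type="MyApp.OpenIdRoleProvider"/></providers>
//   </roleManager>
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

namespace MyApp
{
    public enum UserRole { Client, Administrator }

    public class OpenIdRoleProvider : RoleProvider
    {
        // Constructed sample data: OpenId identifier -> roles.
        private static readonly Dictionary<string, UserRole[]> Store =
            new Dictionary<string, UserRole[]>(StringComparer.Ordinal)
            {
                { "https://example.org/openid/alice", new[] { UserRole.Client, UserRole.Administrator } },
                { "https://example.org/openid/bob",   new[] { UserRole.Client } },
            };

        // Called by User.IsInRole and [Authorize(Roles = "...")]. userName is whatever was
        // passed to FormsAuthentication.SetAuthCookie, so put the OpenId identifier there
        // rather than DisplayName, which need not be unique.
        public override string[] GetRolesForUser(string userName)
        {
            UserRole[] roles;
            return Store.TryGetValue(userName, out roles)
                ? roles.Select(r => r.ToString()).ToArray()
                : new string[0];                     // unknown user: no roles, not an exception
        }

        public override bool IsUserInRole(string userName, string roleName)
        {
            return GetRolesForUser(userName).Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        public override string[] GetAllRoles() { return Enum.GetNames(typeof(UserRole)); }
        public override bool RoleExists(string roleName) { return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase); }
        public override string ApplicationName { get; set; }

        // Role assignment lives in the user store, so the write operations are not supported here.
        public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
        public override void CreateRole(string roleName) { throw new NotSupportedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
        public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    }
}
```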
Have a look at this article
It shows a simple way to integrate OpenId with membership roles and profile. Hope it can help.