Migrate Symfony from FOSUserBundle to Security - symfony

I have an old project written in Symfony 3.4 where I used FOSUserBundle for authenticating users.
Recently I started to upgrade the project to Symfony 6 - quite a long journey where I actually created a new project and copied most of the code from the old project.
Now the last challenge is to let existing users authenticate using their current credentials.
Does anyone have an advice on how to tackle this?
How can I use the new Symfony authenticate method (with MakerBundle and Security) but for the passwords and hashing algorithm that FOSUserBundle used?

Related

Migrating from OWIN .NET Framework to OpenIddict .NET Core

I have an existing .NET Framework Web API currently in production which is in the process of being upgraded to .NET 6.
The application uses the built-in .NET Framework OWIN solution for generating tokens and handles the authorisation for the client_credential flow.
We have a couple of custom MySql tables that hold the ClientId, ClientSecret info and another for granted token requests, e.g. storing the OWIN ticket, scope details etc.
One limitation we have is that we are using EF Core 3.1.x which we cannot upgrade.
I want to build a solution so that:
existing active OWIN tokens in the database can still be used for
authorisation into the new .NET Core API using OpenIddict, once it goes live. (so
that the end users are not impacted)
I also want to be able to generate new tokens using OpenIddict and
store those tokens in the same existing MySql tables.
I don't know if this is possible and if so how to tackle it.
Has anyone here achieved a similar migration?

Configure database for MVC authentication

I've been Googling terms like
configure database for mvc authentication
But I can't find anything from this decade that relates to my configuration.
I've created an MVC application using .NET Framework 4.6 with authentication support (database first). Now where do I find step-by-step instructions for creating the database tables and configuring MVC to use them?
Thanks for any tips!
The correct thing to google for is 'ASP.NET Identity'.
If you generate an MVC app straight from one of the templates it will generate a number of classes to handle security and identity.
One of these classes will implement interface IUserStore. The class provided will inherit from Microsoft.AspNet.Identity.EntityFramework.UserStore<TUser>, and uses Entity Framework to check the database if the tables exist, and create them if they are not there.
If you are uneasy about giving your application enough privileges to modify your data schema (ew!), you can create your own class that implements IUserStore and plug that into the system.
It's a big topic, but hopefully this is enough to get started with.

Adding User Authentication to MVC

I was assigned my first ever MVC 5 projet, it is a simple Lending System with lots of CRUD operations which is almost done except that I have not implemented user authentication to the app yet.
My project has 4 layers:
1. App.Web - mvc web app
2. App.DataAccess - crud repositories
3. App.Common- my edmx/entities and interfaces
4. App.Business - services / logical operations
Now I just need to add user authentication to complete my project. Just a simple individual user account but I need to implement user roles. I do NOT need any other api login feature (facebook, google etc). But I am too lazy to code this and wanted to use asp.net identity instead. So when I created my MVC 5 App.Web, I checked individual user authentication so everything I need is now referenced in my App.Web but I dont know how to make it work with my application layer.
Is there a way I can use asp.net identity in my web application? How can I do this to fit in my application architecture nicely? Please help!
to understand the structure and customization of ASP.NET Identity you can create empty project on visual studio and download this package from NuGet.
Install-Package Microsoft.AspNet.Identity.Samples -Pre
If your project is not too big I mean if have just some simple User roles and Login/Log out system ,so I recommend you to use ASP.NET membership system.it is very easy to manage user's and roles.Please take a look into the following article:
Introduction to Membership

Microsoft Asp.Net Identity 2.0 - Entity Framework vs. Custom Provider

I am writing a new web site and am looking at Asp.Net Identity 2.0. Out of the box, it uses Entity Framework for all of its data access. For the rest of the site, we were creating middleware web services for data access. Our original plan for security sake was that the web servers would talk to middleware and middleware would talk to the database via Entity Framework. We had planned on blocking via firewall database access from the web server.
I see that I can create a custom provider for Identity 2.0 and it in turn could use middleware for it's data access.
Here are my questions:
Is it more secure to not allow the web servers to have direct database access?
If it is more secure, why would Microsoft not build it that way out of the box
If you were starting from scratch like we are, would you recommend using entity framework or writing a custom provider that goes through our middleware layer?
Thanks.
1.) It can be secure. I don't see it as a security issue but coupling issue. What if you want to upgrade or change from Entity Framework in the future? What if you want to change from Identity 2.0? What if you want to upgrade one but you can't because the other doesn't support it yet.
2.) Microsoft wanted to promote it products first and foremost. For simplicity sake if your ok with Entity Framework and Identity 2.0 and don't mind how coupled they are it could be perfectly fine solution.
3.) How much time/effort can you afford to spend on the custom provider? It might not be worth the effort to create your own provider.
Asp.NET Identity out-of-the-box is actually Asp.Net Identity on Entity Framework. It generates a database, connection string, the model files, the controllers and a context class for you, which you can redirect to your own database for it to generate the Identity tables within. Everything is very secure, and they've taken care of a lot of the authentication/password hashing for you. I wouldn't say it is worth it to create your own provider, but you can also create your own provider within Identity if you want. Identity 2.0 is great. Very easy to add custom table properties, etc.

Using sfGuard and FOSUserBundle in paraller

Our client uses multiple applications that are developed with Symfony. Older use Symfony 1.3.x and newer Symfony 2.x. User management and security is based on sfGuard using Propel. The client has created own bundle for handling security with sfGuard based ORM-objects in Symfony 2. Now client wants to upgrade user management component. Current user management is made with automatic CRUD-app-generation for Symfony 1.x.
Upgrading user management to Symfony 2 Using FOSUserBundle seems to be reasonable solution, but is it possible to use existing Symfony 1.x apps with sfGuard-plugin handling user management with FOSUserBundle?
I'm quite new to Symfony, so I would appreciate clear guidelines to resolve the issue one way or another.
FOSUSerBundle use another kind of password storage.
I'm sure than with FOSUserBundle is not be able to check passwords created with sfGuard.
Maybe you can use https://github.com/FriendsOfSymfony/FOSAdvancedEncoderBundle for change the password encoder for FOSUserBundle.

Resources