This might be a stupid question to ask, but I am kind of confused here. I am working on an ASP.NET Web Forms application and I need to implement role-based access for users.
This application is working with Active Directory, so there are no login forms and no forms-based authentication, and I can't use User.Identity to check the roles. I am getting roles from a stored procedure, like 1 for admin and 2 for user, and I want to know if there is a way to implement it generically, like setting some attributes on the controls to show and hide them, instead of going and implementing if conditions in every form.
I am not sure if I presented my point clearly here or not but please let me know if you get the idea of what I am trying to say. Thank you.
Related
If I use Windows authentication inside an ASP.NET MVC web project, I will not get any membership database, unlike forms-based authentication. But I can still use Roles. So I have the following questions:
So where are these roles managed, and how will I be assigning users to roles when using Windows authentication?
Are these roles managed and created only inside Active Directory? And if I want to add a user to a specific role, will I be doing this inside Active Directory?
So can anyone advise?
Edit
Now if I understand your point well, let's say that I want to restrict calling an action method to only our company administrators, where currently inside Active Directory we have a group of users named "OurCompanyAdminsitrators".
So let's say I create a new ASP.NET MVC 5 web project, and I specify to use Windows authentication, then inside my action method I wrote the following:
[Authorize(Roles = "OurCompanyAdminsitrators")]
Will ASP.NET MVC 5 recognize the OurCompanyAdminsitrators user group? Or do I need to do extra work for my ASP.NET MVC web project to be able to read and check against the Active Directory groups?
I think there are many ways to approach this, 2 I can think of off the top of my head:
Use Active Directory to manage your roles and add users to the Active Directory groups as required. You can then access them through the user's Identity, which you can get from the HTTP context.
Create a separate service/component to manage the security for you where you map user credentials to roles that you define yourself completely away from AD. Obviously there is more of a time investment here and you will need to duplicate some information.
We can use SimpleMembership provider. "SimpleMembership: The future of membership for ASP.NET".
http://weblogs.asp.net/jongalloway//simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates
http://www.codeproject.com/Articles/689801/Understanding-and-Using-Simple-Membership-Provider
http://www.mono-software.com/blog/post/Mono/226/Adding-ASP-NET-SimpleMembership-to-an-existing-MVC-4-application/
Edit:
We can use SqlRoleProvider.
http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.aspx
http://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server
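An added example, not part of the original posts: a read-only role provider for the case discussed above, where Windows authentication identifies the user and the roles come from a stored procedure (1 = admin, 2 = user). The procedure name dbo.GetUserRoleIds, its @UserName parameter, the AppDb connection string and the role names "Admin" and "User" are assumptions; once the provider is registered under roleManager in web.config, User.IsInRole and [Authorize(Roles = ...)] are answered from it.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Read-only provider: role ids come from a stored procedure, keyed by the Windows account name.
// Register it in web.config under <roleManager enabled="true" defaultProvider="..."> (not shown).
public class StoredProcRoleProvider : RoleProvider
{
    // Id-to-name mapping from the question (1 = admin, 2 = user); the role names are assumed.
    private static readonly Dictionary<int, string> RoleNames =
        new Dictionary<int, string> { { 1, "Admin" }, { 2, "User" } };

    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username) // "DOMAIN\user" under Windows auth
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; // hypothetical name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("dbo.GetUserRoleIds", conn)) // hypothetical procedure
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                {
                    string name; // an id that is not in the map grants no role (fail closed)
                    if (RoleNames.TryGetValue(reader.GetInt32(0), out name)) roles.Add(name);
                }
        }
        return roles.ToArray();
    }

    public override bool IsUserInRole(string username, string roleName) { return Array.IndexOf(GetRolesForUser(username), roleName) >= 0; }
    public override string[] GetAllRoles() { return new List<string>(RoleNames.Values).ToArray(); }
    public override bool RoleExists(string roleName) { return RoleNames.ContainsValue(roleName); }

    // Role assignment stays in the database; this provider never writes.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
}
```

Setting a control's Visible property from User.IsInRole("Admin") only changes what is rendered; the server-side handler that performs the update should make the same role check.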
For my new website, I am using a custom login.aspx (simply two text boxes username and password with a button). Actually I don't know about authentication modes in ASP.NET. Do I need to specify any mode in my web.config?
What are the security issues related to this?
Any links to articles related to this will be appreciated.
Have a look at ASP.NET Identity. This is the way to handle authentication/authorization in ASP.NET these days.
Start reading the introduction on the asp.net site and a lot of things will become clear.
Just a login.aspx page will bring you nothing, since there's a lot more involved than just username/password checking. You need to store usernames/passwords, encrypt things, handle cookies (persistent or not), handle authorization, maybe some registration or roles, etc.
All these things can be done with ASP.NET Identity. If it's a new website, in VS2013, Individual User Accounts authentication is on by default when creating a new ASP.NET web project. There's a lot of boilerplate code in the project template to get you up and running...
http://asp.net/identity
Anyway, thanks for your suggestion. I am using 'Scrypt' based hashing. Form authentication seems easy but it's difficult for me to manage cookies, user tables, etc. I use the User table for many other purposes also.
This method gives me good control over everything even if it's difficult to get coded.
In my ASP.NET 3.5 application, on the ASPX pages I have to implement a role-based data update policy.
If a user has the least privilege, he can still update some fields but not all, whereas a user with maximum privilege can update all fields on the page.
I was trying to implement this using a generic approach, but I am not sure if .NET has something built in to implement this.
What is the right approach here?
Yes, you will want to utilize ASP.NET Membership. Once you have that in place, you can check roles on a user, like so:
if (Roles.IsUserInRole("User1", "Role1"))
{
    // allow whatever you need to
}
If you are using the ASP.NET membership provider, you can limit the content on the page based on the roles the user is in.
I'm currently developing a website using Visual Studio 2010. As you all might know, creating a new website here automatically adds an Account folder which contains web pages like Login.aspx, etc. I am implementing this Login.aspx which contains the ASP.NET Login control. It's now functioning the way it should but I have a few concerns.
Before, I used to create my own UI for the log-in, so managing sessions was not a problem for me. But since I'm currently using the Login.aspx which has a CS file almost empty, I don't have an idea where I can start implementing my session. That is to say, I don't know how to check programmatically if the user has been successfully logged in so I can start implementing my session.
I would very much appreciate any pointer regarding this matter.
Thanks in advance. :)
You could subscribe for the Authenticate event and perform some custom authentication logic. Also you may take a look at the following article.
There are events associated with the ASP.NET Login control that you can use to create a session, like OnLoggingIn. Moreover, you can find more about user validation here: Validating User Credentials Against the Membership
I need to secure my website without using the ASP.NET built in login controls or the Forms Authentication.
It needs to support "normal" users and admin users.
Any suggestion? Thanks
Well, it's impossible to build anything in ASP.NET without a tag = )
I can't tell exactly what you are asking, so I will try to go over the whole groundwork.
ASP.NET Provides Different Authentication Models
You can use ASP.NET's built in authentication with Membership and Roles
You can write your own ASP.NET membership model
You can use another ASP.NET authentication model, such as Shibboleth, Windows/IIS, and others, see JD's post.
You can skip all of these and use your own "authentication", perhaps it is stored as a simple Session variable
ASP.NET Provides Different Controls
There is a handy Login control that integrates with ASP.NET's built-in membership, making things very easy.
If you don't want to use that, you can simply use ASP TextBoxes, Buttons, etc, and basically create your own login form.
In addition to JD's and rlb.usa's posts, you can also use OpenID or Windows Live ID authentication perhaps. Both of these have membership providers for ASP.NET. Check out CodePlex for those; however, if you want a truly customizable solution, perhaps it's best for you, as rlb.usa pointed out, to use a simple session variable solution.
Perhaps you want to use Windows Authentication (rather than Forms Authentication) with ASP.NET? You should choose Windows authentication if your user accounts are maintained by a domain controller or within Active Directory and there are no firewall issues. I think this is what you are after. Here's a decent write up.
Umm, a quick response is for you to check out the authentication features provided by IIS. These include Kerberos, NTLM, Basic Auth, just to name a few.