I am new to ASP.NET and have been asked to do the following. I have tried looking at a large number of Stack overflow articles in this topic but wasn't quite able to find a specific answer to my situation.
The scenario is the following: the web application is internal to the company. Within the application, there are many pages that should have varying levels of access based on AD groups. So for example, for one page, if a user is in any of the AD groups A, B, C or D, they will have access. Another page may provide access to a user who belongs to any of AD groups E, F, or G.
Not sure if I read the other Stack Overflow articles incorrectly, but it seemed like they answered the question of providing access to a user who is part of a particular group (single group). For a given web page, I want to provide access to the user if they are part of any of the groups that I specify as permitted to visit that page.
Furthermore, is there an easy way to store the AD group names that I want to have access to each page in a file, and authorize against this file without writing much code? This way if I need to change the groups allowed to visit a particular page, I can just change the list of group names in the file.
If you want users to be automatically logged in, then hosting in IIS is by far the easiest way. Instructions on setting that up are here: Configure Windows Authentication in ASP.NET Core
Locking down certain parts of the site by AD group is pretty easy too. You simply use AuthorizeAttribute above either a whole controller, or just an action, and specify the Roles:
[Authorize(Roles = "DOMAIN\\GroupName")]
If you want the group name to be configurable, then you can create a policy for each group that reads the group name from your appsettings.json (or anywhere else, really) and you set the Policy property of the AuthorizeAttribute instead of Roles.
Details on how to set that up are in this answer: https://stackoverflow.com/a/48148149/1202807
these days I’m facing a fundamental problem – let’s call it an architectural design decision.
So my team and I build typical line of business (lob)-web-applications for my company. For my purpose, lob means especially this:
A lot of user-interaction (entering data, CRUD entities, display data, aggregating data, statistics and reports, validation and so on)
Very restrictive (users have to login, users have different permission-levels, they can make different kinds of changes on different entities, display various reports and so on)
For an example, let’s take an ordinary approval-workflow: I need a new laptop, so I go to the “ressources-webApp” and create a new purchase requisition. My boss gets a notification and has to approve my request. In the next step, the proper department has to buy the laptop and finish my requisition.
I know this is a simple “hello world”-example and in real life you would use an existing software for this purpose (SAP or something like that), but it describes my use-case pretty well: data-driven and very restrictive (I can see all requisitions of my department but only change or delete my ones, I should not see the page for the approval or call the approval-api, my boss should only see the requests of his employees but not for the empolyees of another department, neither my boss nor I should see the page or be able to finish a requisition and so on).
Currently we are using ASP.NET MVC and WebAPI in combination with angularjs 1. For each “action” (page or view) exists a mvc-controller which listens to a specific route and returns the appropriate view. Each view references a specific angular-controller. Also each view may consist of different “partial views” (components or controls). To handle data the angular-controller calls webAPI-controllers which also listen to specific routes and handle the request (GET/POST/PUT/DELETE). Each controller (mvc and webAPI) checks the authorization-token of each http-request which comes in a cookie, if the user is allowed to open the page or call the action.
Now I’m wondering how to do this in a SPA-application with angular 2. Angular 2 sounds pretty interesting for me and has some nice benefits over angular 1, so I want to try angular 2. It seems that with angular 2 you only can build a SPA-application (compared to the “classical” MPA-application I mentioned above, where every page comes from the server and contains a angular-controller).
Generally I’m not disinclined to SPA, but I’m not sure how to handle the security-questions mentioned above.
In addition there are other common problems with SPA: not working back-buttons from the browser, no way to enter a specific url directly to the browser, no bookmarking etc.
So, do you have any advice, tip or best practice for me? Do you think that SPA is a good “pattern” for lob-web-applications? And if yes, how would you handle the security-problems as well as the other common SPA-problems?
Best regards,
Alex
I'm fairly new to Google Analytics and im building a membership base site. GA seems to be very good at describing visits and user behavior, but I want to customize it so that it also tracks track the number of user registrations and the number of users that upgraded their membership. I simply want to build a counter for those two fields and I was wondering what is the best approach?
My best guess is event tracking. Every time the user registers or upgrades their membership, i'll paste in the necessary js to register that as an event. I have never done this before so I'm not sure what's the best approach. Thank you
You need to make some custom tags :) This should get you started:
https://developers.google.com/analytics/devguides/collection/gajs/gaTrackingCustomVariables
This should also help:
https://developers.google.com/analytics/devguides/collection/gajs/#EventHandlers
Case 1: If all that you need to do is maintain counter, event would be a good approach, you can refer the link mentioned by #Ryan Brodie. Also, storing the counter in the table can be an option :P.
Case 2: If you want to maintain the counter + study the visitor behavior of various categories of users you can opt for Custom Variables.Now say your website offers users the ability to login, you can use a custom variable scoped to the session level for user login status. In that way, you can segment visits by those from logged in members versus anonymous visitors. For more details visit
this link
I've been reading about asp web administration tool. I read about creating roles and stuff and forcing a controller to use authentication in order to be viewed. My question is, say create on the administration tool a user called Peter and I assign him the Administrator role. Then I want to create another role called LimitedAdministrator. But I want Peter to create new users on his View (I'm using MVC). Can anyone point me in the direction of how to do this.
I want peter to see on his page, like "Create user" and this user will be created as a LimitedAdministrator.
Thanks!
I would probably handle this by limiting the available roles that display on the page for Peter to choose from. You'd also need to validate that the role passed in the request is a valid role for Peter to create as well. Say you're using a dropdown to allow Peter to choose roles for new users. Then simply populate the dropdown with only those roles which Peter has access to assign using whatever logic is used to make that decision. If Peter can only allocate LimitedAdministrators, then you don't need to present him with a choice, just apply that role server side based on your logic for Peter.
If you do it this way, you won't need to have separate pages/views for each type of administrative user. You can reuse the view because you're changing the data in the model. The view displays the proper data according to the model corresponding with the user's capabilities.
Important: This question isn't actually really an ASP.NET question. Anyone who knows anything about URLS can answer it. I just happen to be using ASP.NET routing so included that detail.
In a nutshell my question is :
"What URL format should I design that i can give to external parties to get to a specific place on my site that will be future proof. [I'm new to creating these 'REST' URLs]."
I need an ASP.NET routing URL that will be given to a third party for tracking marketing campaigns. It is essentially a 'gateway' URL that redirects the user to a specific page on our site which may be the homepage, a special contest or a particular product.
In addition to trying to capture the referrer I will need to receive a partnerId, a campaign number and possibly other parameters. I want to provide a route to do this BUT I want to get it right first time because obviously I cant easily change it once its being used externally.
How does something like this look?
routes.MapRoute(
"3rd-party-campaign-route",
"campaign/{destination}/{partnerid}/{campaignid}/{custom}",
new
{
controller = "Campaign",
action = "Redirect",
custom = (string)null // optional so we need to set it null
}
);
campaign : possibly don't want the word 'campaign' in the actual link -- since users will see it in the URL bar. i might change this to just something cryptic like 'c'.
destination : dictates which page on our site the link will take the user to. For instance PR to direct the user to products page.
partnerid : the ID for the company that we've assigned - such as SO for Stack overflow.
campaignid : campaign id such as 123 - unique to each partner. I have realized that I think I'd prefer for the 3rd party company to be able to manage the campaign ids themselves rather than us providing a website to 'create a campaign'. I'm not
completely sure about this yet though.
custom : custom data (optional). i can add further custom data parameters without breaking existing URLS
Note: the reason i have 'destination' is because the campaign ID is decided upon by the client so they need to also tell us where the destination of that campaign is. Alternatively they could 'register' a campaign with us. This may be a better solution to avoid people putting in random campaign IDs but I'm not overly concerned about that and i think this system gives more flexibility.
In addition we want to know perhaps which image they used to link to us (so we can track which banner works the best). I THINK this is a candiate for a new campaignid as opposed to a custom data field but i'm not sure.
Currently I am using a very primitive URL such as http://example.com?cid=123. In this case the campaign ID needs to be issued to the third party and it just isn't a very flexible system. I want to move immediately to a new system for new clients.
Any thoughts on future proofing this system? What may I have missed? I know i can always add new formats but I want to use this format as much as possible if that is a good idea.
This URL:
"campaign/{destination}/{partnerid}/{campaignid}/{custom}",
...doesn't look like a resource to me, it looks like a remote method call. There is a lot of business logic here which is likely to change in the future. Also, it's complicated. My gut instinct when designing URLs is that simpler is generally better. This goes double when you are handing the URL to an external partner.
Uniform Resource Locators are supposed to specify, well, resources. The destination is certainly a resource (but more on this in a moment), and I think you could consider the campaign a resource. The partner is not a resource you serve. Custom is certainly not a resource, as it's entirely undefined.
I hear what you're saying about not wanting to have to tell the partners to "create a campaign," but consider that you're likely to eventually have to go down this road anyway. As soon as the campaign has any properties other than the partner identifier, you pretty much have to do this.
So my first to conclusions are that you should probably get rid of the partner ID, and derive it from the campaign. Get rid of custom, too, and use query string parameters instead, should it be necessary. It is appropriate to use query string parameters to specify how to return a resource (as opposed to the identity of the resource).
Removing those yields:
"campaign/{destination}/{campaignid}",
OK, that's simpler, but it still doesn't look right. What's destination doing in between campaign and campaign ID? One approach would be to rearrange things:
"campaign/{campaignid}/{destination}",
Another would be to use Astoria-style indexing:
"campaign({campaignid})/{destination}",
For some reason, this looks odd to a lot of people, but it's entirely legal. Feel free to use other legal characters to separate campaign from the ID; the point here is that a / is not the only choice, and may not be the appropriate choice.
However...
One question we haven't covered yet is what should happen if/when the user submits a valid destination, but an invalid campaign or partner ID. If the correct response is that the user should see an error, then all of the above is still valid. If, on the other hand, the correct response is that the user should be silently taken to the destination page anyway, then the campaign ID is really a query string parameter, not a part of the resource. Perhaps some partners wouldn't like being given a URL with a question mark in it, but from a purely REST point of view, I think that's the right approach, if the campaign ID's validity does not determine where the user ends up. In this case, the URL would be:
"campaign/{destination}",
...and you would add a query string parameter with the campaign ID.
I realize that I haven't given you a definite answer to your question. The trouble is that most of this rests on business considerations which you are probably aware of, but I'm certainly not. So I'm more trying to cover the philosophy of a REST-ful URL, rather than attempting to explain your business to you. :)
I think the URL rewriting is getting out of hand a little bit lately. Not everything belongs to the URL. After all, a URL is supposed to describe a resource that can be searched for, discovered or manipulated and it seems to me that at least the partner ID and the custom fields from above are not part of the resource.
Not to mention that that at some point you would like to actually keep the partner ID constant across multiple campaigns and that means that it is now orthogonal to the particular places they need to visit. If you keep these as parameters, you will allow your partners to access uniformly multiple resources on your website, while still reliably identifying themselves, so you can track their participation in any of your campaigns.
It looks like you've covered all of your bases. The only suggestion I have is to change
{custom}
to
{*custom}
That way, if you ever need to accept further parameters, you don't have to take the chance that old URLs will get a 404. For example:
If you have a URL that looks like:
campaign/PR/SO/123
and you decide in the future that you would like to accept a fourth and fifth parameter:
campaign/PR/SO/123/blah/foo
then the first URL will still be valid, because you're using a wildcard character in {*custom}. "blah/foo" would be passed as a string to your action. To get those extra two parameters, you would simply split the custom argument in your action by '/'. Add some friendly error handling if they don't exist and you've successfully changed the amount of information you can receive with a campaign URL without completely breaking URLs already in the wild.
Why not use URL encoded variables instead of routes? They're a lot more flexible - you can add any new features in the future while still maintaining 100% backwards compatibility. Admittedly, it's a little more trouble to type manually, but if there's all those parameters anyway, it's already no picnic.
http://mysite.com/page?campaign=1&dest=products&pid=15&cid=25
To me, this is much more indicative of what is really going on. Using paths implies a that a resource exists at that location. But really you're just providing a web service with various parameters, and this model captures that much more clearly. And in the future, you can add more parameters effortlessly. You can also default parameters if they are missing without messing anything up.
Not sure of the code in ASP, but it should be trivial to implement.
I think I'd look at doing it the way that SO does it's questions.
"campaign/{campaign-id}/friendly-name-of-campaign"
Create a mapping in your database when the campaign is created that associates all the data you need with an automatically generated id. The friendly name could be assigned basically the same way as a question is on SO -- by the user -- but you could also have an approval process that makes sure that it meets your requirements and is distinct from any existing campaign names. Your tracking company can track by the id and you can correlate that with your associated data with a simple look up.
What you have looks good for your needs. The other posts here have good points. But may not be suitable for you. One thing that you could consider with future proofing your links is to put a version number somewhere in there.
"campaign/{version}/{destination}/{partnerid}/{campaignid}/{custom}"
This way if you decide to completely change your format you can up the version to 2.0 (or whatever) and still keep track of the old links coming in.
I would do
/c/{destination}/{partnerid}/{campaignid}/?customvar=s
You should think about the hierarchy of the first parameters, you already got that managed quite well. Only if there's a hierarchy path segments should be used.
From your description, destination seems to be the broadest parameter, partnerid only works with destination, and campaingid is specific to a partner.
When you really need to add custom parameters I would go for query variables (they are not forbidden in REST), because these are not part of the hierarchy.
You also shouldn't try to be too RESTful here. After all, it's for a campaign and for redirecting to a final resource. So the URL you want to design here is not really a specific resource in the terms of REST.
Create an URL called http://mysite.com/gateway
Return an HTML form, tell your partners to fill in the form and POST it. Redirect based on the form values.
You could easily provide your partners with the javascript to do the GET and POST. Should be trivial.
The most important thing i have learned about REST URL´s thats usually burried deep in some book or article:
The URL should point to a resource and the following ?querystring should have all the scoping information needed. DONT mix those two or you will have a design thats very hard to work with.
Other then that i fully agree with Craig Stuntz