I would like to confirm that the claims in the bearer token are up to date on each API call, so that I can be sure that the given user still has access to the given method.
For example, for a method decorated with [Authorize(Roles = "admin")] I want to make sure that the user is an admin when the call is executed, not whether the user was an admin when the token was issued.
After some looking around I am planning to write a public class VerifyTokenAttribute : System.Web.Http.AuthorizeAttribute, apply it globally, and inside OnAuthorization check if the action is decorated with Authorize and, if so, get the user info from the database and confirm that the roles match.
Is there a better way?
I planned on doing basically the same thing. In my case, there exists the definition of "system features" where a Role in the system can perform a number of system features. The features a role can perform can vary, and the administrator can change them any time.
So basically, on each request I should grab all the roles a user has, and for each one all the system features it can execute. I thought about something like creating an attribute that would look like this: [CustomAuthorize("Feature_Name")] and applying it to the controller (or action) level. Then, I would need to check if "Feature_Name" is a feature the current user can perform based on their roles.
Of course, that would require access to the database each time.
A possible enhancement would be to cache this information in a cache server, and the cache would be invalidated each time the admin changes the users' privileges. Something like that.
So, as Mayu said: Is there a better way?
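The approach sketched in the two posts above (a globally registered AuthorizeAttribute that re-checks the caller's roles against the database on every call, with a cache that an administrator's change can invalidate), written out as an added example. This is not code from either poster; it targets ASP.NET Web API 2 (System.Web.Http). The IUserRoleStore interface, the static Store property, the Invalidate method and the 30-second TTL are assumptions for the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical lookup; back it with your users/roles tables.
public interface IUserRoleStore
{
    IEnumerable<string> GetRoles(string userName);
}

// Registered globally (config.Filters.Add(new VerifyTokenAttribute());) so it runs
// for every action. It reads the Roles="..." requirement from the [Authorize]
// attributes already present on the action or controller and checks those roles
// against the store now, instead of trusting the role claims baked into the token.
public class VerifyTokenAttribute : AuthorizeAttribute
{
    private sealed class Entry
    {
        public DateTime Expires;
        public HashSet<string> Roles;
    }

    // Short-lived per-user cache so a busy API does not query the DB on every call.
    private static readonly ConcurrentDictionary<string, Entry> Cache =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private static readonly TimeSpan Ttl = TimeSpan.FromSeconds(30);   // assumed value

    // Assigned at application startup (hypothetical wiring).
    public static IUserRoleStore Store { get; set; }

    // Call this from the admin code path that changes a user's roles, so the change
    // takes effect on the user's next request rather than after the TTL expires.
    public static void Invalidate(string userName)
    {
        Entry ignored;
        Cache.TryRemove(userName, out ignored);
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var identity = actionContext.RequestContext.Principal?.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        // Roles declared on the action and on its controller via [Authorize(Roles = "...")].
        var required = actionContext.ActionDescriptor.GetCustomAttributes<AuthorizeAttribute>()
            .Concat(actionContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes<AuthorizeAttribute>())
            .Where(a => !(a is VerifyTokenAttribute) && !string.IsNullOrWhiteSpace(a.Roles))
            .SelectMany(a => a.Roles.Split(','))
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToList();

        // No role requirement on this action: being authenticated is enough here.
        if (required.Count == 0)
            return true;

        var current = CurrentRoles(identity.Name);
        return required.Any(current.Contains);
    }

    private static HashSet<string> CurrentRoles(string userName)
    {
        Entry entry;
        if (Cache.TryGetValue(userName, out entry) && entry.Expires > DateTime.UtcNow)
            return entry.Roles;

        // Cache miss or expired: ask the store for the roles the user has right now.
        var fresh = new Entry
        {
            Expires = DateTime.UtcNow.Add(Ttl),
            Roles = new HashSet<string>(Store.GetRoles(userName), StringComparer.OrdinalIgnoreCase)
        };
        Cache[userName] = fresh;
        return fresh.Roles;
    }

    // An authenticated caller that lacks the role gets 403 rather than the base class's 401.
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var identity = actionContext.RequestContext.Principal?.Identity;
        var status = identity != null && identity.IsAuthenticated
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;
        actionContext.Response = actionContext.Request.CreateResponse(status);
    }
}
```

Because the filter is global, actions marked [AllowAnonymous] are still skipped by the base class, and the action's own [Authorize(Roles = "admin")] keeps running too, so a request must carry the role in the token and still hold it in the store. Replacing the TTL cache with a shared cache server, as the second post suggests, only changes the two Cache calls.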
I would like to have a custom authorization filter like [Verified] to check if the user has confirmed their email, which is a property of my User class (IsEmailConfirmed).
I've read the docs about authorization in .NET Core but not sure what the correct approach should be.
Additionally I would like to have another filter to check if an authenticated user is the owner of the resource he's trying to update/delete. All of my entities have a CreatedBy property so I would have to check that against the logged in user.
What authorization types (roles, claims, policy, etc.) are the most suitable for each scenario?
Claims are usually used when there is a third party providing the claim values. In your case, this won't be applicable.
You can use both Roles and Policy; however, Roles are the easiest to implement for the first scenario. You can create a Role such as VerifiedUser and assign it to a User whenever the email is verified. If this is the only requirement, Roles are the best approach.
For the second scenario, Policy is the best way to implement it, as it would require a DB call to fetch the resource and identify whether the Resource is accessible by the User or not. Since you will be implementing a Policy anyway, you can implement the Email Verification in the policy model itself, eliminating the Roles approach.
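The policy-based design the answer recommends, as an added example in ASP.NET Core (not code from the question or the answer): one requirement that reads the current IsEmailConfirmed value from the user store, and one resource-based requirement that compares the entity's CreatedBy with the caller. AppUser, IOwnedResource, IUserRepository, IItemRepository and the policy names "Verified" and "Owner" are assumptions for the example.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical application types; the question only names the two properties.
public class AppUser { public string Id { get; set; } public bool IsEmailConfirmed { get; set; } }
public interface IOwnedResource { string CreatedBy { get; } }
public interface IUserRepository { Task<AppUser> FindByIdAsync(string id); }
public interface IItemRepository
{
    Task<IOwnedResource> FindAsync(string id);
    Task DeleteAsync(IOwnedResource item);
}

// Scenario 1: [Verified] as a policy. The handler reads the live IsEmailConfirmed
// flag, so a user confirmed after login is accepted without re-issuing anything.
public class EmailConfirmedRequirement : IAuthorizationRequirement { }

public class EmailConfirmedHandler : AuthorizationHandler<EmailConfirmedRequirement>
{
    private readonly IUserRepository _users;
    public EmailConfirmedHandler(IUserRepository users) { _users = users; }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, EmailConfirmedRequirement requirement)
    {
        var id = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (id == null) return;                 // anonymous: requirement stays unmet
        var user = await _users.FindByIdAsync(id);
        if (user != null && user.IsEmailConfirmed)
            context.Succeed(requirement);
    }
}

// Scenario 2: a resource-based requirement. The action loads the entity first and
// hands it to the handler, which checks CreatedBy against the caller's id.
public class ResourceOwnerRequirement : IAuthorizationRequirement { }

public class ResourceOwnerHandler : AuthorizationHandler<ResourceOwnerRequirement, IOwnedResource>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ResourceOwnerRequirement requirement, IOwnedResource resource)
    {
        var id = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (id != null && id == resource.CreatedBy)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    // Called from Startup.ConfigureServices.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Verified", p => p.RequireAuthenticatedUser()
                                                .AddRequirements(new EmailConfirmedRequirement()));
            options.AddPolicy("Owner", p => p.RequireAuthenticatedUser()
                                             .AddRequirements(new ResourceOwnerRequirement()));
        });
        services.AddScoped<IAuthorizationHandler, EmailConfirmedHandler>();
        services.AddSingleton<IAuthorizationHandler, ResourceOwnerHandler>();
    }
}

// The class-level policy replaces [Verified]; the owner check needs the loaded
// entity, so it runs inside the action through IAuthorizationService.
[Route("api/[controller]")]
[Authorize(Policy = "Verified")]
public class ItemsController : ControllerBase
{
    private readonly IAuthorizationService _authorization;
    private readonly IItemRepository _items;

    public ItemsController(IAuthorizationService authorization, IItemRepository items)
    {
        _authorization = authorization;
        _items = items;
    }

    [HttpDelete("{id}")]
    public async Task<IActionResult> Delete(string id)
    {
        var item = await _items.FindAsync(id);
        if (item == null) return NotFound();

        var result = await _authorization.AuthorizeAsync(User, item, "Owner");
        if (!result.Succeeded) return Forbid();     // authenticated but not the creator

        await _items.DeleteAsync(item);
        return NoContent();
    }
}
```

Both handlers fail closed: a requirement is only met when context.Succeed is called, so a missing name identifier or a null user simply leaves the policy unsatisfied.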
I would like to implement claims based authorization in a Web Api project. I understand the idea of claims and can manually add a claim to a user and authorize a request based on it. However, I don't know how I should manage the claims, assign them to users and update them in future.
For example, say I have a Product entity and ProductCreate, ProductRead, ProductUpdate and ProductDelete claims for the CRUD operations on this entity. So I have a few questions:
I can store the claims in the DB, but what is the best way to add the "default" claims to a user on registration?
If I add new functionality to list the products which is only authorized if the user has the ProductList claim - new users would get this claim, but how would I add this claim to all existing users in the system?
Should there be a limit on the number of claims associated with a user? In a larger system with many entities, a user could end up with hundreds of claims.
As I said, I know how to physically add the claims to the user etc., but it's more the bigger picture of the process of how you would manage claims and users in a real world example.
Thanks!
UPDATE
Thanks Brendan, I appreciate your help! I don't know if I'm misunderstanding something fundamental or if the answer is staring me in the face - either way, I'm not getting it.
So I have web api and would like to give granular access to the different controller methods. As the Admin, I want to be authorized on all calls so I should have all claims. Registered users should have read access to some methods and you as a moderator should have update and create access to some. My understanding is that these claims should be stored in a DB (SQL server in my case) somewhere and "assigned" to the user when they register. Using Asp.Net Identity, each user's claims would be stored in the AspNetUserClaims table, so when they login they get all their claims in the token by default. Simples!
What I am missing is the process of how you would handle the claims that should be assigned to a user when they register, what claims should a Moderator get etc. and how would you add / remove privileges. It doesn't seem right to me to have this in the code as adding a new claim in the system would require a rebuild and new deployment.
Also, if I add new functionality which requires new claims for different types of user, how would I make sure that the next time an existing user logs in they get the new claims as well as the ones they were assigned when they first registered?
I hope I am making sense, I may be mixing up some of the Role-based thinking with some of the Claims-based thinking which could be the source of my confusion. I just haven't seen any examples of how you would manage an application with many, many claims in the real world.
Thanks again!
That's exactly the same question and issue I'm running into. All I found is info on how to create a claim using the manager classes but nothing on where to manage these claims.
There can be different combinations of access to give to a user, and if my UI is disconnected from my API, I don't think I would want the UI to manage these claims for me.
Other than mucking about and creating a claims manager class with a claims table, did you figure out anything built in that can be used?
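One way to organise what the question and the follow-up comment are asking about, as an added example (not code from either poster): keep only role membership per user and store the role-to-permission mapping as data, then derive the permission claims when the identity is built at login. A new permission such as ProductList then reaches existing users on their next login, and the admin grants or revokes it with a data change rather than a rebuild. RolePermissionStore, the "permission" claim type, the sample roles and the ClaimsIssuer helper are assumptions for the example; with ASP.NET Identity the registration step would be the existing AddToRoleAsync call for the default role.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical RolePermissions table: which permission claims each role grants.
public class RolePermissionStore
{
    public const string PermissionClaimType = "permission";   // assumed custom claim type

    // Constructed sample data standing in for the table.
    private readonly Dictionary<string, HashSet<string>> _grants =
        new Dictionary<string, HashSet<string>>
        {
            ["Registered"] = new HashSet<string> { "ProductRead" },
            ["Moderator"]  = new HashSet<string> { "ProductRead", "ProductCreate", "ProductUpdate" },
            ["Admin"]      = new HashSet<string> { "ProductRead", "ProductCreate", "ProductUpdate", "ProductDelete" },
        };

    // Admin UI or migration-script path: grant a permission to a role.
    public void Grant(string role, string permission)
    {
        HashSet<string> set;
        if (!_grants.TryGetValue(role, out set))
            _grants[role] = set = new HashSet<string>();
        set.Add(permission);
    }

    public void Revoke(string role, string permission)
    {
        HashSet<string> set;
        if (_grants.TryGetValue(role, out set))
            set.Remove(permission);
    }

    // Effective permissions for a user: the union over the user's roles.
    public ISet<string> PermissionsFor(IEnumerable<string> roles)
    {
        var result = new HashSet<string>();
        foreach (var role in roles)
        {
            HashSet<string> set;
            if (_grants.TryGetValue(role, out set))
                result.UnionWith(set);
        }
        return result;
    }
}

public static class ClaimsIssuer
{
    // Builds the identity that goes into the token at login. Role memberships are
    // the only per-user data (AspNetUserRoles); permission claims are derived here,
    // so nothing has to be written to AspNetUserClaims when a permission is added.
    public static ClaimsIdentity Build(string userId, string userName, IEnumerable<string> roles,
                                       RolePermissionStore store, string authenticationType)
    {
        var roleList = roles.ToList();
        var identity = new ClaimsIdentity(authenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roleList)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        foreach (var permission in store.PermissionsFor(roleList))
            identity.AddClaim(new Claim(RolePermissionStore.PermissionClaimType, permission));
        return identity;
    }

    // The check an authorization filter makes against the token's claims.
    public static bool HasPermission(ClaimsPrincipal principal, string permission)
    {
        return principal.HasClaim(RolePermissionStore.PermissionClaimType, permission);
    }
}

public static class RolloutDemo
{
    // Shows a new ProductList feature reaching an existing Registered user:
    // the first login has no ProductList claim, the login after the grant does.
    public static bool[] Run()
    {
        var store = new RolePermissionStore();
        var roles = new[] { "Registered" };

        var firstLogin = new ClaimsPrincipal(ClaimsIssuer.Build("42", "alice", roles, store, "Bearer"));
        store.Grant("Registered", "ProductList");    // one data change, no redeploy
        var nextLogin = new ClaimsPrincipal(ClaimsIssuer.Build("42", "alice", roles, store, "Bearer"));

        return new[]
        {
            ClaimsIssuer.HasPermission(firstLogin, "ProductList"),
            ClaimsIssuer.HasPermission(nextLogin, "ProductList"),
        };
    }
}
```

This also keeps the claim count per user bounded by the number of permissions, not the number of users times entities, and the token only ever carries what the user's current roles grant.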
What exactly do you have to do to authenticate users against an external source while accessing pages on a CQ publish instance?
From what I have read, a custom AuthenticationHandler can be used for this. The AuthenticationHandler can be configured to be called against the paths requiring authentication and inside the extractCredentials() method, the users will be authenticated against the external source and an AuthenticationInfo object will be returned.
If the supplied credentials are invalid, null would be returned from this method to indicate the same. The SlingAuthenticator will then call requestCredentials() where the user can be redirected to the login page.
Is this understanding correct? If so, what does SlingAuthenticator do with the AuthenticationInfo object returned from extractCredentials()?
In some places, having a custom LoginModule (by overriding AbstractLoginModule) is also suggested for the same purpose. Are these two different approaches (custom AuthenticationHandler and LoginModule) for having custom authentication, or are they used together somehow? If so, how do they interact?
And also, the concept of CUG (Closed User Group) can be used to redirect users to the login page if they don't have access to a page. Can CUG still be used with a custom auth mechanism, or does it only work if the users are present in the CQ repository?
Any light shed on this would be much appreciated :)
Your understanding is correct. The AuthenticationInfo object ultimately contains a JCR user id -- but rather than having to use the JCR password for the user, a 3rd party service basically says "this user has authenticated successfully and can access the repository as X".
Example: you're using OpenID or SAML to verify a user is X. User X is then mapped to a user Y in the repository.
I haven't used LoginModule but from what I'm reading, that's just extending login processing for the JackRabbit repo. So, rather than using AuthenticationHandler to redirect a user to some other place and processing the response, you're plugging further down into the chain where there's already AuthenticationInfo (or something like that) being given to JackRabbit to verify and return a session for a user.
So, let's say you did successfully authenticate with OpenID but the user you're mapped to doesn't exist. You could write a login module to create the user in this case (and assign the user to a default group). For instance, if a user came in with a Gmail id, the JCR user could be gmail_$id. And the login module, seeing that the name starts with gmail, will know it's OK to create that user automatically.
As far as CUG, yes, all the above can be used in conjunction with it. Basically, if a request doesn't have access to a resource and the request hasn't been authenticated, the authentication handling system kicks in. If a user has authenticated but still doesn't have access to the resource (e.g. not part of a group that can read it), a 403 will be generated.
I would like to know when the GetPropertyValue() method will be called.
I have written a proxy pattern for the SQL profile provider and I tried using the profile properties in my application.
I tried both authenticated and anonymous user modes; whenever the profile property values are accessed, the profileProvider GetPropertyValue() method is called and it hits the DB to fetch the values.
I would like to know when the profile values will persist in the context.
For each and every request, I'm seeing the profileProvider being called to fetch the values. If so, then what is the use of having Profile in HttpContext.Current?
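The per-request load the question describes is what HttpContext.Current.Profile gives you: the ProfileBase instance holds the values for the duration of one request, and the provider is asked again on the next request. If that round trip is the problem, the provider itself can cache across requests. Below is an added example of such a provider (not the asker's proxy and not part of the framework): it derives from SqlProfileProvider, caches the loaded property values per user in HttpRuntime.Cache, and drops the entry when the profile is saved. The cache key format and the 5-minute TTL are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;
using System.Web.Caching;
using System.Web.Profile;

// Drop-in replacement for SqlProfileProvider: register it under <profile> in
// web.config with the same connectionStringName as the SQL provider.
public class CachedSqlProfileProvider : SqlProfileProvider
{
    private static readonly TimeSpan Ttl = TimeSpan.FromMinutes(5);   // assumed value

    public override SettingsPropertyValueCollection GetPropertyValues(
        SettingsContext context, SettingsPropertyCollection properties)
    {
        var key = CacheKey(context);
        var cached = HttpRuntime.Cache[key] as Dictionary<string, object>;
        if (cached == null)
        {
            // Cache miss: let the SQL provider load and deserialize, keep only the values.
            var fromDb = base.GetPropertyValues(context, properties);
            cached = new Dictionary<string, object>();
            foreach (SettingsPropertyValue v in fromDb)
                cached[v.Name] = v.PropertyValue;
            HttpRuntime.Cache.Insert(key, cached, null,
                                     DateTime.UtcNow.Add(Ttl), Cache.NoSlidingExpiration);
        }

        // Hand back a fresh collection per call so each request's dirty tracking is its own.
        var result = new SettingsPropertyValueCollection();
        foreach (SettingsProperty property in properties)
        {
            var value = new SettingsPropertyValue(property);
            object stored;
            if (cached.TryGetValue(property.Name, out stored))
            {
                value.PropertyValue = stored;
                value.IsDirty = false;          // just loaded, not modified by this request
            }
            result.Add(value);
        }
        return result;
    }

    public override void SetPropertyValues(
        SettingsContext context, SettingsPropertyValueCollection properties)
    {
        base.SetPropertyValues(context, properties);
        HttpRuntime.Cache.Remove(CacheKey(context));   // next request reloads from SQL
    }

    // Authenticated and anonymous profiles are keyed separately so they never collide.
    private static string CacheKey(SettingsContext context)
    {
        var isAuthenticated = (bool)context["IsAuthenticated"];
        return "profile:" + (isAuthenticated ? "u:" : "a:") + (string)context["UserName"];
    }
}
```

One caveat: the cached values are the deserialized objects themselves, so a profile property of a mutable reference type is shared between requests until the next save clears the entry. If you store such types, clone them in GetPropertyValues or cache the serialized form instead.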
I'm in need of a RoleProvider with the following functionality:
Dynamic Assignment of Roles to Tasks
Authentication / Authorization of IPrincipals based on the dynamically allocated tasks in the system they have privilege to access
Reporting showing who is currently logged in, and other common usage statistics.
I'm pretty sure I'm going to have to roll my own, but wanted to make sure I didn't miss out on something OSS or even from MS.
I'm also using ASP.NET MVC and so my basic plan is to write a custom attribute like: [Authorize(Task=Tasks.DeleteClient)]
and place it over the methods that need authorization.
Rather than authorizing against the Role, I'll authorize the task against the role based on whatever settings the user has configured in the DB.
Thoughts?
You might want to check out NetSqlAzMan. It allows you to define tasks and assign them to roles and then authenticate and authorise your IPrincipal objects.
You may need to roll your own security attribute but NetSqlAzMan should help make that a reasonably easy task.
We had a similar issue with one of our systems. The first thing I'd do is create more AuthorizeAttribute classes for your specific tasks - e.g. DeleteClientAuthorize etc. You can then add specific logic into your classes.
As long as you can access the routines that trigger the change of roles for the current user you should be OK. Just call Membership.DeleteCookie() and this will force the next authorisation request to re-query your data store. It's at that point that you can determine what roles are required now.
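The attribute the question sketches ([Authorize(Task=Tasks.DeleteClient)]) as an added ASP.NET MVC example, not code from the question or either answer. The action names a task; which roles may perform that task is looked up from a store at request time, so the administrator's reassignments take effect without code changes. The Tasks enum values, ITaskRoleStore, the static Store property and the InMemoryTaskRoleStore sample data are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public enum Tasks { ViewClient, EditClient, DeleteClient }

// Hypothetical store backed by a TaskRoles table that the administrator edits.
public interface ITaskRoleStore
{
    IEnumerable<string> RolesAllowed(Tasks task);
}

// Usage on an action:
//   [TaskAuthorize(Task = Tasks.DeleteClient)]
//   public ActionResult Delete(int id) { ... }
public class TaskAuthorizeAttribute : AuthorizeAttribute
{
    public Tasks Task { get; set; }
    public static ITaskRoleStore Store { get; set; }   // assigned at application startup

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;

        // IsInRole goes through the configured RoleProvider, so whatever the provider
        // caches (role cookie or otherwise) still governs how fresh the answer is.
        return Store.RolesAllowed(Task).Any(user.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: 403, rather than bouncing to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Constructed in-memory store for illustration; a real one reads the TaskRoles table.
public class InMemoryTaskRoleStore : ITaskRoleStore
{
    private readonly Dictionary<Tasks, HashSet<string>> _map =
        new Dictionary<Tasks, HashSet<string>>
        {
            [Tasks.ViewClient]   = new HashSet<string> { "Staff", "Manager" },
            [Tasks.EditClient]   = new HashSet<string> { "Manager" },
            [Tasks.DeleteClient] = new HashSet<string> { "Manager" },
        };

    public IEnumerable<string> RolesAllowed(Tasks task)
    {
        HashSet<string> roles;
        return _map.TryGetValue(task, out roles) ? roles.ToList() : Enumerable.Empty<string>();
    }

    // The dynamic assignment from the question: an admin lets another role perform a task.
    public void Assign(Tasks task, string role)
    {
        HashSet<string> roles;
        if (!_map.TryGetValue(task, out roles))
            _map[task] = roles = new HashSet<string>();
        roles.Add(role);
    }
}
```

Because the check is task-to-role rather than role-to-action, a task can be opened to a new role with one row in the store, and the "who is logged in" reporting from the question stays a separate concern handled by the membership layer.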