Custom ClaimsPrincipal or ClaimsIdentity (where to graft it?) - asp.net

Where can I extend ASP.NET current (5.0) Identity functionality to easily resolve the integer user ID and security rights associated with a claim?
This should be available within all of my web application browser service access points (everywhere a cookie or JWT is provided), including SignalR hub, MVC controller, and WebAPI controller. It should work with OWIN Authentication.
Here are the three most-related solutions I've seen, and why they don't work:
Set HttpContext.Current.User in every call via global.asax Application_PostAuthenticateRequest. I've seen older (MVC 4) functionality that obsoletes this. I know global.asax is generally not the way to go today. I'm also using OWIN; this may not even work at all.
Override ClaimsPrincipal ClaimsAuthenticationManager.Authenticate() with the configuration <system.identityModel><identityConfiguration><claimsAuthenticationManager type = "CustomClaimsAuthenticatonManager" /> However, ClaimsAuthenticationManager is from System.Identity, which isn't even in the references of my ASP.NET 5.0 project with ClaimsAuthentication active. Instead I have references to Microsoft.AspNet.Identity.Core stuff in my project from current NuGet packages. It seems this approach is not for ASP.NET apps, or at least not current ones?
Set UserManager.ClaimsIdentityFactory to a custom ClaimsIdentityFactory, with overridden CreateAsync. This looks like this might work, but I don't see any way to graft that onto the current ASP.NET default behavior. See here: How to set a custom ClaimsPrincipal in MVC 5?

Related

Is it possible to use Sustainsys.SAML2 without ASP.NET cookie authentication?

I'm trying to implement SAML as service provider in our ASP.NET 4x application using Sustainsys SAML2 but I'm starting to wonder if this is the right way to go.
The application is technically ASP.NET MVC, but we only use one mvc page to load the frontend SPA (angular). As the application is also multitenant I have mostly focused on the OWIN-version of Sustainsys (as the ASP.NET MVC version doesnt seem to support different configurations based on the request). But we also use custom authentication and the Sustainsys library seems tightly linked to the ASP.NET cookie authentication, which I dont know that much about. Is it possible to use this library without ASP.NET authentication?
Yes, it is possible. Hook the AcsCommandResultCreated notification and set the HandledResult flag on CommandResult to true to supress the default handling, including calls to the cookie authentication. Then do whatever you want to do.
Note that you would need to copy parts of the CommandResultExtensions.Apply method to clear the state cookie and apply the redirect.

What are Startup.Auth.cs and Startup.cs used for in ASP .NET MVC 5?

Im making an application in MVC 5, and I've commented out all the code in Startup.Auth.cs and Startup.cs because I felt that I dont need them and Visual Studio seems to be ok with it. Im thinking about deleting them completely but I just want to make sure that they aren't necessary.
Thanks
Looks like you don't need any authentication in your application and in that case you can get rid of those files. Those are added part of your creating the MVC application. Yes, Startup.Auth.cs comes to support OWIN authentication. While creating the application, by default Individual User Account will be selected and hence you get those files. if you want no authentication then while creating new project under Configure Authentication button select No Authentication
They are used by SignalR and OAuth as classes to attach their implementations to the request pipeline through OWIN. If you are not using with of these, then you should be OK, as far as I am aware.

Is it possible to use ASP.NET application caching in web API?

For example, in a ASP.NET page you would do something like
Cache.Add({...}) and access it via Cache["key"]. In this context, Cache is the System.Web.Caching.Cache object.
Is there anyway to do this type of ASP.NET application level caching in web API controllers?
Take a look at the MemoryCache class. From its MSDN documentation:
The MemoryCache class is similar to the ASP.NET Cache class. The
MemoryCache class has many properties and methods for accessing the
cache that will be familiar to you if you have used the ASP.NET Cache
class. The main differences between the Cache and MemoryCache classes
are that the MemoryCache class has been changed to make it usable by
.NET Framework applications that are not ASP.NET applications.
You can create a new instance of a MemoryCache yourself, or you can use the default AppDomain-wide instance via the MemoryCache.Default static property.
Edit: You'll need to add a reference to System.Runtime.Caching.dll if you wish to use this type.
If you are web hosting, why not?
var context = HttpContext.Current;
if (context != null)
{
if (context.Cache["g"] == null)
{
context.Cache["g"] = 9.81;
}
}
But you are adding a dependency on ASP.NET by doing so. Even though ASP.NET Web API has ASP.NET in the name, the Web API is host-agnostic. That is, ASP.NET/IIS is not the only hosting option; the Web API can be self-hosted as well. Something for you to consider before going down that route.
You need to type
HttpContext.Current.Cache
to access the instance. There is no Cache property declared at the Controller level, like on a Page.
Note that the context that hosts the API will need to support caching.
If you are referring to Output caching in ASP.NET Web API. Take a look at this project,
https://github.com/filipw/AspNetWebApi-OutputCache

ServiceLocator/IOC in ASP.Net environment

I have a home-grown framework that includes a simple ServiceLocator class implemented using a static Dictionary. It was developed for a WinForms environment and did what I wanted just fine.
This proves to be a disaster when using the framework in as ASP.Net framework; the Dictionary, a static variable, is instanciated upon first use and every ASP.Net application uses the same dictionary. This is NOT my design intent.
For example, the a web application attempts to register a DB Audit Service, IAuditService. Error!! The service is already registered by the first user! Just the tip of the static variable problems that can occur in a ASP.Net environment.
I have experimented with Autofac IOC. Can I avoid my static variable problems by using Autofac (or some other IOC)?
BP....
You can use an IOC framework, but if you want the object to stick around you will have to store it yourself, otherwise you will just be asking for a new object each time from the IOC Container.
I add a new instantiation type to my ServiceLocation specific to a web application.

When do asp.net role providers live and die?

I am working with a custom role provider in asp.net and it appears that once the provider is loaded into memory, it doesn't drop out of memory until the web application is restarted (like when the web.config file is changed and saved). Further, all of the requests to that web application seem to utilize the one instance of the role provider.
So my question is: When does asp.net create instances of role providers? And what is their life span? When does asp.net create new instances? And is there a way to force asp.net to refresh the current provider instance by dropping the old instance and creating a new one?
The design of ASP.NET assumes the providers are stateless objects. Therefore, you should design your provider in a manner that you won't need to know about when it is created and when it dies. Basically, if you really want to do that, you could put the actual logic in a different class that its creation and disposal will be handled by a proxy class that you introduce to ASP.NET.
Also, ASP.NET does not guarantee when it will create the role provider object. It's something like static constructors. You should only rely on the fact that they do exist whenever they are needed.

Resources