I am building a simple ASP.NET 5 admin site, using ASP.NET Identity 2 to password protect the actual admin pages. It will be used by 2 to 4 users.
My employer doesn't want me to use a database for various reasons beyond my control. The plan is to store all user info in a text file. When a user needs to be added/removed, a dev will log into the server and update the text file. So users can only login, they can't register, change password, etc.
I would still like to use ASP.NET Identity so I can use the Authorize attribute on my MVC controllers, etc. It also makes it easier to start using a database later on.
I haven't been able to find an ASP.NET Identity provider that uses an unencrypted text file. Does such a provider exist somewhere?
I have not came across the text-file storage, but I've seen a lot of samples using some other storage mechanisms. Take a look on this post for samples and have a look on documentation about implementing custom storage.
In your case I'd store all user objects in a list and then serialise that into a JSON-string that is persisted into a file.
However it is strongly advised not to use plain text for password storage and use provided hashing mechanisms. (I'm sure you are aware of this). Just point your employer on http://plaintextoffenders.com/ for samples of why it is best not to store plain-text password.
While I was trying to understand how asp.net Indentity works I put together a sample solution where I explore the customization of the provider to use a simple storage.
You can find the code on github.
In the folder Custom.Identity you can see how I've implemented the different classes and managers.
Trailmax has written a lot about it on his blog.
Taiseer Joudeh has a written a series of articles which will help you to understand all the pieces involved.
Related
I find a few topics on this, but they point to too-generic documentation or, for the link that seemed most pertinent so far, don't work.
(I'll refer to all the built-in functionality for membership/roles in .NET as "Membership" here on out.)
Using .NET 4.0 and Visual Web Developer 2010 Express and SQL Server 2005.
I'm creating a website where, in order to sign up, you need to be a paying member. I've already created the database that holds all membership info, and I've already created the form where they sign up, as well as the pages where they themselves or site admins can manage their account info. I've also even created a class for authenticating them and checking for permission on pages based on level of access (roles).
I'm hoping for a clear, concise explanation of either of these options:
• Point "Membership" at the place where username/password are stored, disallowing it from auto-creating its own db. (I'll then go back through my site and replace my own custom authentication in the few places I have it with official .NET "Membership".)
• Or still run my own custom authentication, but in that process, say to "Membership", "Hey! User known as "username" and of role "member" is now authenticated. Note that in your own special place, assign them that role, and know what to do with it when I ask you hereafter." Could this be "Forms Authentication API"?
There's more to the account than just username/password/role. I know I can add more fields to accounts created using .NET but I also really don't want to use some randomly created, self-contained, disjointed database just for the sake of handling logins.
I have not yet learned the basics of "Membership", though I'm getting darn close in my process of learning .NET; and I can't spend the time right now making progress on that for personal reasons, but I have to proceed with making this site. I would like to be able to use many of the benefits that come along with .NET security, like being able to exclude users from folders using web.config, etc.
Mostly I'm just seeking assurance it will be possible for me to backpedal after I get some other aspects of the project shored up, but before I make it live, and without having to rewrite half of the membership forms and splitting that data into several databases and figuring out how to use "Membership" for either pieces of it or all of it when a member signs up.
Possible?
If I understand you correctly, what you are working on is similar to something I am working on here.
We have a custom authentication scripts in ColdFusion and I am creating a second .NET System with Membership login.
The way I went about it was to move all the user/role/profile information into Membership's tables and created an additional tblUserProperties table which holds all other information that the Membership standard tables cannot hold.
I have recoded the ColdFusion queries to point to the new Membership tables.
This way, if a user change password from either system, the logins will work from the other system as well.
I think keeping two systems/tables that do the same thing (authentication) is risky because of the password change reasons. There could be more, but why can't you just simply change your custom code to point to where Membership is pointing? That way you can use Membership provider to its full potential.
I have used asp.net so far to create personal web applications, for example, an application where I maintain to-do tasks in an MS SQL Server database or a customer management and support system. I use the basic authentication via web.config where I can create another user who can look and work with such a database, but then all the data is shared between him and me.
But now I want to convert this application into a membership model where a user signs up and will get to use his own personal list of to-do tasks. I can think of the following approach. Please correct me if I'm wrong on some point or if I have missed something.
Steps:
Add a membership user table and use the primary key of this table to access other tables where I will need to add this column, the to-do list in this case.
Next, I will need to write the Login, Signup and User management logic to maintain the user table. Here, I was hoping to find some working samples but all searches give me only ASP.NET MVC membership samples. I don't want to use MVC because I am using third-party asp.net components. As far as I know I can not use MVC with those components. Any links to ready made samples similar to MVC but for asp.net?
I also want the users to be able to login with their google id, dropbox id, etc. Is this possible while having my own login/signup? How does user table change then? Is the Email Address the only data to link up all these things? For example, if someone logs in with google id, I authenticate using Google oauth 2 API but use the email address as the data to add or locate that user to give him his data tables. I'm confused on how this kind of user table looks where all kinds of logins are possible along with a custom one. Any ideas?
http://www.shiningstar.net/ASPNet_Articles/SqlMembershipProvider.aspx
This should help talk you through what you need to do.
I got the exact solution that combines membership with oauth and is built into ASP.NET 4.5. What is more, there is a video that demos it all!
http://www.asp.net/vnext/overview/aspnet/oauth-in-the-default-aspnet-45-templates
Hai,
i am trying to store the user permissions for my web site.But I am little bit confused with xml and Database. For each user in site have different permissions. Have u ever faced this issue? for Example , if my site is a shopping site , for a local user , the report menu need not to display. A sales man need not to display the purchase page. and so on ..
I think you understood my problem .I have done this user management using a xml file . For each user a new node will create according to the menu and keep in the xml file . Next time the user login ,checks the permissions and and show only the allowed menus.
My boss tell me to do the same thing using the Database. by using XmlDataSource it is quite simple to bind data to the treeview (for setting permission) and binding to the menustrip also.
He is pointing the security problem . i don't think like so.
Which is better ? DB or XML
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) and is stored in a SQLServer database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my dB (you download a dB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced on ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system using SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc..) then you'd have to implement your own provider (which is at best painful), and learn how the whole pieces fit each other. Granted, finding a custom implementation it's quite easy, but is not a copy & paste thing.
Another bad thing of the default provider model is that you will get a ton of SQL stored procedures, also called maintainance nightmares. The issue is that if your site scales, then these SP's will make your life a living hell (been there) and if you even dare to change hostings then you're in for a treat, so my advice would be make your own permissions hierarchy and use it the way you wish. Also, look for advices and some pre-existing solutions to the permissions problem which is quite common.
Website security can be split up into to distinct parts.
Authentication: Logging in
Authroization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our companies X500 directory (LDAP). It was very straight forward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming your developing a scale-able solution). You may also want to look at the Windows Itentity Foundation which is slated to supersede entlib security application block, however it is only available for .NET 4.0.
I'm a newbie at this, so please be nice to me =^)
I'm creating a website with ASP.net and I have a sign up page. The user has to enter a name and password in textboxex, and choose a location and reason for joining from dropdown lists. (There is a built in wizard for new user sign-up but I chose not to use it).
I would like to save the information entered in a table in a database in the App_Data folder. How do I do this?
You will also need to learn ADO.NET which is the database access technology of choice for .Net.
Here's a basic tutorial to get you started...
Also Googling for asp.net ado.net tutorial will bring up good hits.
If you're creating a public-facing website, you need to put some serious thought into how you process, store, and retrieve user information. ASP.NET provides a lot of good functionality for this type of thing using the Membership class. You'll find this class in the System.Web.Security namespace.
You can also use the aspnet_regsql.exe application to generate the tables and stored procedures necessary to store this information correctly (i.e. storing hashed values for passwords and secret questions/answers, etc.)
As mentioned previously, many good tutorials (both written and video) can be found on these topics on the ASP.NET site as well as on MSDN.
As the godfather of ASP.NET, Scott Guthrie, might say: "Hope this helps."
You need to:
1) Have a schema representing the database and create it on the machine
2) Have an ability to execute queries against the data
3) Write a query to insert the user data into the database.
I'm sure google has a ton of ASP tutorials.
I am trying to make an asp.net website using Visual web dev and C# that accesses data in an SQL database. For my site, I need to be able to save and access additional user properties such as age and gender. I have been playing around with the built in .NET Login tools but I don't understand how to keep track of the additional properties (age, gender...) I could store all the users information in my own database but how do I correlate the users data in my DB to the usernames in the member database that is automatically created?
Probably profiles are perfect and quite easy to use for your purpose. ASP.NET manages the relation between users and their associated profile data (which you can customize for your needs) quite comfortable. Here is short introduction video:
http://www.asp.net/learn/videos/video-44.aspx
Are you using an ASP.NET website project or web application project? The video (and most information in MSDN) is related to website projects. For web applications there are some complications to take into account when you use profiles.
(Some hints if you are using a web application project:
How to assign Profile values?
If you are using an website project you can ignore this)
As Slauma said ASP.Net Profiles is a great way to do this using the Membership API.
But I don't like the way profiles use delimited list serialized in the database, and I've heard reports of speed issues under heavy load.
I Use Membership API on just about all applications, except for the profile bit.
To store user profiles, you can create a separate table. Maybe called 'UserProfile'. Add a column with a unique index for 'username' and/or 'email'. Which ever you treat as the user's username. Now you can use that column to pull profile information at runtime.
As a bonus, if you use an ORM like Entity framework, you can now write simple LINQ queries to pull your user information.