What is the best practice for implementing only one user (Admin) in an MVC 4 web application - ASP.NET

I want my website to be seen by anonymous users, and I don't want it to have a login/register user part.
I just need one user as administrator, whose username and password are chosen manually.
What is the best practice to implement this login part (the website has only one user, for ever)?
My question is how to implement this one-user login part, where to store the username and password, and does it need a table in the database?

For me - if you have such a simple system, then merely storing the username/password in the web.config is fine.
I'd create a helper class to wrap up talking to the config file (ConfigurationManager.AppSettings on MSDN) and use and evaluate a simple "logon" action.
No table needed.
Finally - make sure you add the AuthorizeAttribute to the controller that will be doing the admin actions...
HTH
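Worked example added here by the editor (it is not code from the answer above), showing the three pieces the answer describes: a helper class that reads the admin credentials from appSettings, a simple logon action, and [Authorize] on the admin controller. It assumes MVC 4 with forms authentication enabled and two appSettings keys chosen for this example, AdminUserName and AdminPasswordHash. One deliberate change from the answer: the config holds a PBKDF2 hash of the password rather than the password itself, and the check runs in constant time, so a leaked web.config does not hand out the admin password directly.

```csharp
// Assumed web.config fragments (keys and values chosen for this example):
//   <authentication mode="Forms"><forms loginUrl="~/Account/Logon" /></authentication>
//   <appSettings>
//     <add key="AdminUserName" value="admin" />
//     <add key="AdminPasswordHash" value="10000:BASE64SALT:BASE64HASH" />  <!-- from AdminCredentials.CreateHash -->
//   </appSettings>
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;
using System.Web.Security;

public static class AdminCredentials
{
    private const int SaltBytes = 16, HashBytes = 32;

    public static string UserName
    {
        get { return ConfigurationManager.AppSettings["AdminUserName"]; }
    }

    // Run once (e.g. from a throwaway unit test) and paste the result into AdminPasswordHash.
    public static string CreateHash(string password, int iterations = 10000)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(HashBytes));
    }

    // Returns true only if both the user name and the password match the configured values.
    public static bool Verify(string userName, string password)
    {
        var stored = ConfigurationManager.AppSettings["AdminPasswordHash"];
        if (string.IsNullOrEmpty(stored) || string.IsNullOrEmpty(userName) || password == null) return false;

        var parts = stored.Split(':');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations)) return false;
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);

        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);

        // Single '&' (not '&&') so both comparisons always run: timing does not reveal which part failed.
        return FixedTimeEquals(Encoding.UTF8.GetBytes(userName), Encoding.UTF8.GetBytes(UserName ?? ""))
             & FixedTimeEquals(actual, expected);
    }

    // Constant-time comparison; a length mismatch is folded into the result instead of returning early.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class AccountController : Controller
{
    [HttpGet, AllowAnonymous]
    public ActionResult Logon() { return View(); }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Logon(string userName, string password, string returnUrl)
    {
        if (AdminCredentials.Verify(userName, password))
        {
            FormsAuthentication.SetAuthCookie(AdminCredentials.UserName, false); // session cookie, not persistent
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);          // local only: no open redirect
            return RedirectToAction("Index", "Admin");
        }
        ModelState.AddModelError("", "Invalid user name or password.");
        return View();
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logoff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}

[Authorize] // every action here needs the forms-auth cookie; anonymous requests are sent to loginUrl
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Because there is exactly one account, there is no user table to consult; the only state is the forms-authentication cookie, and the hash format (iterations:salt:hash) lets you raise the iteration count later by regenerating one config value.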

Simplest way - just delete the controller and the view responsible for registering new users, change the routing to the login page and you're set.

Related

Symfony, redirecting depending on a variable

I'm building a shop system at the moment, using Symfony + CommerceTools as the backend and Twig as the frontend.
What I want to achieve:
In store A, called via a.store.com, you should always be redirected to the /login page if you aren't logged in yet. This store can only be used when logged in.
In store B, called via store.com, you can access anything without being logged in.
Right now, anyone can access everything. That's right for store B.
I could add a rule to security.yaml that redirects to /login if not logged in; that would work for store A.
But I need a solution that does both, depending on a variable in CommerceTools.
So if you have logins set up, this is quite straightforward using roles in Symfony. If you don't have a login form set up yet, check out this Symfony login guide.
To use roles you will have to ensure your security system is set up, which is covered in this Symfony Security guide - note this will need to be set up first if you intend to use the Symfony login forms I linked to first.
The bit you need in particular to restrict access to certain sections of your site is Section 4) Denying Access, Roles and other Authorization in the above guide.
Essentially, in your User entity class you have roles assigned to your users. Then my preferred way of securing certain parts of your site would be by adding role requirements in the controllers for the views you want to secure, for example:
// src/Controller/ShopAController.php
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
class ShopAController extends AbstractController
{
    public function shopA(): Response
    {
        $this->denyAccessUnlessGranted('ROLE_USER'); // anonymous -> AccessDeniedException -> redirect to the login page
        return $this->render('shop_a/index.html.twig');
    }
}
You will notice when setting up the security system that there are settings to give any registered user the role ROLE_USER, so you can use this to secure parts of your site to only registered users, or you could create a new role such as ROLE_CUSTOMER or something.
If a non-logged-in user tries accessing this secured view, they will be redirected to the login page.
Then for the views of your site you want anyone to be able to access, you simply don't set any role access rules in those controllers.
This avoids needing to add URL paths to your security.yaml, as you wanted, as well.
I hope this was helpful! Give it a try and follow the Symfony tutorials I linked, they're very easy to follow :)

Symfony LDAP bind as current user

So I have a Symfony 4 app which should allow login via LDAP and, based on your groups, modify some of the values in this LDAP directory.
The login itself, and the mapping from LDAP groups to ROLE_*, works perfectly.
The idea was that only the currently logged-in user does a modification, not a hidden directory admin.
For this I would need to $ldap->bind() with the user's credentials each time a logged-in user wants to modify the directory.
But for this I would need the password. The only way I could think of would be to save the password in the session - but from a security standpoint this would be a very, very bad idea.
Is there any other way? Like storing the already-bound connection somehow?
As far as I see in the Symfony security component, the UserProvider only refreshes the user from the session - without calling LDAP again.
The LdapBindAuthenticationProvider only uses the ->bind() call with the given credentials and catches an exception if the password doesn't match.
But the connection itself is simple fire & forget.

Allow an user to be both "User" and "Admin" roles

I am having a problem and would like to know if someone has a suggestion. On a site I am developing, I was using ASP.NET Simple Membership but now I am migrating to ASP.NET Identity 2. I have 2 roles: "User" and "Admin". The admin can do admin stuff, configuration, database management, etc. But cannot do "user things". So the admin is not a "super user" - it only has a different function.
The problem I am facing is that the unique identifier for the user is their email. So, if someone wants to use the system all by himself he has to create 2 accounts (one admin and one user), so he has to have 2 emails. This is a problem. I could easily add both "user" and "admin" roles to that user, but that would make the system harder to use for the "user" role, and I would like to avoid this.
I use roles to authorize routes on the server (MVC and Web API) and for basic things (like hiding elements) on the UI (SPA), so it is already part of the system - but I am willing to change it if necessary.
I was thinking of doing something like this:
When the user is configured to be an administrator, every time he logs on, I ask if he wants to be an admin or a user in this session.
If he chooses "user", I set a user role for him and log him in.
If he chooses "admin", I set an "admin" role for him and log him in.
What do you think about that? Does someone have a better idea? This feels like a hack and hacks do not go well with security :/
I see a problem with that - sometimes I need to send emails to admins (when they are offline). With this, I cannot rely on the UserRole table only; I will always have to check the User.IsAdministrator flag too. It is not a big problem but it adds a small complexity to things.
You need to use roles for this. A user can be a member of several roles at once, so you can have a user that is a member of the 'user' role, a user that is a member of the 'admin' role, or a user that is a member of both the 'user' and 'admin' roles.
You have already suggested this idea and this is how I would do it. If you then wanted to control what they could see (so that an 'admin' member could only see stuff that normally a 'user' role user can see), then you could have a drop-down on any form (or put it on your master page) that allows the user to turn the admin stuff on and off; you can then remember their selection in the session object and refer to that each time the page loads, e.g.
If User.IsInRole("Admin") AndAlso Session("HideAdmin") Is Nothing Then
    ' Show admin stuff
End If
Or somthing similar.
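Added example by the editor, not code from the question or the answer above. It implements the "choose admin or user for this session" idea on ASP.NET Identity 2, but puts the choice into the authentication cookie instead of a session flag: the user keeps both rows in AspNetUserRoles, and at login only the role claim they picked is kept, so [Authorize(Roles = "Admin")] is refused in a "User" session by the server, not merely hidden by the UI. It assumes the ApplicationUser and ApplicationUserManager types from the default MVC 5 Identity template, and that the user name is the email, as in the question.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Assumed: ApplicationUser and ApplicationUserManager from the default Identity 2 template.
public class SessionRoleSignIn
{
    private readonly ApplicationUserManager _userManager;
    private readonly IAuthenticationManager _authManager;

    public SessionRoleSignIn(ApplicationUserManager userManager, IAuthenticationManager authManager)
    {
        _userManager = userManager;
        _authManager = authManager;
    }

    // Verifies the password, builds the cookie identity and keeps exactly one role claim:
    // the one the user picked. A user may only pick a role they actually hold in the table.
    public async Task<bool> SignInAsAsync(string email, string password, string chosenRole)
    {
        ApplicationUser user = await _userManager.FindAsync(email, password); // null on bad credentials
        if (user == null) return false;

        ClaimsIdentity identity = await _userManager.CreateIdentityAsync(
            user, DefaultAuthenticationTypes.ApplicationCookie);

        // Role claims are populated from AspNetUserRoles by the claims identity factory.
        List<Claim> roleClaims = identity.FindAll(ClaimTypes.Role).ToList();
        if (!roleClaims.Any(c => c.Value == chosenRole)) return false;

        foreach (Claim other in roleClaims.Where(c => c.Value != chosenRole))
            identity.RemoveClaim(other); // the cookie now carries only the chosen role

        _authManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return true;
    }

    // Modes to offer on the login page, read from the table rather than from any session state.
    public Task<IList<string>> AvailableRolesAsync(string userId)
    {
        return _userManager.GetRolesAsync(userId);
    }

    // For "email all admins while they are offline": the persisted role membership stays the
    // source of truth, so no separate IsAdministrator flag is needed.
    public Task<bool> IsAdministratorAsync(string userId)
    {
        return _userManager.IsInRoleAsync(userId, "Admin");
    }
}

public class AccountController : Controller
{
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string email, string password, string mode)
    {
        string role = mode == "Admin" ? "Admin" : "User"; // anything else falls back to the safer mode
        var signIn = new SessionRoleSignIn(
            HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(),
            HttpContext.GetOwinContext().Authentication);

        if (await signIn.SignInAsAsync(email, password, role))
            return RedirectToAction("Index", role == "Admin" ? "Admin" : "Home");

        ModelState.AddModelError("", "Invalid login, or you do not hold the selected role.");
        return View();
    }
}

[Authorize(Roles = "Admin")] // a "User" session has no Admin claim in its cookie and is refused here
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Switching modes means logging in again, which is the point: the mode is bound to the cookie's lifetime and cannot be flipped by a later request without re-proving the password. The drop-down approach from the answer still works for hiding UI, but the authorization decision should come from the claims, as above, not from the session flag.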
This type of problem is solved at database design time, not at development time. You have few choices; the best I see is to create a third user who will have both rights.

Can the CMS editors set up a specific page to require authentication - Sitecore

I was wondering if it is possible to make it so the editors within Sitecore can set it so you require a username/login for only one specific page.
www.yourwebsite.com - No password required
www.yourwebsite.com/internalstuff - password required and set within CMS by the editors.
This is explained extensively in the Security Administrator's Cookbook that is supplied by Sitecore.
This is what you need to do, in a few short steps:
Create a user group with the User Manager (on the Extranet domain, that's how it's called by default, could be different in your installation)
Add users to the group
Go to the Security Editor, select the item(s) you want to protect, and disallow Read rights for the Anonymous user (this makes it impossible for not-logged-in users to view it)
Enable Read rights on your item(s) for your new user group
Make sure to read the cookbook so you know how to use security inheritance properly. That will save you a lot of time in the future.
Actually it's possible with no coding if you have Web Forms for Marketers installed. It's not an enterprise-ready login with e-mail activation etc., but it works. First, you should of course set up access rights and roles as mentioned in this answer by Ruud, plus you need WFFM ready with forms styled and a placeholder configured to accept forms.
Go to WFFM and create a registration form (username as single-line text field, password as password-confirmation field)
as save action add "Create User" (configure the correct domain/role there) (you could also add a "User Login with Password" action and log the user in directly after registration)
add the registration form to a public page
create a login form (username as single-line text field, password as password field); again map the data to the username, password and domain set up for your extranet
add the login form to a public page
enjoy :)
Note: this requires you to have write access to the ASP.NET user tables (by default set up in the core database). Make sure your security requirements are compliant with that. And as already mentioned, this will not give you basic e-mail validation upon registration.

Spring-security split authentication and the authorization

I'm trying to create a custom login for my Flex web app with Spring Security.
I have a working version where we use channelset.login with BlazeDS.
The problem I have is that I would like to split the authentication and the authorization.
I would like to ask the user to make some choices after authentication to determine their roles,
since the roles the user is authorized for are determined by these choices.
This means the user has to be authenticated, then the client needs to make a service call to the service, and then the authorization process needs to take place.
Does anyone know if this is possible and have some tips of how this can be done?
Thanks in advance,
Arjen
Yes, that doesn't sound too far-fetched.
You can store the user roles in the database, make the role for new users something like SIGNUP, which will only allow the user to sign up; once their new role is determined, simply update that role and restrict the new role from being able to update the role again, unless you're admin.
You can also override the authentication process to do whatever you want to do: http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html
The session object might need to be refreshed if you're using some form of ORM.
