I have existing User tables in my project, and existing code that I want to maintain for persisting users to my database. This is a new ASP.NET site, but it just needs to play nice with existing tables and objects.
In most of my previous developing efforts, I would simply use FormsAuthentication to handle the HTTP Authentication, use its static methods to set the cookies and redirect the browser, and custom-prepare the roles on the Principal. While this has worked well for me in the past, I am worried that FormsAuthentication is headed for the same fate as Dodos, Newspapers, and Record Stores, and I am also trying to challenge myself to not avoid new technologies simply because they are new (-er.)
Also, my project is utilizing ADO.NET and not the Entity Framework, and I am hoping to not have to use EF just for the users.
Can anyone point to a tutorial or walkthrough that would help in my getting up to speed on the Identity process and customizing it to fit my needs?
Thanks
I am hoping to not have to use EF just for the users.
Identity uses Entity Framework Code First. You cannot get away with EF if you want to use Identity's auto-generated tables.
Adam Freeman (author of Pro ASP.NET MVC 4 & 5) offers 3 free chapters just for Identity.
Please take a look at a project I have created for this topic on GitHub (https://github.com/giorgos07/AspNet.Identity.AdoNetProvider). Hope you like it.
I support a legacy webforms application with a SQL backend and have been trying to upgrade it bit by bit.
I have upgraded to .NET 4.6 (the highest the hosting provider allows), added some jQuery, EF 6 goodness and refactoring in general, and am attempting to switch to code first from database first edmx. My next plan is to start creating new features using some kind of front end library like Vue.
But...
My problem at the moment is Membership.
It is used throughout the code and statements like
new Guid(Membership.GetUser().ProviderUserKey.ToString())
are literally too many to bear.
And the database has 10 tables and 9 views for it.
vw_aspnet_Applications
vw_aspnet_MembershipUsers
vw_aspnet_Profiles
etc..
The application is using it for authentication and for keeping track of which user is doing what.
Is there a way to upgrade that to a modern solution without much hassle?
I can take the effort out of my own time but I'd prefer a solution that is not overkill.
The number of users is probably less than 20, so the alternative doesn't have to be complex.
It just has to support most of what Membership is doing.
I've played with Auth0 for a bit in my own time but it seems to be not suited for this.
There is MS Identity as well but I'd prefer to take advice before going into a rabbit hole.
Thanks!
Definitely no simple upgrade. Here's what we did in our case.
Created ASP.NET Identity tables. We made them similar to the MembershipUsers table and later migrated the whole table.
Added ApplicationUser, ApplicationRole, ApplicationUserManager, ApplicationSignInManager, ApplicationDbContext.
Implemented Autofac for DI, defined in Startup.cs.
Worked on Login/Signup Controller classes.
Finally migrated the whole Membership DB to the new aspnetusers table.
The application was initially designed using NOPCommerce (ASP.NET webforms) and it was a relief to replace Membership.GetUser().ProviderUserKey.ToString() with User.Identity.GetUserId()
Hassle free? Do you mean the easy path or the scalable path?
Design is more an opinion than objective. It's mostly based on the facts one knows about the problem statement. Based on yours, I would recommend the following.
Separate all the membership-related code into a library (if not already done).
Now write interfaces that will abstract the actual authentication mechanism from the membership-related code in your project. That way your code doesn't need to be changed for any authentication-related mechanism. This also wouldn't require a change of database schema.
Now for real authentication use something like Auth0 (https://auth0.com/blog/add-auth-to-native-desktop-csharp-apps-with-jwt/); something like this will be easy to implement. But I don't know if yours is a commercial project or how the licensing will work. I know there is a free version of Auth0, but I request you to check it out.
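The interface seam suggested in the answer above, sketched as an added example that is not part of the original thread. `ICurrentUser` and both adapter class names are hypothetical; the second adapter assumes migrated users kept their Membership GUID as their ASP.NET Identity user id.

```csharp
using System;
using System.Web;
using System.Web.Security;
using Microsoft.AspNet.Identity;   // only needed by IdentityCurrentUser

// Hypothetical seam (names are assumptions): callers depend on this interface
// instead of repeating new Guid(Membership.GetUser().ProviderUserKey.ToString()).
public interface ICurrentUser
{
    bool IsAuthenticated { get; }
    Guid UserId { get; }            // throws when nobody is signed in
}

// Adapter 1: the existing Membership tables, no schema change.
public sealed class MembershipCurrentUser : ICurrentUser
{
    public bool IsAuthenticated { get { return HttpContext.Current.User.Identity.IsAuthenticated; } }

    public Guid UserId
    {
        get
        {
            MembershipUser user = Membership.GetUser();   // null for anonymous requests
            if (user == null || user.ProviderUserKey == null)
                throw new InvalidOperationException("No authenticated user.");
            return new Guid(user.ProviderUserKey.ToString());
        }
    }
}

// Adapter 2: ASP.NET Identity. Assumes the migration kept each user's
// Membership GUID as the Identity user id, so stored references stay valid.
public sealed class IdentityCurrentUser : ICurrentUser
{
    public bool IsAuthenticated { get { return HttpContext.Current.User.Identity.IsAuthenticated; } }

    public Guid UserId
    {
        get
        {
            Guid parsed;   // GetUserId() returns null when there is no id claim
            if (!Guid.TryParse(HttpContext.Current.User.Identity.GetUserId(), out parsed))
                throw new InvalidOperationException("No authenticated user.");
            return parsed;
        }
    }
}
```

Both adapters fail closed: an anonymous request raises an exception instead of a NullReferenceException or an empty Guid being written to an audit column.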
I'm implementing my first web application on ASP.NET MVC 4 and I need to differentiate my users according to roles (show certain menus to some roles and hide them from others). Basically, what I want is to manage my users and roles. I understand that security is quite an important part of my application, so I don't want to risk it by implementing something not secure while there are other options for doing this.
My question is, is there something already built into MVC 4? Is it appropriate for a small site? (I don't expect more than 50 concurrent users.) Is it better to implement my own user administrator? If so, where can I start? So far what I've found is the membership provider, but it seems quite big for what I need; there will be no user registration, instead the new users will be added by system admins.
Thanks for taking the time for reading this, any feedback will be appreciated!
I would have recommended the default membership provider as it makes use of security industry best practices (i.e. salted hash). However, if that seems overkill, there is a simpler membership provider called SimpleMembership Provider.
You can use the new ASP.NET Universal Providers (an updated version of the legacy Membership Provider).
They can be used in small applications as well as large applications (if your application continues to grow).
Password is encrypted with salt, so it cannot be compromised easily.
Follow Scott Hanselman's link and see the demo. You will see how easy it is to set up.
I have a usermanagement table in my SQL Server 2008 database. I want to check each user with their particular role from my database and not from the ASP.NET predefined database. Please help me with the code for this. Also, what do I need to change in my web.config file?
You probably want to implement (roll your own) version of the membership provider to make this job easier, more secure and less error prone - it will also save you writing tons of additional plumbing code.
In essence it means implementing the IIdentity and IPrincipal interfaces (sounds scary but it's really not that bad). See this blog here http://www.bradygaster.com/custom-authentication-with-mvc-3.0 for a step by step guide. Additionally it is worth reading the comments and links to enable proper Forms Authentication via Auth Cookie rather than the basic session management referenced directly in the post!
Also note this example on the blog is for MVC 3 BUT it's equally applicable to Web Forms projects too.
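A sketch of the IPrincipal approach from the answer above, added here as an example and not taken from the thread or the linked blog. The table and column names (`UserManagement`, `UserName`, `RoleName`), the connection string name `AppDb` and the class `DbRolePrincipal` are assumptions; Forms Authentication is assumed to have already validated the auth cookie.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Principal whose roles come from the application's own table (assumed schema).
public sealed class DbRolePrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    public IIdentity Identity { get; private set; }

    public DbRolePrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }

    public bool IsInRole(string role) { return role != null && _roles.Contains(role); }

    // Assumed: UserManagement(UserName, RoleName), connection string "AppDb".
    public static DbRolePrincipal Load(IIdentity identity)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT RoleName FROM UserManagement WHERE UserName = @name", conn))
        {
            // Parameterized: the user name is never concatenated into the SQL text.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = identity.Name;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) roles.Add(reader.GetString(0));
        }
        return new DbRolePrincipal(identity, roles);
    }
}

// Global.asax.cs: swap in the principal once Forms Authentication has run.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = HttpContext.Current.User;
        if (user != null && user.Identity.IsAuthenticated)
            HttpContext.Current.User = DbRolePrincipal.Load(user.Identity);
    }
}
```

This queries the role table on every authenticated request, so role changes take effect immediately; a user with no rows simply has no roles, and every `IsInRole` check returns false.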
Hi,
I am trying to store the user permissions for my web site, but I am a little bit confused between XML and a database. Each user on the site has different permissions. Have you ever faced this issue? For example, if my site is a shopping site, for a local user the report menu need not be displayed. A salesman need not be shown the purchase page, and so on.
I think you understand my problem. I have done this user management using an XML file. For each user a new node is created according to the menu and kept in the XML file. The next time the user logs in, it checks the permissions and shows only the allowed menus.
My boss tells me to do the same thing using the database. By using XmlDataSource it is quite simple to bind data to the treeview (for setting permissions) and to bind to the menustrip as well.
He is pointing out the security problem. I don't think so.
Which is better? DB or XML?
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) and is stored in a SQLServer database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my dB (you download a dB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced in ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system using SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc.) then you'd have to implement your own provider (which is at best painful), and learn how all the pieces fit together. Granted, finding a custom implementation is quite easy, but it is not a copy & paste thing.
Another bad thing about the default provider model is that you will get a ton of SQL stored procedures, also called maintenance nightmares. The issue is that if your site scales, then these SPs will make your life a living hell (been there) and if you even dare to change hosting then you're in for a treat, so my advice would be to make your own permissions hierarchy and use it the way you wish. Also, look for advice and some pre-existing solutions to the permissions problem, which is quite common.
Website security can be split up into two distinct parts.
Authentication: Logging in
Authorization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our company's X500 directory (LDAP). It was very straightforward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming you're developing a scalable solution). You may also want to look at the Windows Identity Foundation, which is slated to supersede the entlib security application block; however, it is only available for .NET 4.0.
Does anyone have any examples of using Sqlite with ASP.NET membership? I am building a small "drop-in" type web application and don't want to rely on an SQL database for storing user credentials, etc. Sqlite seems like a good option, and I have been impressed with its performance in Elmah; I wouldn't mind using xml as a data store either.
On another note, perhaps asp.net membership isn't a good choice for basic form level security? The app will not require more than a couple of users for those who implement it, and at this time I don't see a need for roles. My thought of using asp.net membership is simplicity to set up and get running; why build a security class if I don't need to, right?
Any other suggestions are surely welcome; thank you for your time.
It looks like Roger Martin's project - http://www.codeproject.com/KB/aspnet/SQLite-Providers.aspx - is now the recommendation for SQLite connectivity.
This is suggested by Peter Bromberg (http://twitter.com/peterbromberg/status/5031854389) and the next top resource on Google is the above by Roger Martin, who suggests that as the place to get the provider (http://galleryserverpro.blogspot.com/2009/08/new-release-adds-support-for-flash.html#comments).
Seeing as how it's part of a semi-commercial product (and the author is trying to get back to work on it as a full-time job), it seems this will be kept up to date.
EDIT 1: More information about the ordering of released providers for SQLite: http://sqlite.phxsoftware.com/forums/p/75/397.aspx
I am a big fan of SQLite as well. I would say asp.net membership is good enough for the basic stuff.
Peter at Eggheadcafe has this right article about SQLite, check it out.
For using the membership provider with other databases look at a custom membership provider
There's a new, updated source for Roger Martin's SQLiteMembershipProvider
nuget package: https://www.nuget.org/packages/SQLiteMembershipProvider
sourcecode: https://bitbucket.org/jkuemerle/sqlitemembershipprovider