If I use windows authentication inside an asp.net mvc web project , I will not get any membership database, unlike form based authentication . But I can still use Roles. So i have the following questions:-
So where are these roles managed, and how I will be assigning users to roles when using windows authentication ?
are these roles managed and created only inside Active directory ? and if I want to add a user to specific role, I will be doing this inside the active directory ?
so can anyone advice ?
Edit
Now if i understand your point well, let say that i want to restrict calling an action method to only our company admininstrators. where currently inside active directory we have a group of users named "OurCompanyAdminsitrators"
so let say i create a new asp.net mvc5 web project , and i specify to use Windows authentication , then inside my action method i wrote the following:-
[Authorize(Roles = "OurCompanyAdminsitrators")]
will asp.net mvc5 recognize the OurCompnayAdministrators user group ? or i need to do extra work for my asp.net mvc web project to be able to read and check against the active directory groups ?
I think there are many ways to approach this, 2 I can think of off the top of my head:
Use Active Directory to manage your roles and add users to the Active Directory groups as required. You can then access them through the users Identity in which you can get from the http context.
Create a separate service/component to manage the security for you where you map user credentials to roles that you define yourself completely away from AD. Obviously there is more of a time investment here and you will need to duplicate some information.
We can use SimpleMembership provider. "SimpleMembership: The future of membership for ASP.NET".
http://weblogs.asp.net/jongalloway//simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates
http://www.codeproject.com/Articles/689801/Understanding-and-Using-Simple-Membership-Provider
http://www.mono-software.com/blog/post/Mono/226/Adding-ASP-NET-SimpleMembership-to-an-existing-MVC-4-application/
Edit:
We can use SqlRoleProvider.
http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.aspx
http://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server
Related
We are looking at enhanching our current security access model which is basically a check if the user is logged in. We now require the acesss to modules and pages and possible certain sections in the page such as dropdown restrictions based on your role.
I'm not sure how to design but maybe a few pointers and writing the requirements here will help.
The user usually belongs to an company.
The user usually has a role within that company
The company is made up of 1 or more sub companies
The user/role can have access to some modules in the system
The user/role can have access to some or all sub companies.
A role must be completely configurable on the fly.
A interface is required to configure the access for the users and the roles.
The menu needs to be configured based on access rights
The page needs to be configured based on access rights
We are using asp.net 2.0 at the moment but could possibly upgrade.
So based on that I think we need
User, Group, Role ( but roles need to be configurable) and Modules
A role for one organisation may have same name but have access to completely different Modules.
I am not sure asp.net membership is suitable so would like some opinions as it seams that access to pages is all hardcoded in config etc?
Yes, you can use ASP.Net Membership Provider for what you have stated.
As you said you are using ASP.Net 2.0, you cannot use new ASP.NET Universal Providers which is based on Entity Framework.
However, Membership Provider is introduced in ASP.Net 2.0. So you can still use the old version which uses aspnet_regsql.exe to create tables with the correct schema.
Here is the link for step-by-step instruction -
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
Please note that you cannot migrate from old ASP.Net 2.0 Membership to new Universal Providers.
I have an ASP.NET MVC3 web application. I use Windows Authentication. I need to achieve the following:
create an admin Role
add specific user to admin Role.
create a database table to map users to their role to allow the application to check access permissions
The third point is the most important point. How do I do that?
If you want to use the default Membership and Role Provider please refer to this msdn article on how creating an intranet application with asp.net mvc 3. But if you want to implement your own membership and role provider i recommend to use this library.
Just insert in the web.config the call to the membershipRoleProvider.
than for implementing the roles just call the AddRole, while to check if a user is in a role just call IsUserInRole.
You can find samples and documentation here and here
I'm writing an MVC application, using ASP.Net Membership for security. The application will allow multiple websites to run from the same app and database.
The websites running on the app will be completely independent from each other. The users of those sites will have access to their site only.
If I'm using one web.config, one MVC app and one database, can I achieve site specific security using ASP.NET membership?
Presumably I'll only have one application key so won't be able to use that to differentiate between sites. I thought about using Roles but will be exposing roles to site administrators -- and don't want admins to add / configure roles for a different site to their own users.
This potential problem has only just occurred to me so any help will be greatly appreciated.
You could you have them as sub sites of the main site (with web.config setup there) and therefore, the authentication permeates through the sub-sites.
There is an ApplicationName property that the roles provider uses to filter roles on. Try setting that property before fetching roles.
Something like this should work:
Roles.ApplicationName = "MyAppName";
var authorized = Roles.IsUserInRole("Some.user", "admin");
I haven't tried this, it is a static property and could give you weird results, so be careful. The best way to do this would be to implement your own provider so you could do something like Roles.IsUserInRole("some.user","admin","MyAppName").
i'd like to create a Unique Web Site Administration Tool (UWSAT) to admin all users for all my websites on production server.
Basically the idea is to have the UWSAT with only an admin user; when the admin log the tool he could navigate the applications, select one and see its users . He could add new user to an existing application, or create a user specifying a new application name (as far as i know that create the application too).
The problem i'm facing is that to add a user to an application i have to set the Membership.ApplicationName but i read this should be avoided.
So i ask you : should i create a different MembershipProvider for each application and call it when i have to manage users for that application?
Thanks.
I recommend creating a role, and assigning it to the users. The role would be the application they should have access to.
The RoleProvider is one way to do this.
If I am using Windows Authentication in an ASP.NET app, and I want to use custom roles instead of using Windows security groups as roles, do I need to write a custom Role provider? The solution needs to be able to map Windows users and groups to application specific roles.
If I understand your question - no you don't need to use roles from Active Directory security groups as roles for your ASP.NET application. And you dont need to implement a custom Role provider. The default one simply retrieves the Roles from the ASP.NET application database.
You can simply have application defined roles in this database, that you create with the aspnet_regsql.exe utility (in the .NET 2.0 framework folder).
Probably the greatest collections of resources/information on this topic:
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
Actually you CAN use the built in ASP.NET security configuration web site. You have to temporarily switch to Internet Mode, Then you can add users DOMAIN\username as username, enter some password (it won't be used once you switch back), you can then assign these to roles. Once you switch back to Windows mode these users will be used automatically.