I have created an ASP.NET MVC 5 application, which uses MongoDB as a database. The application allows users to register and log in as standard. I want to know how I can reset this, i.e. remove all user names. In which directory is all this registration data stored? Am I right in thinking that the user registration / authentication system has nothing to do with the MongoDB database? Thanks :)
Related
I want to decide between using a session parameter like Session["state"] = "logged"; or saving the state in my SQL Server database?
I also want to know: is there any other way to save login state after I authorize a login? I have my special login code and it's OK, but is there any other way to store login state and retrieve it when the user opens special pages?
You should use an existing security framework, and not build your own.
If you want to persist session information, you can persist it in a database. See https://support.microsoft.com/en-us/kb/317604
You don't authorize a login, you authenticate it.
I'm developing an ASP.NET MVC application. I need to support multiple authentication mechanisms (this app is used by multiple customers, each with their own preferred authn provider). One auth provider will be Active Directory. The AD integration for authentication is straightforward and I have no problems with that.
For authorization, roles will be stored in a local database (NOTE: we cannot use Active Directory groups for doing authorization - roles need to be local application roles because we support multiple authn providers and AD admins won't want to create custom groups in AD just for our app). My expectation is that we will need to create "stub" user accounts in our local database in order to do the User-is-assigned-which-Roles mapping. These stub user accounts will also be used to indicate which users are authorized to access the application (not everyone in the AD database should have access).
The anticipated flow of control will be:
User accesses login page > enters credentials > posts credentials to app server.
The app validates the credentials against AD. At this point, we know if the user is authenticated.
The app checks the user's SID to see if a "stub" user account with that SID exists in the local database. If not, the app displays a "not authorized" error message to the user.
The app will look up roles for the user in the local database user-is-assigned-which-roles table.
User identity info including roles will be stored as claims and the app will use typical claims based authorization (i.e. ClaimsAuthorizationManager).
My question is what is the best way to create "stub" user accounts into my local database? My guess is that we should use some sort of AD export script to export AD accounts for those users that should be granted access to the ASP.NET app and then import those users into the local database (NOTE: I expect that the stub account will contain minimal info - perhaps just the user's SID from AD and maybe the username).
A batch export/import is probably OK as an initial deployment process. After the app is up-and-running and new users join the organization, I expect a more user-friendly mechanism will be desired for granting a new user access to our app (other than exporting/importing the new user's account from AD to our local database). My guess is that we'll need some sort of user browser screen so that an admin in our app can browse the AD directory, select a user, click a button and then have that user's "stub" account created automatically in our app.
Has anyone implemented an application with similar requirements? If so, how did you bootstrap the creation of "stub" accounts in your local database? Is there a better way to address these requirements?
Please feel free to use this if it can help you: Custom Annotation Authorization
It's only a workaround, or just an idea, not a solution...
To use it you only need to use Annotation in the controller
e.g.
[ARQAuthorize]
public class BlaBlaController : Controller .....
I am currently implementing a similar solution. Here is how the application works. I'm using ASP.NET MVC 5, ASP.NET Identity 2.2.1.
I am using the Identity framework to manage users and roles within the application. The user goes to a login page and enters their credentials. The application checks against the application DB to see if the user exists. If not, it throws an error that the user doesn't exist in the database. If the user exists, it authenticates against AD. If authentication fails, they get an error message; if it doesn't fail, I create a ClaimsIdentity from the user out of the database (not the user in AD) and pass that to my SignIn method.
My user in the application DB has the same username as the AD username and I use that as my stub. I also include the domain of the user in the DB as well in the case that I might have multiple domains I need to support. With Identity, don't forget to also populate the SecurityStamp field with a guid.
The plan is to bulk import the users and permissions from a spreadsheet and I have some standard CRUD actions created to allow creation of individual users and assigning of roles after that.
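The flow described in this answer, sketched as an added example (it is not the poster's code). `StubUser`, `IStubUserStore` and `AdLoginService` are hypothetical names, and the sketch returns the same `null` for every failure so the caller can show a single generic message.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;

// Hypothetical local "stub" row: its existence is what grants access to the app.
public sealed class StubUser
{
    public string Domain { get; set; }
    public string UserName { get; set; }
    public string[] Roles { get; set; }
}

// Hypothetical lookup against the application database.
public interface IStubUserStore
{
    StubUser Find(string domain, string userName);
}

public sealed class AdLoginService
{
    private readonly IStubUserStore _store;
    public AdLoginService(IStubUserStore store) { _store = store; }

    // Returns an identity built from the local stub, or null on any failure.
    public ClaimsIdentity TrySignIn(string domain, string userName, string password)
    {
        // Reject empty input before it reaches the directory bind.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return null;

        // 1. Application DB first: no stub means no access, whatever AD says.
        StubUser stub = _store.Find(domain, userName);
        if (stub == null) return null;

        // 2. AD only answers whether the password is correct.
        using (var ctx = new PrincipalContext(ContextType.Domain, stub.Domain))
        {
            if (!ctx.ValidateCredentials(stub.UserName, password, ContextOptions.Negotiate))
                return null;
        }

        // 3. Claims come from the stub row, not from AD groups.
        var identity = new ClaimsIdentity("ApplicationCookie"); // cookie auth type name
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, stub.Domain + "\\" + stub.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Name, stub.UserName));
        foreach (string role in stub.Roles ?? new string[0])
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}
```

The returned identity is what would be handed to the sign-in step; the project needs a reference to System.DirectoryServices.AccountManagement.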
I am using a WCF Library (which contains the business logic), ASP.NET C# web pages (Home page, Welcome page), and SQL Server.
How can I get the username when a user has logged in with email ID and password, so that the username can be displayed on all web pages in the ASP.NET website? How is it possible? Please help me.
Write a stored procedure to retrieve all the user-related data that needs to be used frequently in the application and store it in a session. Manipulate the session according to your needs.
Create list of the things you want across all the web pages & keep it in session.
So, I've gotten weary with trying to search for my problem online.
I am currently creating an ASP.NET 2.0 application. The application currently is connected to a database which stores all the information I need to store. I also have connection to the LDAP directory at my workplace on it. I am using the LDAP directory for my application as everything is tracked by employee ids. I now need to add authentication and authorization.
Since my workplace is large, I need the ability to limit who has access to the website within the company as well as what they are allowed to do on the website. I know that ASP.NET has some sort of authentication and authorization, but I am completely oblivious as to how it works.
My current solution is to add a table to my database with two columns (employee id and access_id). The employee id can be used to pull information from LDAP about the employee whenever I need to. The access_id is a set of integers that represent what the user is allowed to see on the website.
When the user first starts a session on my website I use their nt id and pull the employee id from LDAP. I then look up all the access_id's and store them in an array for the session. Every time a user accesses part of the website, I check whether they have the access_id associated with that section and allow or disallow them based on that. My first access_id of 1 allows the user to see the webpage by setting the visibility of in C# as
if (access_id == 1)
    Enter.Visible = true;
What kind of LDAP directory are you using? If it's Active Directory, try:
http://msdn.microsoft.com/en-us/library/ff650308.aspx
or
http://msdn.microsoft.com/en-us/library/ff647405
You could also consider: http://msdn.microsoft.com/en-us/library/ff649313
If it's not AD, you could implement your own MembershipProvider: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
It's better to use the framework(s) where you can and only roll your own code when you have to.
I'm making a small portal in ASP.net (with C#.net4) where users can login and add, edit their personal information (PI). But I don't get how to load information (stored in a SQL server DB) in the page when a specific user is logged in.
For example: If Sam is logged in, he can view his PI. When Vicky is logged in, she can view her PI.
Who can help me with this?
Thanks in advance.
You need to retain the ID of the logged in user in a session variable and then use it to filter the query with which you fetch each user's info.
So if a user's ID is 278 then your query would run as:
SELECT first_name, last_name, * FROM user_table WHERE user_id = 278
From a session variable stored like:
Session["UserId"] = currentUserId;
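A fuller version of the query above, as an added example that is not part of the original answer: the ID is read only from server-side session state and bound as a SQL parameter. `ProfileData` and `LoadCurrentUser` are hypothetical names, and the sketch assumes `Session["UserId"]` was stored as an `int` at login.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.SessionState;

public static class ProfileData
{
    // Loads the profile row of the user bound to this session, or null if none.
    public static DataRow LoadCurrentUser(HttpSessionState session, string connectionString)
    {
        // The ID comes from the session set at login, never from a query
        // string or form field, so one user cannot ask for another's row.
        object raw = session["UserId"];
        if (!(raw is int))
            throw new UnauthorizedAccessException("Not logged in.");

        // Table and column names are the ones used in the answer above.
        const string sql =
            "SELECT first_name, last_name FROM user_table WHERE user_id = @userId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Bound parameter instead of string concatenation.
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = (int)raw;

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
                adapter.Fill(table); // Fill opens and closes the connection itself

            return table.Rows.Count == 1 ? table.Rows[0] : null;
        }
    }
}
```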
The ASP.NET membership provider has already taken care of this for you. Have you considered using it? You can manage all of your authentication, permissions, roles, and access/edit profile information -- which you define. You access the data via the membership objects, and you won't need to write a single line of SQL to do it. It will save you loads of work instead of trying to reinvent the wheel.
Use the regular membership as described in the other answers. Then leverage the Profile system so that each user can view/edit their info when logged in (per the question). CAVEAT: ASP.NET profile system only works out of the box with the Website project template. If you want to use the Web Application project template, then follow the steps here:
ASP.NET: Web Site versus Web Application Project
When you have the profiles up and running, the profile data can be stored in session objects while the user is logged in.