I find a few topics on this, but they point to too-generic documentation or, for the link that seemed most pertinent so far, don't work.
(I'll refer to all the built-in functionality for membership/roles in .NET as "Membership" here on out.)
Using .NET 4.0 and Visual Web Developer 2010 Express and SQL Server 2005.
I'm creating a website where, in order to sign up, you need to be a paying member. I've already created the database that holds all membership info, and I've already created the form where they sign up, as well as the pages where they themselves or site admins can manage their account info. I've also even created a class for authenticating them and checking for permission on pages based on level of access (roles).
I'm hoping for a clear, concise explanation of either of these options:
• Point "Membership" at the place where username/password are stored, disallowing it from auto-creating its own db. (I'll then go back through my site and replace my own custom authentication in the few places I have it with official .NET "Membership".)
• Or still run my own custom authentication, but in that process, say to "Membership", "Hey! User known as "username" and of role "member" is now authenticated. Note that in your own special place, assign them that role, and know what to do with it when I ask you hereafter." Could this be "Forms Authentication API"?
There's more to the account than just username/password/role. I know I can add more fields to accounts created using .NET but I also really don't want to use some randomly created, self-contained, disjointed database just for the sake of handling logins.
I have not yet learned the basics of "Membership", though I'm getting darn close in my process of learning .NET; and I can't spend the time right now making progress on that for personal reasons, but I have to proceed with making this site. I would like to be able to use many of the benefits that come along with .NET security, like being able to exclude users from folders using web.config, etc.
Mostly I'm just seeking assurance it will be possible for me to backpedal after I get some other aspects of the project shored up, but before I make it live, and without having to rewrite half of the membership forms and splitting that data into several databases and figuring out how to use "Membership" for either pieces of it or all of it when a member signs up.
Possible?
If I understand you correctly, what you are working on is similar to something I am working on here.
We have a custom authentication scripts in ColdFusion and I am creating a second .NET System with Membership login.
The way I went about it was to move all the user/role/profile information into Membership's tables and created an additional tblUserProperties table which holds all other information that the Membership standard tables cannot hold.
I have recoded the ColdFusion queries to point to the new Membership tables.
This way, if a user change password from either system, the logins will work from the other system as well.
I think keeping two systems/tables that do the same thing (authentication) is risky because of the password change reasons. There could be more, but why can't you just simply change your custom code to point to where Membership is pointing? That way you can use Membership provider to its full potential.
Related
I am creating a sort of intranet system in ASP.NET that requires me to hide/show/disable/enable certain things depending on the logged on user's role. So far I have been using ASP.NET Membership (what I learned in school) however I am running into problems with having to customize things. We need usernames and passwords but we also need to add custom fields like first name, last name, clearance level (which will be used to set the user's role when they are added) and some arbitrary descriptive fields like employee title and office location.
We're using Microsoft Access (OleDB Connection in ASP) for the bulk of our database needs and we have an employee table that stores all the info we need (like names and clearance levels). I wanted to find a way to link records in those tables to the user that was set up through ASP. We need to be able to create, edit and delete users not through the web configuration tool but through the site we're creating (it will be managed by someone not familiar with ASP). Since ASP Membership uses SQL Server, it is becoming complex for me to try and find a way to connect the user tables generated by ASP and the employee tables created for the project.
I have now read online that there are two other versions of this kind of Membership system: SimpleMembership and Identity. Just by habit I'm leaning towards the most recent iteration (Identity), however I am now reading it is harder to query the user tables for appropriate role info and such.
Which would be the best for a system that has 3 specific roles and must disable/hide specific things depending on the role? And which one would be best for allowing me to create my own Add/Edit/Delete pages for users within the system?
MembershipProvider is depricated and replaced by Asp.Net Identity. Use Identity if this is a new project. Think of migration from MembershipProvider to Identity if it is a brown-field project, but it can take a week of time.
Identity is highly customisable and it is easy to add extra fields on a user and CRUD for users is very easy, especially if you know Entity Framework.
I have used asp.net so far to create personal web applications, for example, an application where I maintain to-do tasks in an MS SQL Server database or a customer management and support system. I use the basic authentication via web.config where I can create another user who can look and work with such a database, but then all the data is shared between him and me.
But now I want to convert this application into a membership model where a user signs up and will get to use his own personal list of to-do tasks. I can think of the following approach. Please correct me if I'm wrong on some point or if I have missed something.
Steps:
Add a membership user table and use the primary key of this table to access other tables where I will need to add this column, the to-do list in this case.
Next, I will need to write the Login, Signup and User management logic to maintain the user table. Here, I was hoping to find some working samples but all searches give me only ASP.NET MVC membership samples. I don't want to use MVC because I am using third-party asp.net components. As far as I know I can not use MVC with those components. Any links to ready made samples similar to MVC but for asp.net?
I also want the users to be able to login with their google id, dropbox id, etc. Is this possible while having my own login/signup? How does user table change then? Is the Email Address the only data to link up all these things? For example, if someone logs in with google id, I authenticate using Google oauth 2 API but use the email address as the data to add or locate that user to give him his data tables. I'm confused on how this kind of user table looks where all kinds of logins are possible along with a custom one. Any ideas?
http://www.shiningstar.net/ASPNet_Articles/SqlMembershipProvider.aspx
This should help talk you through what you need to do.
I got the exact solution that combines membership with oauth and is built into ASP.NET 4.5. What is more, there is a video that demos it all!
http://www.asp.net/vnext/overview/aspnet/oauth-in-the-default-aspnet-45-templates
I just discovered ASP.net uses its own profile system to register users and there seems to be a lot of features available as bonus with it (such as secure authentication). However it seems rather specific to have such a feature for a general purpose development environment and things which work in the background the way the profiles system does without me really knowing how (like where the user data is stored) kind of scares me.
Is it worth developing a website which requires user authentication using the asp.net profile system or would it be better to develop my own using SQL databases and such? I'm not going to avoid using SQL anyway, even if I use profiles I'll use the profiles unique ID to identify user data in the SQL table so in that sense I'm not going to avoid using SQL for user information at all.
My favorite thing about profiles is that you can create custom permissions in Web.config files using them () and avoid having to type in the same code to the top of all your aspx source files to do the authentication check.
The other thing I kind of like about it is that security is built in with secure authentication cookies, so I wouldn't have to deal with them myself.
But it doesn't seem like that big of a deal really. I'm just confused as to where profiles stand as far as ASP.Net development goes and what they're designed to accomplish.
The Profile/Membership and Role provider API is very intertwined, and specifies things very narrowly. The benefit is that there is little you have to do to get a lot of functionality working. The disadvantage is when what you need doesn't match what is provided. Nevertheless, there are many potential gotcha's that the API takes care of for you that it really does make sense to use it, at least for authentication.
My needs did not match what the API provided, and I really only needed the Membership portion. The problem is that I had a piece where I needed to use the same authentication and authorization across a web application and a desktop application. My needs are pretty unique, but it's designed for a classroom setting.
Getting the membership to work for my needs wasn't that difficult. I just had to implement the Membership API. There are several features I just didn't need with the Membership API like self-registration, etc. Of course this did present me with a challenge for role management. Typically, as long as your user object implements IPrinciple it can be used directly--but there are serialization issues with the development web server Visual Studio packages if your user class is not defined in the same assembly. Those problems deal with serialization, and your choices include putting the object in the GAC or handle cross-appdomain serialization yourself with objects that are in the GAC like GenericPrincipal and GenericIdentity. That latter option is what I had to do.
Bottom line is that if you don't mind letting the API do all the management for you, than it will work just fine. It is a bit of smart engineering work, and attempts to force you down a route with decent security practices. I've worked with a number of different authentication/authorization APIs (most were not CLR based), and the API does feel a bit constraining. However, if you want to avoid pitfalls with session/state/cache management you really need to use the API and plug in your own providers as necessary.
With your database, if you need to link a user with any database element you'll be storing the user's login id (Context.User.Identity.Name).
You seem to mix the Profile/Membership/Role provider API. But to answer your question: why not use it? I would use it unless there is a real constraint that makes it unusable...
Hai,
i am trying to store the user permissions for my web site.But I am little bit confused with xml and Database. For each user in site have different permissions. Have u ever faced this issue? for Example , if my site is a shopping site , for a local user , the report menu need not to display. A sales man need not to display the purchase page. and so on ..
I think you understood my problem .I have done this user management using a xml file . For each user a new node will create according to the menu and keep in the xml file . Next time the user login ,checks the permissions and and show only the allowed menus.
My boss tell me to do the same thing using the Database. by using XmlDataSource it is quite simple to bind data to the treeview (for setting permission) and binding to the menustrip also.
He is pointing the security problem . i don't think like so.
Which is better ? DB or XML
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) and is stored in a SQLServer database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my dB (you download a dB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced on ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system using SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc..) then you'd have to implement your own provider (which is at best painful), and learn how the whole pieces fit each other. Granted, finding a custom implementation it's quite easy, but is not a copy & paste thing.
Another bad thing of the default provider model is that you will get a ton of SQL stored procedures, also called maintainance nightmares. The issue is that if your site scales, then these SP's will make your life a living hell (been there) and if you even dare to change hostings then you're in for a treat, so my advice would be make your own permissions hierarchy and use it the way you wish. Also, look for advices and some pre-existing solutions to the permissions problem which is quite common.
Website security can be split up into to distinct parts.
Authentication: Logging in
Authroization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our companies X500 directory (LDAP). It was very straight forward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming your developing a scale-able solution). You may also want to look at the Windows Itentity Foundation which is slated to supersede entlib security application block, however it is only available for .NET 4.0.
I am currently converting a very old, but working classic ASP site to ASP.Net.
It has a completely custom written user management system. Whilst it works fine, it really needs a refresh as I want it to be more flexible for some future projects in the works.
When I asked someone about this, they said "You need to use the Microsoft Provider" and gave a lecture on how Microsoft release all these things for free and how good they are and should be re used as much as possible.
I have done quite a bit of research on it (mainly looking at the videos on http://asp.net/learn ) and am very impressed by some of the features as there appears to be drag and drop components for items that would take me ages to write.
However, the current membership database is complicated to explain, it is a completely custom written database that has many internal relations... It is not really "compatible" with the default Microsoft Provider.
I have taken a look at How Do I: Create a Custom Membership Provider?, but I feel a little out of my comfort zone and worried it will either be slow, introduce a security hole or simply won't work.
At the end of the day, the Microsoft Membership Provider should work for me - the only customisations I really need is the login to use the username/password field in my database and the create user script which has a lot of custom code to several third party systems (needing to provision services etc.).
I was just wondering, what would you do if faced with a similar situation?
Use the Microsoft Membership Provider and somehow get it to work for you (although I would like suggestions)
Use the Microsoft Membership Provider but use custom provider that is customised around your code.
Use your own completely customised solution?
That video does complicate things :) If you're going to implement a custom provider then reflector over the existing one is a good place to start :)
As a quick and dirty option you could, of course, hack the stored procedures that the SQL Membership provider uses but the custom code to provision services is probably stretching that.
If you think about it the remote provisioning of services doesn't really belong in a membership provider, it's not really a membership function - all membership does is provide usernames and passwords and authentication around them. My own feeling is that you should move the provisioning of services out of there, and perform it on the ASP.NET site after a user has been created - even if that's just calling a stored procedure once the membership provider has done its thing. If you do this you may find that the SQL membership provider will do everything you need it to (probably with the Roles & profile providers too), and thus you have way less code to write!
I've been in similar situations in the past. In both cases we created custom implementations of the providers (MembershipProvider, RoleProvider, ProfileProvider) around the existing mechanism.
In both cases we only used the provider implementations for read-only access, e.g. to give us the easy validation gubbins in web.config and suchlike. The user administration code was left well alone as it worked just fine.
If the existing provider works (has the right fields for your data), use that to start. You can VERY easily replace that with a customer provider later (just a single config value change).
Beware there isn't an "out of the box" ASP.NET management interface for that, you'll need to roll your own or use a third party one.
Use my specialized MembershipProvider to work against my own database tables.