I'm implementing my frist web application on asp.net mvc 4 and I need to differentiate my users according to roles ( show certain menus to some roles and hide them from others) basically what i want is to manage my users and roles. I understand that security is quite an important part of my application so I don't want to risk it by implementing something not secure while there are other options for doing this.
My question is, is there something already built on MVC 4? is it apropiate for my a small site? ( I don't expect more than 50 concurrent users) is it better to implement my own user administrator? if so, where can I start? so far what I've found is the membership provider but it seems quite big for what i need, there will be no user registration instead the new users will be added by system admins.
Thanks for taking the time for reading this, any feedback will be appreciated!
I would have recommended the default membership provider as it makes use of security industry best practices (i.e. salted hash). However, if that seems overkill, there is a simpler membership provider called SimpleMembership Provider
You can use New ASP.NET Universal Providers (updated version of legacy Membership Provider).
It can be used in small application as well as large application (if you application continues to grow).
Password is encrypted with salt, so it cannot be compromise easily.
Follow the Scott Hanselman's link and see the demo. You will see how easy to set up.
Related
Haven't done security in ASP.NET before. Need to secure an MVC site - simple username/password access for admin access to the site's logs and admin areas, not for general users.
Looked into Identity/OWIN, and it is, as of this writing, half-baked. There are multiple ways to do things, the docs are few or non-existent, and blogs dicuss deprecated or alpha versions. The samples don't correspond to anything in the docs or blogs. In short, it's a mess.
Security is hard, so I want to use something that was written by an expert, works and is tried-and-tested. Must be from Microsoft, not some third-party stuff.
So what security API came before Identity/OWIN, which works well and hasn't been compromised? They've released many, so I don't know which to use?
Forms Authentication with custom Membership and Role Providers were used for years and still can be used. The SimpleMembership is something that tries to simplify the original provider model but sacrifices too much, in my opinion plus it us still not that simple.
There are thousands of tutorials on Forms Authentication and you should be able to start immediately. The Membership/Role Provider model is also extremely well documented.
In terms of correspondence
Membership/Role Providers correspond to the Identity api
Forms Authentication corresponds to the owin security api
The predecessor to Identity/OWIN was SimpleMembership.
However, according to my question "What is MVC4 security all about?", SimpleMembership is an oxymoron.
I'm creating an ASP.NET website and intend to have multiple "Applications", each with its own set of users. Effectively I need a way to have different groups that people can register with, so "UserA" can be created in "ApplicationA" and "UserA" can also be created in "ApplicationB". I do not want UserA to be created in all Applications, the user has to feel as though they're creating a separate user account for each application.
I think I can do this with ASP.NET's Membership provider and the Applications table, but I'm having a hard time finding good tutorials on how to do this (searching on "Applications" just leads me to how to create ASP.NET Applications, not how the Applications table relates to the ASP.NET Membership). Can anyone point me in the right direction here?
Yes, you can use ASP.Net Membership for your applications that you have stated.
Please use new ASP.Net Universal Provider. (Membership which generates aspnet_xxx tables is an old one.)
Also make sure to set the following in web.config -
set applicationName (in membership, roleManager) for each appliation.
set machineKey
here is the schema:
http://superpatrick.files.wordpress.com/2007/11/aspnet_membership_schema_updated.png
here is some info about the membership
http://www.asp.net/web-forms/tutorials/security/membership/creating-the-membership-schema-in-sql-server-vb
Hai,
i am trying to store the user permissions for my web site.But I am little bit confused with xml and Database. For each user in site have different permissions. Have u ever faced this issue? for Example , if my site is a shopping site , for a local user , the report menu need not to display. A sales man need not to display the purchase page. and so on ..
I think you understood my problem .I have done this user management using a xml file . For each user a new node will create according to the menu and keep in the xml file . Next time the user login ,checks the permissions and and show only the allowed menus.
My boss tell me to do the same thing using the Database. by using XmlDataSource it is quite simple to bind data to the treeview (for setting permission) and binding to the menustrip also.
He is pointing the security problem . i don't think like so.
Which is better ? DB or XML
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) and is stored in a SQLServer database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my dB (you download a dB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced on ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system using SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc..) then you'd have to implement your own provider (which is at best painful), and learn how the whole pieces fit each other. Granted, finding a custom implementation it's quite easy, but is not a copy & paste thing.
Another bad thing of the default provider model is that you will get a ton of SQL stored procedures, also called maintainance nightmares. The issue is that if your site scales, then these SP's will make your life a living hell (been there) and if you even dare to change hostings then you're in for a treat, so my advice would be make your own permissions hierarchy and use it the way you wish. Also, look for advices and some pre-existing solutions to the permissions problem which is quite common.
Website security can be split up into to distinct parts.
Authentication: Logging in
Authroization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our companies X500 directory (LDAP). It was very straight forward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming your developing a scale-able solution). You may also want to look at the Windows Itentity Foundation which is slated to supersede entlib security application block, however it is only available for .NET 4.0.
I am currently converting a very old, but working classic ASP site to ASP.Net.
It has a completely custom written user management system. Whilst it works fine, it really needs a refresh as I want it to be more flexible for some future projects in the works.
When I asked someone about this, they said "You need to use the Microsoft Provider" and gave a lecture on how Microsoft release all these things for free and how good they are and should be re used as much as possible.
I have done quite a bit of research on it (mainly looking at the videos on http://asp.net/learn ) and am very impressed by some of the features as there appears to be drag and drop components for items that would take me ages to write.
However, the current membership database is complicated to explain, it is a completely custom written database that has many internal relations... It is not really "compatible" with the default Microsoft Provider.
I have taken a look at How Do I: Create a Custom Membership Provider?, but I feel a little out of my comfort zone and worried it will either be slow, introduce a security hole or simply won't work.
At the end of the day, the Microsoft Membership Provider should work for me - the only customisations I really need is the login to use the username/password field in my database and the create user script which has a lot of custom code to several third party systems (needing to provision services etc.).
I was just wondering, what would you do if faced with a similar situation?
Use the Microsoft Membership Provider and somehow get it to work for you (although I would like suggestions)
Use the Microsoft Membership Provider but use custom provider that is customised around your code.
Use your own completely customised solution?
That video does complicate things :) If you're going to implement a custom provider then reflector over the existing one is a good place to start :)
As a quick and dirty option you could, of course, hack the stored procedures that the SQL Membership provider uses but the custom code to provision services is probably stretching that.
If you think about it the remote provisioning of services doesn't really belong in a membership provider, it's not really a membership function - all membership does is provide usernames and passwords and authentication around them. My own feeling is that you should move the provisioning of services out of there, and perform it on the ASP.NET site after a user has been created - even if that's just calling a stored procedure once the membership provider has done its thing. If you do this you may find that the SQL membership provider will do everything you need it to (probably with the Roles & profile providers too), and thus you have way less code to write!
I've been in similar situations in the past. In both cases we created custom implementations of the providers (MembershipProvider, RoleProvider, ProfileProvider) around the existing mechanism.
In both cases we only used the provider implementations for read-only access, e.g. to give us the easy validation gubbins in web.config and suchlike. The user administration code was left well alone as it worked just fine.
If the existing provider works (has the right fields for your data), use that to start. You can VERY easily replace that with a customer provider later (just a single config value change).
Beware there isn't an "out of the box" ASP.NET management interface for that, you'll need to roll your own or use a third party one.
Use my specialized MembershipProvider to work against my own database tables.
In my current project, we need to authenticate users of an ASP.NET application against Active Directory. I think it can be achieved using the membership provider without too much problems. but we need also to manage user roles that will be kept in the ASP roles management tool.
Did anyone implement this configuration? Does it look feasible?
Any tip for one or the other point?
Thanks.
David
Yes! The ASP.NET role provider is designed to work exactly in that case - the particulars of the authentication provider are irrelevant to the role provider, and it will store the bare essential information to make the two work together - basically the user's AD identity (domain\user) is tracked in the role database and matched up when necessary.
There is an ActiveDirectoryMembershipProvider that can be used to use Active Directory for authenticating users.
Alternatively, you could roll your own MembershipProvider by extending the abstract MembershipProvider class and then use System.DirectoryServices to check against Active Directory when validating a user (ValidateUser method of MembershipProvider). This is pretty straightforward to do and you need only implement the methods that you actually need in the custom provider.
You might consider implementing your own RoleProvider too, depending on whether the default fits your needs.
Use it all the time, intranet only of course.
You may be interested in the WindowsTokenCachingRoleProvider. In scenarios where performance is essential, this really shines:
http://lvildosola.blogspot.com/2007/02/improve-performance-when-using.html
Simple and elegant.
Please take a look at this question, seems like you're asking for pretty much the same thing, and my answer there should give you what you need.
ASP.NET Membership and Role providers that can be used from ASP.NET and WinForms/WPF clients as needed.