Using sfGuard and FOSUserBundle in parallel - symfony

Our client uses multiple applications that are developed with Symfony. The older ones use Symfony 1.3.x and the newer ones Symfony 2.x. User management and security are based on sfGuard using Propel. The client has created its own bundle for handling security with sfGuard-based ORM objects in Symfony 2. Now the client wants to upgrade the user management component. The current user management is made with automatic CRUD app generation for Symfony 1.x.
Upgrading user management to Symfony 2 using FOSUserBundle seems to be a reasonable solution, but is it possible to use the existing Symfony 1.x apps with the sfGuard plugin while handling user management with FOSUserBundle?
I'm quite new to Symfony, so I would appreciate clear guidelines to resolve the issue one way or another.

FOSUserBundle uses another kind of password storage.
I'm sure that FOSUserBundle is not able to check passwords created with sfGuard.
Maybe you can use https://github.com/FriendsOfSymfony/FOSAdvancedEncoderBundle to change the password encoder for FOSUserBundle.
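
What the answer above means in practice, as an added example (not code from the post, sfGuard or FOSUserBundle): a custom encoder has to recognise the legacy hash, verify it, and re-hash on a successful login. It assumes sfGuard's default storage of a hex `sha1(salt . password)` with `algorithm`, `salt` and `password` columns; the `native` marker and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: sfGuard rows carry algorithm, salt and password columns, with
// password = hex digest of (salt . plaintext) and sha1 as the default digest.
// Allow-list the digest; never call whatever the column happens to contain.
const LEGACY_DIGESTS = ['sha1'];

function verifyLegacy(array $row, string $plain): bool
{
    if (!in_array($row['algorithm'], LEGACY_DIGESTS, true)) {
        return false;
    }
    $computed = hash($row['algorithm'], $row['salt'] . $plain);
    return hash_equals($row['password'], $computed); // constant-time compare
}

// Returns [authenticated, row]; the caller persists the row when it changed.
// 'native' is a hypothetical marker for hashes made by password_hash().
function authenticate(array $row, string $plain): array
{
    if ($row['algorithm'] === 'native') {
        $ok = password_verify($plain, $row['password']);
        if ($ok && password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
            $row['password'] = password_hash($plain, PASSWORD_DEFAULT);
        }
        return [$ok, $row];
    }
    if (!verifyLegacy($row, $plain)) {
        return [false, $row];
    }
    // Legacy hash verified: replace it while the plaintext is available.
    $row['algorithm'] = 'native';
    $row['salt'] = ''; // password_hash() embeds its own salt
    $row['password'] = password_hash($plain, PASSWORD_DEFAULT);
    return [true, $row];
}

// Constructed sample row, not taken from any real database.
$salt = 'constructed-salt';
$row = ['algorithm' => 'sha1', 'salt' => $salt, 'password' => sha1($salt . 'correct horse')];

[$ok, $row] = authenticate($row, 'correct horse');
var_dump($ok, $row['algorithm']);                       // first login upgrades the row
var_dump(authenticate($row, 'correct horse')[0]);       // upgraded hash still verifies
var_dump(authenticate($row, 'wrong password')[0]);      // wrong password is rejected
```

Accounts that never log in again keep their salted SHA-1 hash, so a migration of this kind usually pairs with a cut-off date after which remaining legacy rows require a password reset.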

Related

Migrate Symfony from FOSUserBundle to Security

I have an old project written in Symfony 3.4 where I used FOSUserBundle for authenticating users.
Recently I started to upgrade the project to Symfony 6 - quite a long journey where I actually created a new project and copied most of the code from the old project.
Now the last challenge is to let existing users authenticate using their current credentials.
Does anyone have any advice on how to tackle this?
How can I use the new Symfony authenticate method (with MakerBundle and Security) but for the passwords and hashing algorithm that FOSUserBundle used?

Is it possible to use an old, custom database of users with IdentityServer4

I have an old .net based system with its own, custom, database of users.
Can I implement IdentityServer4, such that all login and related requests are delegated to my legacy application, either via API of that application, or directly accessing the legacy DB?
If so, are there any examples or how-tos for this?
Yes, it's trivial to integrate existing users with IdentityServer. The really nice thing is that all you need to do is implement the IProfileService interface.
IdentityServer never writes to the user database; it's read-only. So it's just a simple load operation that you need to implement to get it to work.
Also see this link and this link

Configure database for MVC authentication

I've been Googling terms like
configure database for mvc authentication
But I can't find anything from this decade that relates to my configuration.
I've created an MVC application using .NET Framework 4.6 with authentication support (database first). Now where do I find step-by-step instructions for creating the database tables and configuring MVC to use them?
Thanks for any tips!
The correct thing to google for is 'ASP.NET Identity'.
If you generate an MVC app straight from one of the templates it will generate a number of classes to handle security and identity.
One of these classes will implement interface IUserStore. The class provided will inherit from Microsoft.AspNet.Identity.EntityFramework.UserStore<TUser>, and uses Entity Framework to check the database if the tables exist, and create them if they are not there.
If you are uneasy about giving your application enough privileges to modify your data schema (ew!), you can create your own class that implements IUserStore and plug that into the system.
It's a big topic, but hopefully this is enough to get started with.

Microsoft Asp.Net Identity 2.0 - Entity Framework vs. Custom Provider

I am writing a new web site and am looking at Asp.Net Identity 2.0. Out of the box, it uses Entity Framework for all of its data access. For the rest of the site, we were creating middleware web services for data access. Our original plan, for security's sake, was that the web servers would talk to middleware and middleware would talk to the database via Entity Framework. We had planned on blocking database access from the web server via firewall.
I see that I can create a custom provider for Identity 2.0 and it in turn could use middleware for its data access.
Here are my questions:
1. Is it more secure to not allow the web servers to have direct database access?
2. If it is more secure, why would Microsoft not build it that way out of the box?
3. If you were starting from scratch like we are, would you recommend using Entity Framework or writing a custom provider that goes through our middleware layer?
Thanks.
1.) It can be secure. I don't see it as a security issue but as a coupling issue. What if you want to upgrade or change from Entity Framework in the future? What if you want to change from Identity 2.0? What if you want to upgrade one but you can't because the other doesn't support it yet?
2.) Microsoft wanted to promote its products first and foremost. For simplicity's sake, if you're OK with Entity Framework and Identity 2.0 and don't mind how coupled they are, it could be a perfectly fine solution.
3.) How much time/effort can you afford to spend on the custom provider? It might not be worth the effort to create your own provider.
Asp.NET Identity out-of-the-box is actually Asp.Net Identity on Entity Framework. It generates a database, connection string, the model files, the controllers and a context class for you, which you can redirect to your own database for it to generate the Identity tables within. Everything is very secure, and they've taken care of a lot of the authentication/password hashing for you. I wouldn't say it is worth it to create your own provider, but you can also create your own provider within Identity if you want. Identity 2.0 is great. Very easy to add custom table properties, etc.

User management with ASP.NET MVC 4

I am trying to re-learn ASP.NET and am building some applications; however, tutorials seem to be running short.
I understand ASP.NET now comes with built-in membership, which allows creating, editing and logging in users. However, is there a way for me to create a User Controller? From what I have read, it's a big no, because it may conflict with the AccountController. Maybe this is wrong, but I would like to be sure first.
Also, I understand that I can use the word [Authorize] in a controller (action or class) to limit access to users. However, if I provide [Authorize(Roles="Admin")], how can I define the roles for a user? Is there a field that already exists in the membership providing this, or do I need to supply a second NuGet package? If it's a field from the user, how does it know Roles is the value in the User tables?
You're confusing multiple things. Asp.net is the basic web technology, and there are three technologies that sit on top of that. Webforms, Web Pages, and MVC.
Membership has been a part of asp.net since Version 2, released in 2005. This is nothing new. There has been much written about it over the years.
If you're using MVC, which it seems you are, and you're using MVC4, then the default internet template uses SimpleMembership, which is not compatible with the built-in membership editor in Visual Studio (known as the Web Site Administration Tool or WSaT). This is only compatible with the old SqlMembership database tables, and SimpleMembership does not use those tables.
You can use SqlMembership with MVC4, but you have to configure it to use SqlMembership. Or, you can just not use WSaT and configure your user yourself.
Oh, and don't listen to people that tell you to create custom membership providers. This is the worst advice possible unless you know what you are doing, because it's non-trivial to create secure password hashing techniques. And 99% of people that try (even people that should know better) get it wrong unless they pay very close attention.
Use a provider from a reputable source unless you have VERY good reason not to. And then, check, double check, triple check your hashing code and then have an expert check it.
For authentication and authorization in asp.net, have a look at Forms Authentication and Membership Provider (and Role Provider for roles).
A quick search gives this article: Here
Have a look at other searches for "Custom Membership Provider".
This also looks interesting: How do I create a custom membership provider for ASP.NET MVC 2?
