I'm somewhat confused by membership providers for .NET. I have built an MVC 3 web application, but obviously login pages don't work out-of-the-box because I need to wire up a membership provider. I would have expected this process to be easy, but when I search for help I find numerous articles on writing custom providers. Can't I just set up a table or two, wire up a few details in web.config and have things work based on some default MVC membership provider?
I have no desire to re-invent the wheel!
TIA.
The MSDN membership installation documentation is still applicable through to .NET 4, although note that the default Membership provider changes in 4.5 - totally different table structures.
TL;DR
Create the aspnet membership database OR add the tables to your existing database (aspnet_regsql.exe, which is in the .net 2 framework folder)
Add the necessary membership and role provider configuration sections to your web.config.
Use the site admin tool to add users (or at least an initial Admin User)
What is the difference between Simple Membership and Membership in asp.net? Is Simple Membership introduced in mvc 4.0?
ASP.NET membership was the traditional approach for authentication and authorization from the Microsoft team. But with the release of MVC 4, they introduced a new, improved version with the name Simple Membership. Simple Membership relies on the Extended Membership Provider.
Behind the scenes, the SimpleMembershipProvider and the ExtendedMembershipProvider, as well as DotNetOpenAuth are all at work.
These changes were needed because many web sites no longer want to store user credentials locally. Instead, they want to use OAuth and OpenID so someone else is responsible for keeping passwords safe, and people coming to the site have one less password to invent (or one less place to share an existing password). With these changes it is easy to authenticate a user via Facebook, Twitter, Microsoft, or Google. All you need to do is plug in the right keys.
Summary:
1) SimpleMembership has been designed as a replacement for the previous ASP.NET Role and Membership provider system.
2) SimpleMembership solves common problems developers ran into with the Membership provider system and was designed for modern user / membership / storage needs.
3) SimpleMembership integrates with the previous membership system, but you can't use a MembershipProvider with SimpleMembership.
4) The new ASP.NET MVC 4 Internet application template AccountController requires SimpleMembership and is not compatible with previous MembershipProviders.
5) You can continue to use existing ASP.NET Role and Membership providers in ASP.NET 4.5 and ASP.NET MVC 4 - just not with the ASP.NET MVC 4 AccountController.
6) The existing ASP.NET Role and Membership provider system remains supported, as it is part of the ASP.NET core.
7) ASP.NET 4.5 Web Forms does not use SimpleMembership; it implements OAuth on top of ASP.NET Membership.
Hope you got a clear concept of your question.
I am writing a new web site and am looking at Asp.Net Identity 2.0. Out of the box, it uses Entity Framework for all of its data access. For the rest of the site, we were creating middleware web services for data access. Our original plan for security sake was that the web servers would talk to middleware and middleware would talk to the database via Entity Framework. We had planned on blocking via firewall database access from the web server.
I see that I can create a custom provider for Identity 2.0 and it in turn could use middleware for its data access.
Here are my questions:
Is it more secure to not allow the web servers to have direct database access?
If it is more secure, why would Microsoft not build it that way out of the box?
If you were starting from scratch like we are, would you recommend using entity framework or writing a custom provider that goes through our middleware layer?
Thanks.
1.) It can be secure. I don't see it as a security issue but a coupling issue. What if you want to upgrade or change from Entity Framework in the future? What if you want to change from Identity 2.0? What if you want to upgrade one but you can't because the other doesn't support it yet?
2.) Microsoft wanted to promote its products first and foremost. For simplicity's sake, if you're OK with Entity Framework and Identity 2.0 and don't mind how coupled they are, it could be a perfectly fine solution.
3.) How much time/effort can you afford to spend on the custom provider? It might not be worth the effort to create your own provider.
Asp.NET Identity out-of-the-box is actually Asp.Net Identity on Entity Framework. It generates a database, connection string, the model files, the controllers and a context class for you, which you can redirect to your own database for it to generate the Identity tables within. Everything is very secure, and they've taken care of a lot of the authentication/password hashing for you. I wouldn't say it is worth it to create your own provider, but you can also create your own provider within Identity if you want. Identity 2.0 is great. Very easy to add custom table properties, etc.
I am trying to re-learn ASP.NET and build some applications, however tutorials seem to be running short.
I understand ASP.NET now comes with built-in membership, which allows users to be created and edited, and to log in. However, is there a way for me to create a User Controller? From what I have read, it's a big no, because it may conflict with the AccountController. Maybe this is wrong, but I would like to be sure first.
Also, I understand that I can use [Authorize] on a controller (action or class) to limit access to users. However, if I provide [Authorize(Roles="Admin")], how can I define the roles for a user? Is there a field that already exists in the membership providing this, or do I need to supply a second NuGet package? If it's a field from the user, how does it know Roles is the value in the User tables?
You're confusing multiple things. Asp.net is the basic web technology, and there are three technologies that sit on top of that. Webforms, Web Pages, and MVC.
Membership has been a part of asp.net since Version 2, released in 2005. This is nothing new. There has been much written about it over the years.
If you're using MVC, which it seems you are, and you're using MVC4, then the default internet template uses SimpleMembership, which is not compatible with the built-in membership editor in Visual Studio (known as the Web Site Administration Tool or WSaT). This is only compatible with the old SqlMembership database tables, and SimpleMembership does not use those tables.
You can use SqlMembership with MVC4, but you have to configure it to use SqlMembership. Or, you can just not use WSaT and configure your user yourself.
Oh, and don't listen to people that tell you to create custom membership providers. This is the worst advice possible unless you know what you are doing, because it's non-trivial to create secure password hashing techniques. And 99% of people that try (even people that should know better) get it wrong unless they pay very close attention.
Use a provider from a reputable source unless you have VERY good reason not to. And then, check, double check, triple check your hashing code and then have an expert check it.
For Authentication and Authorization in asp.net, have a look at Forms Authentication and Membership Provider (and Role Provider for roles).
A quick search gives this article: Here
Have a look at other searches for "Custom Membership Provider".
This also looks interesting: How do I create a custom membership provider for ASP.NET MVC 2?
I'd like to make an OOB Silverlight app based on the Silverlight Business Application template in Visual Studio. The template uses the default ASP.Net membership provider. I understand how to use that to add users and roles, etc. I've found plenty of tutorials on that. What I'd like to be able to do is configure the Silverlight template so that it uses an existing ASP.Net membership base. We'd like this app to have a companion website (ASP.Net based).
To clarify: We've been able to set up an ASP.Net website and have created a SQL database with the required tables (aspnet_Users, aspnet_Membership, etc.). I'd like to configure a Silverlight app to access the same users and roles that are in those tables.
Can anyone help me out in terms of what I'd need to put in the Web.config? Do I just need a connection string? I'm new to ASP.Net authentication, but I'd rather use what ASP.Net gives me out of the box than have to write my own authentication service. I feel like this should be really easy, and is just a matter of pointing the Silverlight app in the right direction.
I'd like to use Silverlight 5 and .Net 4.5 if I can but I don't mind using an older version of either if it makes things easier.
You can just point the connection string to the existing database.
From this answer:
You can point your connection string for authentication to a database that all applications can access.
So if you have the default database that .NET creates, you can point your other application to that as well for authentication.
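An added configuration example (not from any of the posts above) for the step "add the necessary membership and role provider configuration sections to your web.config" and for pointing a second application at the same membership database. The server name, database name, provider names and login URL are placeholders; the numeric password and lockout values are illustrative choices.

```xml
<!-- Added example: classic SQL membership/role providers in web.config.
     DBSERVER, aspnetdb, MembershipDb, SqlMembership and SqlRoles are placeholder names. -->
<configuration>
  <connectionStrings>
    <!-- Points at the database populated by aspnet_regsql.exe
         (aspnet_Users, aspnet_Membership, ...). -->
    <add name="MembershipDb"
         connectionString="Data Source=DBSERVER;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL keeps the authentication cookie off plain HTTP. -->
      <forms loginUrl="~/Account/LogOn" timeout="30" requireSSL="true" />
    </authentication>
    <membership defaultProvider="SqlMembership">
      <providers>
        <clear />
        <!-- applicationName scopes the user rows: every application sharing this
             database must use the same value to see the same accounts.
             passwordFormat="Hashed" is one-way, so enablePasswordRetrieval
             has to stay false. -->
        <add name="SqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

A companion site or services project that should authenticate the same users needs the same connection string target and the same `applicationName` in both provider entries.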
I am trying to build an MVC 4 app with MySQL as database and using asp.net System.Web.Providers, Entity Framework 5 with Code First approach. So far it's been hell!
I have made it work using MVC 3 AccountModel (since my mysql connector does not support the SimpleMembership yet).
So far users can be created, but I would like to have a little more information about the users stored in the database, e.g. what posts they have authored, their website, etc.
For this purpose I have created a UserProfile class that stores this information.
How do I relate my UserProfile class to the asp.net auth-stuff, so I can get the extra user stuff, whenever I have my MembershipUser available?
Is the reverse possible?
Without more information it is hard to answer your question.
In general, with regard to MVC3 Membership, it sounds like you would be best looking at a custom membership provider. Try these for help:
Code Project - Custom Membership Providers
ASP.NET MVC 2 Custom Membership Provider Tutorial
ASP.Net MVC 3 Custom Membership Provider with Repository Injection
or maybe the links in this StackOverflow answer
If custom membership seems over the top, you could try creating separate models that map to the UserProfile as mentioned in this and this.
Hope this is helpful.