I am trying to create my first web application using ASP.NET. I've created a new sample ASP.NET project application.
First of all, I want to understand how I switch from the local App_Data file to a proper database, and how the whole authentication process works.
DB switch. What I did is attach the current example .mdf file through SQL Management Studio on a server. But I am not sure how I should modify my connection string. Could you help me please?
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true"
Could you please explain how authentication works? Say after a user enters their credentials and hits Enter, somewhere in the code it has to validate the username and password, but I can't find where it happens.
Let's say my user A is a Moderator and user B is a simple user. How should I detect which one it is? How do I display extra features for user A, since he is a Moderator?
For the connection string, the best option is to use Visual Studio. Go to Data -> Add New Data Source and follow the UI. Failing that, connectionstrings.com is a great reference.
There are different types of authentication in ASP.net, but given that you want to implement roles (user/moderator), Forms Authentication is probably a good choice. There are lots of resources on how to set this up, see here for example.
The final step is to implement roles so that your application knows who is a user, and who's a moderator. Once you have this configured correctly, your application can use simple logic like if (User.IsInRole("moderator")) ...
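As an added illustration of the last two points (this is example code, not from the answer above or from any ASP.NET sample project), here is a minimal Forms Authentication login handler plus a role-gated control. It assumes web.config already has `<authentication mode="Forms">`, a configured membership provider and `<roleManager enabled="true"/>`; the control names (txtUserName, txtPassword, lblError, pnlModeratorTools, btnDeletePost) and the role name "moderator" are placeholders.

```csharp
// Added example, not from the original answer: where the credential check
// happens in Forms Authentication, and how a page reacts to the user's role.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // This is the validation step the question asks about: the configured
        // MembershipProvider hashes the submitted password and compares it with
        // the stored hash. It returns false for unknown users and wrong
        // passwords alike.
        if (Membership.ValidateUser(userName, password))
        {
            // Issue the forms ticket cookie and go back to the page that
            // required login; "false" = no persistent (remember-me) cookie.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            // Keep the message generic so it does not reveal which part failed.
            lblError.Text = "Invalid user name or password.";
        }
    }
}

public partial class Dashboard : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // User.IsInRole asks the configured RoleProvider; hide the moderator
        // features from everyone else.
        pnlModeratorTools.Visible = User.IsInRole("moderator");
    }

    protected void btnDeletePost_Click(object sender, EventArgs e)
    {
        // Hiding the control is only cosmetic: the postback can still be sent,
        // so the role must be re-checked on the server before doing the work.
        if (!User.IsInRole("moderator"))
        {
            throw new HttpException(403, "Forbidden");
        }
        // ... perform the moderator-only action here ...
    }
}
```

The two `IsInRole` checks are deliberate: the first only controls what is rendered, the second is the actual authorization decision.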
1.) The connection string varies by the database used and the actual server settings. Consult your hosting provider if you can't figure it out by yourself.
2.) This depends on the actual implementation. The basic idea looks like this:
Provide the user a login form. The user sends back the form with the credentials filled in. On the server there's a function that compares these credentials to those stored in a persistence medium (like a DB), and if they match, the user is authenticated. If they don't match, you get an error.
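The "compare to what is stored" step from this answer, as an added example (not the answer author's code): the store keeps a random salt and a PBKDF2 hash per user rather than the password itself, and the comparison runs in fixed time. The in-memory dictionary is a constructed stand-in for the users table.

```csharp
// Added example: salted PBKDF2 credential storage and verification.
// The dictionary is a constructed stand-in for a database table.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class StoredCredential
{
    public byte[] Salt;
    public byte[] Hash;
    public int Iterations;
}

public static class CredentialStore
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 10000; // raise as hardware allows

    private static readonly Dictionary<string, StoredCredential> users =
        new Dictionary<string, StoredCredential>(StringComparer.OrdinalIgnoreCase);

    // Called once when the account is created: never keep the plaintext.
    public static void Register(string userName, string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        users[userName] = new StoredCredential
        {
            Salt = salt,
            Iterations = Iterations,
            Hash = Derive(password, salt, Iterations)
        };
    }

    // The server-side check behind the login form: true only when the user
    // exists and the submitted password reproduces the stored hash.
    public static bool Validate(string userName, string password)
    {
        StoredCredential stored;
        if (!users.TryGetValue(userName, out stored))
        {
            // Do the same amount of work for unknown users so response time
            // does not reveal whether a user name exists.
            Derive(password, new byte[SaltSize], Iterations);
            return false;
        }
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        return FixedTimeEquals(candidate, stored.Hash);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    // Compare every byte regardless of where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Usage: `CredentialStore.Register("alice", "correct horse")` once, then `CredentialStore.Validate("alice", "correct horse")` returns true and any other password (or any other user name) returns false. The built-in SqlMembershipProvider does the same job for you when `passwordFormat="Hashed"` is configured; the point of the block is to show what "compare the credentials" actually has to mean.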
A client requested that we develop a site for them but instead of the standard ASP.NET authentication or using Active Directory accounts, they would like us to use SQL server accounts for authentication. (That is, an account using SQL Server authentication.)
This website would be exposed to the public Internet and would have users that are not employed by the client and the client's Active Directory is not available in their DMZ.
So I have a few questions on this:
1) Is this a good idea? (Our gut feeling is that it's not.)
2) How should we best go about doing this?
Off the top of my head, the best answer I can come up with for how to do this would be to dynamically build a connection string based off the credentials the user enters in a web form. If the connection is successful, continue to the site. Otherwise, kick them back out to the login page. (And, of course, make sure accounts get logged out in the event of too many failed logins.)
Is there a better way?
Thanks.
1) Is this a good idea? (Our gut feeling is that it's not.)
There are a few problems using this. Notably, you would have to run your application as an escalated user to perform user maintenance (add/inactivate users, change passwords, etc.). Running a web app with escalated permissions on the database is generally frowned on. If you run this kind of thing outside of your application, then you'll need to get your DBA to run all the user maintenance stuff, which isn't fun. Also, if you have requirements around password complexity, password rotation, etc., you may find SQL Server authentication lacking compared to what would be available in AD, for example.
2) How should we best go about doing this?
You can easily test the provided credentials by attempting to log in to SQL Server using the supplied credentials. You can read the connection string from your configuration settings, but then load it into a SqlConnectionStringBuilder object (in System.Data.SqlClient somewhere), manipulate it to use the supplied credentials, and then connect using the result of that manipulation to test if the credentials were valid.
You would want to use that only for testing your login. After that, you could go back to using your normal connection strings.
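The probe described in this answer, as an added example (not the answer author's code): the application's configured connection string is loaded into a SqlConnectionStringBuilder, the submitted user name and password are swapped in, and a single Open() decides. "MainDb" is an assumed connectionStrings name.

```csharp
// Added example: test SQL Server credentials with a throwaway connection,
// then carry on using the application's normal connection string.
using System;
using System.Configuration;
using System.Data.SqlClient;

public static class SqlLoginCheck
{
    public static bool CredentialsAreValid(string userName, string password)
    {
        // Start from the real configuration so server, database and any
        // network settings stay the same; only the credentials change.
        var builder = new SqlConnectionStringBuilder(
            ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString);

        builder.IntegratedSecurity = false;
        builder.UserID = userName;
        builder.Password = password;

        // Keep probe connections out of the shared pool: every distinct
        // user/password pair would otherwise leave its own pool behind.
        builder.Pooling = false;

        // Encrypt the channel so the probe does not send the password in the
        // clear (assumes the server has a certificate it can present).
        builder.Encrypt = true;

        try
        {
            using (var conn = new SqlConnection(builder.ConnectionString))
            {
                conn.Open();   // a bad login surfaces here as SqlException
                return true;
            }
        }
        catch (SqlException ex)
        {
            // 18456 is SQL Server's "Login failed for user"; anything else
            // (server down, network, wrong database) is not a credential
            // problem and should not be reported as one.
            if (ex.Number == 18456) return false;
            throw;
        }
    }
}
```

Once `CredentialsAreValid` returns true, the code that issues the forms ticket runs and every later query goes through the application's own connection string, as the answer recommends; the builder with the user's password is never stored.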
I'm using the out of the box Asp.Net Membership functionality to handle my user management and role management.
My application consists of a single database for each client and each database has its own Membership provider and role provider.
However, there are some users who work for more than one of the clients, and I want to use a single login and let them choose which client to view. I have everything set up to facilitate this "client switching" by using an intermediate database that stores all usernames and a relation to which clients they have access to. I also have it set up so any updates to a user in one database will update all of the corresponding users in the other databases. All of this logic is working very well, except that I can't seem to figure out how to tell ASP.Net to change to a specific MembershipProvider and use that one.
The process I thought I should use is as follows (when the user switches the client in the clients dropdown):
Log the current user out
Tell ASP.Net which Membership provider to use (selected based on the client chosen in the dropdown)
Log the current user in using the selected client's membership provider and refresh/redirect to the page they were viewing when they changed the dropdown
I know how to get a reference to the specific membership provider (Membership.Providers[MembershipProviderName]), but I can't find any information on how to tell ASP.Net to change its membership provider. I'm not really even sure how the asp.net Login control does this in the background either - something that would probably help me out in all of this.
I've been searching SO and the web for a while and can't seem to find much about doing this other than a few threads where people are trying to modify the DefaultProvider attribute of the Providers element in their Web.config.
This MSDN tutorial may help you.
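One way to do the three-step switch described in the question without touching DefaultProvider, as an added example (not from the linked tutorial or the question author's code): validate against the provider chosen from the dropdown, then record the provider name in the forms ticket's UserData so later requests can find it again. The provider names are assumed to match `<membership><providers>` entries in web.config.

```csharp
// Added example: sign in through a specific MembershipProvider and remember
// which one was used. Provider names are placeholders for web.config entries.
using System;
using System.Web;
using System.Web.Security;

public static class ClientMembership
{
    // Steps 1-3 from the question: sign out, pick the provider, sign in.
    public static bool SwitchClient(string providerName, string userName, string password)
    {
        MembershipProvider provider = Membership.Providers[providerName];
        if (provider == null)
        {
            throw new ArgumentException("Unknown membership provider: " + providerName);
        }

        // ValidateUser on the provider instance, not on the static Membership
        // class, which would always use the default provider.
        if (!provider.ValidateUser(userName, password))
        {
            return false;
        }

        // Drop the existing ticket before issuing one for the new client.
        FormsAuthentication.SignOut();

        // UserData travels inside the ticket, which is encrypted and signed
        // with the machine key, so the browser cannot change the provider name.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, providerName, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        HttpContext.Current.Response.Cookies.Add(cookie);
        return true;
    }

    // On any later request: which provider does this user belong to?
    public static MembershipProvider CurrentProvider()
    {
        var identity = HttpContext.Current.User.Identity as FormsIdentity;
        if (identity == null) return Membership.Provider;

        string name = identity.Ticket.UserData;
        return Membership.Providers[name] ?? Membership.Provider;
    }
}
```

After `SwitchClient` returns true, redirect back to the page the user was on; anything that needs user data (password changes, role checks) should go through `CurrentProvider()` and the matching `Roles.Providers[name]` rather than the static `Membership`/`Roles` classes, because those always talk to the default provider.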
Question: What is the standard method for accessing back end data, which logon should you use?
Examples:
For example we have applications that require the user to login but then use an admin account to access the data from the backend.
But there are also applications that require the user to login and use those credentials to access the backend data.
Reason: We are in the process of creating an application that will require the user to login and would like to implement the more common method (standard practice) of accessing data.
If there are alternatives those are also welcome.
Note: This will be made in ASP.Net 3.5 or higher and may include Windows Applications(VB.Net) as well.
Thanks in advance.
Edit: I don't want to have two sets of credentials. What I am asking is which credentials are normally used to access the database. For example, one application may access 2 or more databases. Now, would you use the same credentials they used to login to the application, or would you use the admin account to access the data?
Edit 2: Maybe this should be a separate question, but if I ended up using integrated security to access the database, would the user be able to simply connect to the database using his AD account? Either through an ODBC connection and MS Access or equiv.
Why not just create a login table and a table of roles for the user? You can have a user be an Admin or a User just by setting their roles either in the Login table or in a separate table if a user can be more than one. Having 2 sets of credentials seems a pain to me.
You would typically use a single restricted permission account to access the database. This would be used as part of an application level connection string.
If you are set on having individual accounts for each user to access the database then you will need to construct the connection string dynamically using the appropriate individual username and password. You will need to store these in a table somewhere. You may find that SQL Server connection pooling becomes less effective with many different connection strings being used.
An alternative would be to use Windows authentication but this would generally require all users to be part of the same domain and you haven't indicated whether this would be possible in your case.
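The "single restricted permission account" approach from this answer, as an added example (not the answer author's code): the application always connects with one least-privilege SQL login taken from web.config ("AppDb" is an assumed name, and that login is assumed to hold only SELECT/EXECUTE on the objects it needs), while the application user's name is passed as a query parameter so the data layer can still restrict rows per user.

```csharp
// Added example: one restricted application login, with the end user's
// identity passed as data rather than as database credentials.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class OrderRepository
{
    private static string AppConnectionString
    {
        // One connection string for everyone means one connection pool,
        // which is the pooling benefit the answer refers to.
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // Returns only the orders owned by the given application user.
    // The table and column names are assumed for the example.
    public static List<int> OrdersFor(string appUserName)
    {
        var ids = new List<int>();
        using (var conn = new SqlConnection(AppConnectionString))
        using (var cmd = conn.CreateCommand())
        {
            // Parameterised: the user name is sent as a value and can never
            // become part of the SQL text.
            cmd.CommandText =
                "SELECT OrderId FROM dbo.Orders WHERE OwnerUserName = @user";
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = appUserName;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read()) ids.Add(reader.GetInt32(0));
            }
        }
        return ids;
    }
}
```

The caller passes `User.Identity.Name` (or whatever the application considers the logged-in user), never anything the browser supplied directly. Because the SQL login itself is not the end user's, nothing in this model lets a user open the database from Access or ODBC with their own account, which is the concern raised in Edit 2 of the question.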
I have an application which connects to a database, retrieves a username from a users table and matches it against the username retrieved with System.Security.Principal.WindowsIdentity.GetCurrent.Name.
On my localhost, everything works fine. The database exists on the development server but the application lies on my localhost. All of my authorization and authentication techniques are running smoothly.
However, when I publish my application to the development server, I'm faced with the following error.
Cannot open database requested in login 'databaseName'. Login fails.
Login failed for user 'DevelopmentServerName\ASPNET'.
I can't put my finger onto what would cause this. Any help would be greatly appreciated.
Thanks!
Edit: Here is the connection string!
<add name="connectionStringName" connectionString="Initial Catalog=myDatabase;Data Source=DevelopmentServerName;Integrated Security=True" providerName="System.Data.SqlClient" />
Also, for context. This authentication needs to grab the user's Windows username and match it against the username in the database. Users will have the Computername\Myname username built into the database (if they are authorized to use the required section of the program, that is).
Thanks again :)
It appears that your application is attempting to connect to the database under the ASPNET account, which may have limited permissions on the development server, as opposed to logging in as yourself (your local machine may actually be using your Windows identity). I can see two potential solutions.
Make sure to add into the system.web section of your web.config file.
Check with the system administrator and the SQL administrator to make sure the ASPNET account has proper authorization to connect to the database, if indeed your environment allows this account to connect.
Adding some additional code to your question, such as your connection string may help things out as well.
EDIT:
Okay, you are indeed using IntegratedSecurity, so typically with this kind of setup (using impersonation), you need to make sure you are getting prompted to add your Username and Password to authenticate against.
We have a similar setup, and to do this, we have to go to the IIS settings for the virtual directory, select the Directory Security tab, and click the Edit button under Anonymous access and authentication control.
Make sure Anonymous access is unchecked, and you will most likely need to enable the proper authentication for your environment. Unfortunately we're still using Basic authentication (clear text) here, but Integrated Windows authentication may work for you too. It depends on your environment.
I'm adding this comment to the main post since this seemed to have done the trick...
I just found this post which may help you get the proper configuration setup to handle what you need based on your IIS environment.
The answer may lay with your connection string. My guess would be that you are using integrated authentication to log into the database. This works fine when it's your machine because the application is using your credentials. When you publish to the development server you would be using the aspNet user and wouldn't have the right credentials to login. I would either add this user to your database server or change your connection string to use SQL authentication.
It could be a firewall setting that's preventing your server from seeing your database.
It might also have something to do with your connection string. If you're using anything besides a username/password combo in your web.config file, you will probably require additional configuration to convince the database server to let you connect.
It seems that what you want to do is impersonate the caller of the web page. You need to add a line to your web.config to do this:
<identity impersonate="true" />
See this article for an explanation.
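A small diagnostic that makes the point of these answers visible, as an added example (not from any of the answers): it reports the Windows identity the current request thread runs under, which is what both `WindowsIdentity.GetCurrent()` and an `Integrated Security=True` connection present to SQL Server, next to the user IIS actually authenticated. On the developer's machine the two normally coincide; on the server they only coincide once `<identity impersonate="true" />` is in place.

```csharp
// Added example: show which identity the database will see versus which
// user was authenticated, to explain "Login failed for user 'SERVER\ASPNET'".
using System;
using System.Security.Principal;
using System.Web;

public static class IdentityDiagnostics
{
    public class Report
    {
        public string ThreadIdentity;    // what SQL Server sees with Integrated Security
        public string AuthenticatedUser; // what IIS/ASP.NET authenticated
        public bool Impersonating;       // true only after <identity impersonate="true"/>
    }

    public static Report Collect(HttpContext ctx)
    {
        // GetCurrent() is the worker identity (e.g. SERVER\ASPNET) unless the
        // request thread is impersonating the caller.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        // GetCurrent(true) returns null when the thread is not impersonating.
        bool impersonating = WindowsIdentity.GetCurrent(true) != null;

        string authenticated = "(anonymous)";
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
        {
            authenticated = ctx.User.Identity.Name;
        }

        return new Report
        {
            ThreadIdentity = thread.Name,
            AuthenticatedUser = authenticated,
            Impersonating = impersonating
        };
    }

    // Convenience for dropping the result into a page during troubleshooting.
    public static string Describe(HttpContext ctx)
    {
        Report r = Collect(ctx);
        return "Thread identity: " + r.ThreadIdentity +
               "; authenticated user: " + r.AuthenticatedUser +
               "; impersonating: " + r.Impersonating;
    }
}
```

If `ThreadIdentity` shows the ASPNET account while `AuthenticatedUser` shows a real user, the database login failure is explained: the connection is made as the worker, not the caller. The same comparison also shows why matching `WindowsIdentity.GetCurrent().Name` against the users table only works under impersonation; `HttpContext.Current.User.Identity.Name` is the value that always names the caller.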
Here's the flow I'm looking for for authentication:
Attempt to pull in the user's name from windows authentication
If that failed (user is external to network), use BASIC authentication to get the username/password.
Check the username/password against the SQL database. If windows, password isn't required, if BASIC authentication and password is incorrect, prompt again
Create the Identity object with the user name, and populate the user's roles via another SQL database call
This would need to be used for multiple applications.
What would be the best method of implementing this? Creating a HTTPModule? If so, what do I need to keep in mind (security, virtual directory setup, etc)
This type of authentication is called Mixed Mode authentication (some Google searches on this will get you a lot of hits). We have a flavor of this running on a site I work on, however there are some quirks to our setup that have to do with odd business requirements.
Here is an article that might get you going on the subject:
http://www.15seconds.com/Issue/050203.htm
It is a big topic to give a huge detailed explanation of how you could set it up in one post.
Good luck!
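A skeleton of the HttpModule the question proposes, as an added example (not from the answer or the linked 15seconds article): Windows users arriving pre-authenticated by IIS pass straight through, everyone else is challenged for Basic credentials that are checked against a store, and both paths end with a GenericPrincipal carrying roles. It assumes IIS has both Integrated Windows and Anonymous access enabled for the directory so that non-domain callers reach the Basic branch; the credential and role lookups use a constructed in-memory table where the question would call SQL.

```csharp
// Added example: mixed-mode (Windows, then Basic) authentication module.
// The dictionaries are constructed stand-ins for the SQL lookups.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text;
using System.Web;

public class MixedModeAuthModule : IHttpModule
{
    // Constructed stand-ins: user -> password, user -> roles.
    private static readonly Dictionary<string, string> passwords =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) { { "extuser", "s3cret" } };
    private static readonly Dictionary<string, string[]> roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        { { "extuser", new[] { "user" } }, { "CORP\\alice", new[] { "moderator" } } };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Branch 1: IIS already authenticated a Windows user; no password
        // check, just attach the roles from our own store.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated
            && ctx.User.Identity is WindowsIdentity)
        {
            ctx.User = Build(ctx.User.Identity.Name);
            return;
        }

        // Branch 2: external caller. Basic sends the password in the clear,
        // so only accept it over TLS.
        string user, password;
        if (ctx.Request.IsSecureConnection
            && TryParseBasic(ctx.Request.Headers["Authorization"], out user, out password)
            && ValidatePassword(user, password))
        {
            ctx.User = Build(user);
            return;
        }

        // Nothing usable: challenge, which makes the browser prompt (again).
        ctx.Response.StatusCode = 401;
        ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"app\"");
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Decode "Basic base64(user:password)"; false for anything malformed.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(header)
            || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        try
        {
            string decoded = Encoding.UTF8.GetString(
                Convert.FromBase64String(header.Substring(6).Trim()));
            int colon = decoded.IndexOf(':');
            if (colon <= 0) return false;
            user = decoded.Substring(0, colon);
            password = decoded.Substring(colon + 1);
            return true;
        }
        catch (FormatException) { return false; }
    }

    private static IPrincipal Build(string userName)
    {
        string[] userRoles;
        if (!roles.TryGetValue(userName, out userRoles)) userRoles = new string[0];
        return new GenericPrincipal(new GenericIdentity(userName), userRoles);
    }

    private static bool ValidatePassword(string user, string password)
    {
        string stored;
        return passwords.TryGetValue(user, out stored) && stored == password;
    }
}
```

Register the module in `<httpModules>` (or `<modules>` under IIS 7 integrated mode) in each application that needs it. Things to keep in mind from the question's list: the Basic branch must be limited to HTTPS as above, the password store should hold hashes rather than the plaintext used here for brevity, and repeated failures should be counted per user so the "prompt again" loop cannot run unbounded.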