At present on login I am inserting a row for the user into an AccessSession table that keeps details of what roles the user has along with the ASP.NET_SessionId cookie.
My custom implementation of the GetRolesForUser method of this is:
public override string[] GetRolesForUser(string username)
{
List<string> roles = new List<string>();
string[] rolesArray;
char[] splitter = { '|' };
string sessionId = HttpContext.Current.Request.Cookies["ASP.NET_SessionId"].Value;
AccessSession sessionObject = AccessSession.Get(sessionId);
if (sessionObject != null)
{
rolesArray = sessionObject.Roles.Split(splitter);
foreach (string role in rolesArray)
{
if (!String.IsNullOrEmpty(role))
{
roles.Add(role);
}
}
}
return roles.ToArray();
}
The question I have is am I wrong using this approach? If cookies are disabled then there will be no HttpContext.Current.Request.Cookies["ASP.NET_SessionId"]. My alternative plan was to insert an AccessSession object in to Session but this always appears null when the custom RoleProvider tried to access it.
I could use cacheRolesInCookie=true but again that would be no better than the above approach as disabling cookies would break the functionality.
Thanks,
Richard
Well I managed to solve it in the end by getting the roles from the FormsAuthenticationTicket which held all my roles in already. Here is an example of the code:
public override string[] GetRolesForUser(string username)
{
List<string> roles = new List<string>();
string[] rolesArray = new string[] { };
char splitter = Advancedcheck.BLL.Common.Const.default_splitter;
if (HttpContext.Current.User != null)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
if (HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
rolesArray = ticket.UserData.Split(splitter);
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, rolesArray);
}
}
}
if (rolesArray.Length > 0)
{
foreach (string role in rolesArray)
{
if (!String.IsNullOrEmpty(role))
{
roles.Add(role.ToLower());
}
}
}
return roles.ToArray();
}
Related
A system need single user login at a time. If tried for multiple login simultaneously the user get blocked. I have used Cookie Authentication which will manage from client browser.
Login Code:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginViewModel oLoginViewModel)
{
try
{
bool Result = new UserBL().ValidateUser(oLoginViewModel.UserName, oLoginViewModel.Password);
if (Result == true)
{
FormsService.SignIn(oLoginViewModel.UserName, oLoginViewModel.RememberMe);
CreateAuthenticationTicket(oLoginViewModel.UserName);
return RedirectToLocal(Request.Form["returnUrl"]);
}
else
ViewBag.Error = "Invalid Username or Password / Due to simultaneous login you get blocked.";
return View();
}
catch (Exception ex)
{
throw ex;
}
}
public void CreateAuthenticationTicket(string username)
{
Users oUsers = new Users();
oUsers.Email = username;
oUsers.Role = "User";
int sessionid = new UserBL().GetByUserName(username).UserId;
string userData = JsonConvert.SerializeObject(oUsers);
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
username,
DateTime.Now,
DateTime.Now.AddYears(1), // value of time out property
false, //pass here true, if you want to implement remember me functionality
userData);
string encTicket = FormsAuthentication.Encrypt(authTicket);
var isSsl = Request.IsSecureConnection; // if we are running in SSL mode then make the cookie secure only
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
{
HttpOnly = false,
Secure = isSsl,
};
faCookie.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(faCookie);
//Login Repository Entry
LoginsRepository oLogin = new LoginsRepository();
oLogin.UserName = username;
oLogin.SessionId = sessionid.ToString();
oLogin.LoggedIn = true;
oLogin.CreatedOn = Utility.CommonFunction.DateTime_Now();
oLogin.IPAddress = HttpContext.Request.RequestContext.HttpContext.Request.ServerVariables["REMOTE_ADDR"];
oLogin.Status = En_LoginStatus.SingleUser.ToString();
new LoginRepositoryBL().Add(oLogin);
}
I'm saving every user login with their IP Address to check the user multiple login.
After login it redirects to home controller and their I checked the multiple logins logic from database table Loginsrepository which is mentioned above :
public class HomeController : CustomerBaseController
{
public ActionResult Index()
{
Users oUser = new Users();
oUser = new UserBL().getActiveUser();
// check to see if your ID in the Logins table has
// LoggedIn = true - if so, continue, otherwise, redirect to Login page.
if (new LoginRepositoryBL().IsYourLoginStillTrue(System.Web.HttpContext.Current.User.Identity.Name, oUser.UserId.ToString()))
{
// check to see if your user ID is being used elsewhere under a different session ID
if (!new LoginRepositoryBL().IsUserLoggedOnElsewhere(System.Web.HttpContext.Current.User.Identity.Name, oUser.UserId.ToString()))
{
Answers oAnswer = new Answers();
return View(oAnswer);
}
else
{
// if it is being used elsewhere, update all their
// Logins records to LoggedIn = false, except for your session ID
new LoginRepositoryBL().LogEveryoneElseOut(System.Web.HttpContext.Current.User.Identity.Name, oUser.UserId.ToString());
Answers oAnswer = new Answers();
return View(oAnswer);
}
}
else
{
oUser = new UserBL().GetByUserName(System.Web.HttpContext.Current.User.Identity.Name);
oUser.Status = En_Status.Inactive.ToString();
new UserBL().update(oUser);
FormsService.SignOut();
FormsAuthentication.SignOut();
return RedirectToAction("Login", "Account");
}
}
}
Above methods :
public bool IsYourLoginStillTrue(string userId, string sid)
{
try
{
using (var ctx = new CnSiteEntities())
{
IEnumerable<LoginsRepository> logins = (from i in ctx.LoginsRepository
where i.LoggedIn == true &&
i.UserName == userId && i.SessionId == sid
select i).AsEnumerable();
return logins.Any();
}
}
catch (Exception)
{
throw;
}
}
public bool IsUserLoggedOnElsewhere(string userId, string sid)
{
try
{
using (var ctx = new CnSiteEntities())
{
IEnumerable<LoginsRepository> logins = (from i in ctx.LoginsRepository
where i.LoggedIn == true &&
i.UserName == userId && i.SessionId != sid
select i).AsEnumerable();
return logins.Any();
}
}
catch (Exception)
{
throw;
}
}
public void LogEveryoneElseOut(string userId, string sid)
{
try
{
using (var ctx = new CnSiteEntities())
{
IEnumerable<LoginsRepository> logins = (from i in ctx.LoginsRepository
where i.LoggedIn == true &&
i.UserName == userId &&
i.SessionId != sid // need to filter by user ID
select i).AsEnumerable();
foreach (LoginsRepository item in logins)
{
item.LoggedIn = false;
}
ctx.SaveChanges();
}
}
catch (Exception)
{
throw;
}
}
It's not working properly. It keeps it true after login even if multiple simultaneous logins. I have googled it and tried it much but I didn't get any solution.
I'm wondering how I could get a list of members of an AD group.
Checking if an entered password of a user is correct works perfectly fine. For this I'm using Novell's Ldap.NetStandard:
private bool IsUserValid(string userName,string userPassword)
{
try{
using (var connection = new LdapConnection { SecureSocketLayer = false })
{
connection.Connect("test.local", LdapConnection.DEFAULT_PORT);
connection.Bind(userDn, userPassword);
if (connection.Bound)
{
return true;
}
}
}
catch (LdapException ex)
{
Console.WriteLine(ex.Massage);
}
return false;
}
What I want now is something like this:
bool isUserInGroup("testUser","testGroup");
The problem is I can't get my method working:
public bool IsUserMemberOfGroup(string userName,string groupName)
{
var ldapConn = GetConnection();
var searchBase = "";
var filter = $"(&(objectClass=group)(cn={groupName}))";
var search = ldapConn.Search(searchBase, LdapConnection.SCOPE_BASE, filter, null, false);
while (search.hasMore())
{
var nextEntry = search.next();
if (nextEntry.DN == userName)
return true;
}
return false;
}
What ever I'm doing, I'm not getting back any value from my Ldap.Search()...
Now there is an implementation of System.DirectoryServices.AccountManagement for .NET Core 2. It is available via nuget.
With this package you are able to things like that:
using (var principalContext = new PrincipalContext(ContextType.Domain, "YOUR AD DOMAIN"))
{
var domainUsers = new List<string>();
var userPrinciple = new UserPrincipal(principalContext);
// Performe search for Domain users
using (var searchResult = new PrincipalSearcher(userPrinciple))
{
foreach (var domainUser in searchResult.FindAll())
{
if (domainUser.DisplayName != null)
{
domainUsers.Add(domainUser.DisplayName);
}
}
}
}
This performs a search for the user in your domain.Nearly the same is possible for searching your group. The way I used to search my AD (description in my question) is now obsolet:
Checking if an entered password of a user is correct works perfectly
fine. For this I'm using Novell's Ldap.NetStandard:
How about:
HttpContext.User.IsInRole("nameOfYourAdGroup");
(namespace System.Security.Claims)
I have started developing an intranet website using ASP.NET Web Forms (I'm a total beginner) that uses Windows Authentication to identify users, but to control access to various pages, I'm looking to assign roles to users based on set criteria based on data within SQL tables (this data can change daily).
So far, I have the 'out of the box' ASP.NET Web Forms template with Windows Authentication that has a working connection to my (remote) SQL Server database.
I apologise if this has been answered elsewhere, but I can't seem to find a solution that fits my needs.
Using some basic IF logic, I will have the following roles: 'Admin', 'Moderator', 'HRA', 'Manager' and 'Employee'.
Looking up the logged-in user's data from a SQL table (3-4 fields max), set criteria will determine the user's role as follows:
if (UserRole === null) Then
If (ORG_ID === 30001000) Then
UserRole === 'Admin'
else if (ORG_ID === 30001001) Then
UserRole === 'Moderator'
else if (ORG_ID === 30001002) Then
UserRole === 'HRA'
else if (CHIEF === 'Chief') Then
UserRole === 'Manager'
else
UserRole === 'Employee'
End If
End if
I'm guessing that this would be worked into the Site.Master file that runs once per session but I'm stuck as to how this would work exactly and if anything needs to be added to the config file etc.
Thanks in advance, I understand how this would work with php but ASP.NET and how it works is completely new to me. If there is a better solution then great!
It's also worth noting that some parts of my site (e.g a Dashboards section) will allow some UserRoles to control custom access to dashboards controlled by an SQL table - but I can look at this in the future.
I thought I'd answer this myself just incase it's of any use to anyone else. I implemented my own Custom Role Provider and connecting to sql data to assign roles like this:
public class CustomRoleProvider : RoleProvider
{
public override bool IsUserInRole(string username, string roleName)
{
var roles = GetRolesForUser(username);
foreach (var role in roles)
{
if (role.Equals(roleName))
{
return true;
}
}
return false;
}
public override string[] GetRolesForUser(string username)
{
//create our List to hold our Roles
List<string> r = new List<string>();
r.Add("Employee");
//get our sap number of current user to look up against the database
var persno = Int32.Parse(10 + HttpContext.Current.User.Identity.Name.Substring(HttpContext.Current.User.Identity.Name.Length - 5));
//connect to our sql database
string strConnString = ConfigurationManager.ConnectionStrings["hrssportalConnectionString1"].ConnectionString;
string str;
SqlCommand com;
SqlConnection con = new SqlConnection(strConnString);
con.Open();
//SQL Query
str = "SELECT org_publisher.persno, org_publisher.record_type, org_publisher.org_string, map_user_roles.role_name FROM org_publisher LEFT JOIN users ON org_publisher.persno = users.persno LEFT JOIN map_user_roles ON users.role_id = map_user_roles.role_id WHERE org_publisher.persno = " + persno;
com = new SqlCommand(str, con);
//get our data
//SqlDataReader reader = com.ExecuteReader();
//reader.Read();
DataTable dt = new DataTable();
dt.Load(com.ExecuteReader());
//if we have rows returned do our checks
if (dt != null)
{
//get our data for checking
//string org_string = reader["org_string"].ToString();
//string line_manager = reader["record_type"].ToString();
string org_string = dt.Rows[0]["org_string"].ToString();
string line_manager = dt.Rows[0]["record_type"].ToString();
//Line Manager Role check
if (line_manager == "<ChiefPosition>")
{
r.Add("Manager");
}
//HRSS Role Check
if (org_string.Contains("30001803"))
{
r.Add("HRSS");
}
//HRA Role Check
if (org_string.Contains("30003237"))
{
r.Add("HRA");
}
//add all custom roles by cycling through rows
if (dt.Rows.Count > 0)
{
foreach (DataRow row in dt.Rows)
{
if (row["role_name"].ToString() != null)
{
r.Add(row["role_name"].ToString());
}
}
}
//close our sql objects
dt.Dispose();
con.Close();
//return List as an array
string[] rolesArray = r.ToArray();
return rolesArray;
}
else
{
//if no Rows returned from SQL, return only Employee role from List
string[] rolesArray = r.ToArray();
return rolesArray;
}
}
public override void AddUsersToRoles(string[] usernames, string[] roleNames)
{
}
public override string[] FindUsersInRole(string roleName, string usernameToMatch)
{
throw new System.NotImplementedException();
}
public override void CreateRole(string roleName)
{
throw new NotImplementedException();
}
public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
{
throw new NotImplementedException();
}
public override bool RoleExists(string roleName)
{
throw new NotImplementedException();
}
public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
{
throw new NotImplementedException();
}
public override string[] GetUsersInRole(string roleName)
{
throw new NotImplementedException();
}
public override string[] GetAllRoles()
{
throw new NotImplementedException();
}
public override string ApplicationName { get; set; }
}
Then in web.config:
<roleManager defaultProvider="CustomRoleProvider" enabled="true">
<providers>
<clear/>
<add name="CustomRoleProvider" type="ClassLibrary.CustomRoleProvider"
applicationName="WebApplication1" writeExceptionsToEventLog="false"/>
</providers>
</roleManager>
I am working on a new app and am using ASP.NET Identity and was wondering if there was a way to enforce a specific claim type be present on the ClaimsIdentity. Here is what I have so far.. It works but it seems there this is something that would / should be built in and maybe I am just not finding it.
public void SignIn(IUserIdentity user, string authenticationType, bool isPersistent)
{
if (user == null)
{
string msg = "UserIdentity or UserIdentity is null";
_logger.Error(msg);
throw new NullReferenceException(msg);
}
List<Claim> claims = _claimService.GetClaims(user.UserId);
var identity = new ClaimsIdentity(claims, authenticationType, ClaimTypes.Name, ClaimTypes.Role);
if (claims.Any() && claims.Single(c => c.Type == ClaimTypes.Name).Value != null)
{
_owinContext.Authentication.SignIn(new AuthenticationProperties
{
IsPersistent = isPersistent
}, identity);
}
else
{
throw new SecurityException("Invalid or null Name Claim");
}
}
I am not aware of any built-in way to assert that a claim exist.
Edit:
You are right. My original solution is over-engineered. I think your solution is the only way to go.
The validation is incorrect though for two reasons:
an exception is throw if the claim isn't found since .Single is used
Claim's value can never be null since it's constructor prevents it
It should be:
List<Claim> claims = _claimService.GetClaims(user.UserId);
if (claims.Any(i => i.Type == ClaimTypes.Name)
{
var identity = new ClaimsIdentity(claims, authenticationType, ClaimTypes.Name, ClaimTypes.Role);
Or
var claims = _claimService.GetClaims(user.UserId);
var identity = new ClaimsIdentity(claims, authenticationType, ClaimTypes.Name, ClaimTypes.Role);
if (identity.Name != null)
{
Original:
How I would do it is to separate authentication and authorization.
Authentication - verifies the user
Authorization - verifies what the user is authorized to do.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
public string[] ClaimTypes { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null) { throw new ArgumentNullException("httpContext"); }
var principal = httpContext.User as ClaimsPrincipal;
return principal != null && HasAllClaimTypes(principal) && base.AuthorizeCore(httpContext);
}
private bool HasAllClaimTypes(ClaimsPrincipal principal)
{
return ClaimTypes == null || ClaimTypes.All(claimType => principal.HasClaim(claim => claim.Type == claimType));
}
}
Enforce claim types that all controllers require in global filters like so:
filters.Add(new ClaimsAuthorizeAttribute { ClaimTypes = new[]{ ClaimTypes.Name } });
When a claim type is not present, the user is redirected to the log in page. (you may want to change this behavior though)
See this article too http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/
I'm using ASP.NET Membership. If all I ever care about is whether or not I have a non-null Membership.GetUser(), is there ever a reason to use Request.IsAuthenticated?
During development, I have inadvertently created situations where Request.IsAuthenticated is true, but Membership.GetUser() is null, so I would pass the [Authorize] filter test (which is applied globally, with [AllowAnonymous] applied specifically as required), but fail later on. While this is a situation that would probably not occur in production, I'd still like to account for it.
Given this, would it be appropriate to write a custom filter, say AuthorizeMembership or some such, that checks against Membership.GetUser() rather than Request.IsAuthenticated? Any gotchas to be aware of?
If so, would it also be okay to use that filter to populate a global UserInfo object with the user properties I typically need to process a request? I don't use Membership Profile at all, but manage my user properties independently in a separate application database.
The main different is speed.
The Request.IsAuthenticated is faster and use an internal cache flag, than the Membership.GetUser().
To see why the one is faster than the other I place here the code.
public virtual bool IsAuthenticated
{
get
{
if (this.m_isAuthenticated == -1)
{
WindowsPrincipal principal = new WindowsPrincipal(this);
SecurityIdentifier sid = new SecurityIdentifier(IdentifierAuthority.NTAuthority, new int[] { 11 });
this.m_isAuthenticated = principal.IsInRole(sid) ? 1 : 0;
}
return (this.m_isAuthenticated == 1);
}
}
but the GetUser() have too many calls because actually need more information's to give.
public static MembershipUser GetUser()
{
return GetUser(GetCurrentUserName(), true);
}
private static string GetCurrentUserName()
{
if (HostingEnvironment.IsHosted)
{
HttpContext current = HttpContext.Current;
if (current != null)
{
return current.User.Identity.Name;
}
}
IPrincipal currentPrincipal = Thread.CurrentPrincipal;
if ((currentPrincipal != null) && (currentPrincipal.Identity != null))
{
return currentPrincipal.Identity.Name;
}
return string.Empty;
}
public static MembershipUser GetUser(string username, bool userIsOnline)
{
SecUtility.CheckParameter(ref username, true, false, true, 0, "username");
return Provider.GetUser(username, userIsOnline);
}
internal static void CheckParameter(ref string param, bool checkForNull, bool checkIfEmpty, bool checkForCommas, int maxSize, string paramName)
{
if (param == null)
{
if (checkForNull)
{
throw new ArgumentNullException(paramName);
}
}
else
{
param = param.Trim();
if (checkIfEmpty && (param.Length < 1))
{
throw new ArgumentException(SR.GetString("Parameter_can_not_be_empty", new object[] { paramName }), paramName);
}
if ((maxSize > 0) && (param.Length > maxSize))
{
throw new ArgumentException(SR.GetString("Parameter_too_long", new object[] { paramName, maxSize.ToString(CultureInfo.InvariantCulture) }), paramName);
}
if (checkForCommas && param.Contains(","))
{
throw new ArgumentException(SR.GetString("Parameter_can_not_contain_comma", new object[] { paramName }), paramName);
}
}
}