suppose i have a forms authentication in my application. once authenticated, it can access certain folders / controllers in my website
auth level 1 -> profile,history,change password
but, certain users can access another part of site if they pass level 2 . this type of users are like resellers (like sellers of accounts, etc)
auth level 2 -> sell accounts, view online users
the question is, how can i implement this another forms authentication in mvc 3 app? can these 2 form authentication coexist? tnx
Surely you only need the one auth method.
What you are describing sounds like you want to implement "roles". I dont understand why you need 2 form authentication processes.
http://www.asp.net/mvc/tutorials/authenticating-users-with-forms-authentication-cs
https://web.archive.org/web/20211029043732/https://www.4guysfromrolla.com/articles/082703-1.aspx
Related
Java 8 + Spring MVC 4
I am learning to the programme and came across one scenario.
There are different roles
1) Admin
i) ABC Admin
ii) XYZ Admin
2) Normal
ABC Admin logged into the system and created a contract, with contract_id: 123
Edit URL is : localhost:8080/myApp/contract/edit/123
XYZ Admin logged into the system and copy pasted above edit URL in the browser.
(Ideally, XYZ Admin should not be able to edit the ABC admin contracts and vice versa)
I need some suggestions/ideas what should I use for this.
I did a search on google and got spring security will be the fit case for this.
You can use
#PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')") for access multiple role on a single method
or
#PreAuthorize("hasRole('ROLE_ADMIN')") for only one role on method level in Controller/DAO classes.
I just don't still get Claim Based Authentication/Authorization workflow.
The application allows authentication via Facebook.com
After the user is authenticated, an admin can give her/him a claim of having the role of Manager, which creates another claim (where?)
Of course, this claim won't be on the facebook.com server, question 1: where should that claim be stored?
When the user log in again later, I get the claim of facebook.com and I should get the claim from the application. and merge them?
How is the workflow? Trying to understand claims in practical usage.
Basically, Facebook tells me that I'm john#doe.com, and 'field in the blanks' adds a claim that I'm also a manager of domain.com
then I pass those claims to domain.com?
How should I configure in asp.net the application at domain.com to trust Facebook and 'filled in the blank piece' and request claims from both?
I guess I'm using external providers for Authentication and my own provider for Authorization, how this is created on ASP.NET (web API / MVC)?
UPDATE (for clarification)
Let's get backwards. I create a web application where users can register.
'Somehow' there's an trusted ClaimsBased authority somewhere (this should be another application??) where I request the claims for a particular user to see if have particular rights on my application.
So I imagine something like :
/authserver/claims
and my validation checks if X claim is met to do certain operations.
later I add to Facebook. now I have
/facebook/claims
which tells me the user is X
and
/authserver/claims to see if can do operation X on resource Y.
how this is managed on ASP.NET? and where my own claims should be created/exposed/developed.
I think I'm missing something fundamental here.
I think the important thing to understand is the difference between authentication and authorization.
Authentication - the act of confirming the truth of an attribute of a datum or entity.
Authorization - the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular.
So, typically for secured system, the workflow starts with Authentication. When a user first connects/uses a system, then are not authenticated (lets say this user is of a type/group Anonymous). The act of the system determining the user is not authenticated is an Authentication in and of it self. Based on being Anonymous, then the act of the system determining what that type of user anonymous has access too is now authorizing what the user can do. For very secure system, the only access anonymous has is to the login screen/page. Once logged in the user is assigned a unique identity and assigned some type of group policy/role (if not already created).
with a web-based application and having a website (#1) authenticate for another website(#2) it becomes a bit more complicated. When I log into StackOverflow(#1), I use my Gmail(#2) account. I get redirected to Google with some special way for Google to know that the page I came from/to go back to. This could be a special key/url combination or for less restrictive access, usually has to do with return url (after I say, yes, where I go back too). Google will create a special authentication token that is specific to the url I am returning to. It is tied to the URL because that means that my token on StackOverflow won't allow me or anyone else to log into say NewEgg for example (in other words someone at StackOverflow with access to the database can't use my token to authenticate as me on some other website, but technically they could log in as me on StackOverflow, but they own the website, so that doesn't really matter). Now I am authenticated on StackOverflow (but technically StackOverflow doesn't even need to know any information about me, just my Token).
On StackOverflow as a new user, a new account is created. This account probably has a one to many relationship to my unique account on Stack Overflow and multiple of logins (and type of logins, OAuth, OpenID or SO Login). Once the account is created, I have whatever access they have setup by default. If I need more or some trigger (lets say based on my Reputation points :) I now have access to Administrative functionality (given some role). That role is tied to my account and indirectly tied to my authentication. This means that I can create additional logins (say a Local SO Login) but keep my Account.
As for each Authentication resource (Google, Facebook, etc) there will be difference schemes for Authentication, but there will always be at least a token (or more than one token) for a website to say who I am (in a generic way).
So website #1 (Stack Overflow) has requested website #2 (Google) to Authenticate me. But only website #1 knows what am I Authorized for.
For role specific functionality, there are a good number of answer on SO dealing with ASP.Net Identity and the Role Manager:
Creating Roles in Asp.net Identity MVC 5
mvc 5 check user role
A much more Indepth look into Identity with MVC - Extending Identity Accounts and Implementing Role-Based Authentication in ASP.NET MVC 5
If you're using ASPNET.Identity (http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity), you can add a Role claim type to the user. It'll be associated with the userlogin, so when the user authenticates with Facebook, these user claims will be added and available in MVC.
See the following code fragment:
var acRes = await UserManager.AddClaimAsync(userId, new Claim(ClaimTypes.Role, "MyRole"));
I am the lead engineer on a web-based application that we would like to tightly integrate with salesforce. Specifically, we would like to:
Save email, hashed password / salt with contact record, and implement basic authentication service
Save entitlement information as part of the contact record
Basically, we would like to use salesforce as an authentication / entitlements service. Once a contact has been "converted" into a full fledged user of our system, we would like to be able to add user credentials to the contact object, and build an apex remote call that our system would use to authenticate the user. Furthermore, we would also like to enable / disable certain functionality on our site based on entitlements configured as part of the contact record.
I have read about using salesforce as an identity provider, but I don't think that this what we want. The contact record does not allow salesforce login.
Any direction would be appreciated.
They're probably going to need to be Customer Portal or Partner Portal Users.
I believe what you want to do may bypass SF's terms on users. If you want to authenticate users through salesforce, I believe you need a user license for every user (but there are some cheap licenses for high amounts of users, contact salesforce).
If you want access based on the contact object, you can map contacts to portal users, which creates an additional user object. From there on I do think the Salesforce Identity they are building, may be what you want ?
http://www.salesforce.com/company/news-press/press-releases/2012/09/120919-7.jsp
You don't need customer portal or partner portal, there are a set of tools that help you integrate Salesforce with third party application
look here :
http://wiki.developerforce.com/page/Integration
Hope this helps :)
The customers (clients) of an ASP.NET webapplication are companies and each company may have many users that have access to the site.
So, for instance CompanyA subscribes to the site to consume the site's services. Immediately a superuser of that company is created. Then, this supersuser has the permission to create more users of CompanyA that have access to the site.
So, in general, each user is identified by a CompanyName and a UserName.
Typical ASP.NET forms authentication provides automatic login and register functionality but only with Username and Password fields.
Does the .NET framework provides a way to include a CompanyName and CompanyPassword fields in the Login and Register controls?
A company and the initial superuser may also be registered in the system by the Site's administrator.
Actually what I would like is to include a CompanyName field in the provided .NET Login control, and not only Username and Password.
Is there a .NET framework way to do this, or do I have to custom-code it? In the latter case, which is the best practice?
Your scenario should NOT require a company name at all. So long as the username is a unique column, you should be able to lookup to which company does the user belong to. All you need is a user_company table which will link usernames to company ids. Once the super user is created, you know the company he belongs to and when he creates a user, you also know which company that user will belong to. On the login page you still only need to ask for username and password only; that's of course, if you don't want to allow users from different companies with the same username, which I think is reasonable and a good trade off for simplicity.
You can use any pre-existing or planned authentication scheme you want with ASP.Net Forms authentication.
See this (overly simplified) example from MSDN where you can even hard code the auth scheme if you so choose - not that you should, but it gives you the overall idea.
ASP.net Membership is provided to you by Microsoft if you want to use it (you don't have to). It has all the scaffolding you need if you use it (including the database you mention) and is used by Forms Authentication by default (not exclusively).
Hi i like to design a asp.net application(app1) where we can create role and actions. here action is such as create student details and delete student details... this both actions comes underneath to a role1.. so, the application will have some roles with set of actions. This roles and action will be used later in another applications(app2 and app3).
i have designed app1 with single sign on for all the application(app2,app3). when a user enter into app2, he/she will be redirected login page which resides in app1. There user validation will take place. once validated, authentication ticket will be send back to requested application(app2).
Once app2 receive the ticket, it will make another request app1 to get the roles and action belongs to singed user. the app2 should behave based the actions belongs to role.
*A user can have more roles.
how to control the user activities based on the actions?
Is there any framework to achieve this model?
Can you provide me any guidance for achieve my idea?
You should investigate the use of a RoleProvider which is built into the .NET Framework.
In addition to the role provider you can use the Authorization Manager to create Operations, Tasks, and Roles. You can then link Operations to specific function in you application and map roles in a variety of ways.
How To: Use Authorization Manager (AzMan) with ASP.NET 2.0