I'm writing an MVC application, using ASP.Net Membership for security. The application will allow multiple websites to run from the same app and database.
The websites running on the app will be completely independent from each other. The users of those sites will have access to their site only.
If I'm using one web.config, one MVC app and one database, can I achieve site specific security using ASP.NET membership?
Presumably I'll only have one application key so won't be able to use that to differentiate between sites. I thought about using Roles but will be exposing roles to site administrators -- and don't want admins to add / configure roles for a different site to their own users.
This potential problem has only just occurred to me so any help will be greatly appreciated.
You could you have them as sub sites of the main site (with web.config setup there) and therefore, the authentication permeates through the sub-sites.
There is an ApplicationName property that the roles provider uses to filter roles on. Try setting that property before fetching roles.
Something like this should work:
Roles.ApplicationName = "MyAppName";
var authorized = Roles.IsUserInRole("Some.user", "admin");
I haven't tried this, it is a static property and could give you weird results, so be careful. The best way to do this would be to implement your own provider so you could do something like Roles.IsUserInRole("some.user","admin","MyAppName").
Related
If I use windows authentication inside an asp.net mvc web project , I will not get any membership database, unlike form based authentication . But I can still use Roles. So i have the following questions:-
So where are these roles managed, and how I will be assigning users to roles when using windows authentication ?
are these roles managed and created only inside Active directory ? and if I want to add a user to specific role, I will be doing this inside the active directory ?
so can anyone advice ?
Edit
Now if i understand your point well, let say that i want to restrict calling an action method to only our company admininstrators. where currently inside active directory we have a group of users named "OurCompanyAdminsitrators"
so let say i create a new asp.net mvc5 web project , and i specify to use Windows authentication , then inside my action method i wrote the following:-
[Authorize(Roles = "OurCompanyAdminsitrators")]
will asp.net mvc5 recognize the OurCompnayAdministrators user group ? or i need to do extra work for my asp.net mvc web project to be able to read and check against the active directory groups ?
I think there are many ways to approach this, 2 I can think of off the top of my head:
Use Active Directory to manage your roles and add users to the Active Directory groups as required. You can then access them through the users Identity in which you can get from the http context.
Create a separate service/component to manage the security for you where you map user credentials to roles that you define yourself completely away from AD. Obviously there is more of a time investment here and you will need to duplicate some information.
We can use SimpleMembership provider. "SimpleMembership: The future of membership for ASP.NET".
http://weblogs.asp.net/jongalloway//simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates
http://www.codeproject.com/Articles/689801/Understanding-and-Using-Simple-Membership-Provider
http://www.mono-software.com/blog/post/Mono/226/Adding-ASP-NET-SimpleMembership-to-an-existing-MVC-4-application/
Edit:
We can use SqlRoleProvider.
http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.aspx
http://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server
I built an ASP.Net MVC 4 application which uses forms authentication by means of a custom membership provider inheriting from the Simple Membership.
Everything is working fine, but now I have a new requirement: I need to integrate a JSP application with mine.
This means that it has to authenticate against the same user database of my application and that they should somehow share the session in order to achieve a kind of Single Sign-On among the two applications (if an user is already authenticated in the ASP.Net application, he should be able to access the JSP application without logging in again, and vice-versa).
What architecture do you suggest me to use?
I would like to change as little as possible the ASP.Net application.
Thanks!
If you need to auhtenticate accross different domains:
You can implement your own security token service (like facebook, google does) Here is some ready to use implementation: http://thinktecture.github.io/Thinktecture.IdentityServer.v2/
If the sites are running on the same domain (subdomain), then you can try to share an authentication cookie within these domains.
An explaining article: http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
We are looking at enhanching our current security access model which is basically a check if the user is logged in. We now require the acesss to modules and pages and possible certain sections in the page such as dropdown restrictions based on your role.
I'm not sure how to design but maybe a few pointers and writing the requirements here will help.
The user usually belongs to an company.
The user usually has a role within that company
The company is made up of 1 or more sub companies
The user/role can have access to some modules in the system
The user/role can have access to some or all sub companies.
A role must be completely configurable on the fly.
A interface is required to configure the access for the users and the roles.
The menu needs to be configured based on access rights
The page needs to be configured based on access rights
We are using asp.net 2.0 at the moment but could possibly upgrade.
So based on that I think we need
User, Group, Role ( but roles need to be configurable) and Modules
A role for one organisation may have same name but have access to completely different Modules.
I am not sure asp.net membership is suitable so would like some opinions as it seams that access to pages is all hardcoded in config etc?
Yes, you can use ASP.Net Membership Provider for what you have stated.
As you said you are using ASP.Net 2.0, you cannot use new ASP.NET Universal Providers which is based on Entity Framework.
However, Membership Provider is introduced in ASP.Net 2.0. So you can still use the old version which uses aspnet_regsql.exe to create tables with the correct schema.
Here is the link for step-by-step instruction -
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
Please note that you cannot migrate from old ASP.Net 2.0 Membership to new Universal Providers.
I have many pages in web application, i want display some pages to all including anonymous user and some pages should be protected from anonymous user can it is possible through authentication and authorization.. if it is possible then please tell me how......
There is built in functionality in ASP.NET for this. See ASP.NET Authorization on MSDN for an introduction.
You can specify what roles are allowed to access different pages/paths. With a membership and role provider you get a built in handling of users and roles. If you are in a corporate environment you probably want to integrate with Windows authentication, otherwise there is a good SqlMembership provider that handles all the user storage in the database in a secure way.
If you want to keep away from building an authentication system into your application you're best bet is to look at putting the pages that need protection into a separate directory on the webserver, then using : http://httpd.apache.org/docs/2.0/howto/auth.html to protect them.
This of course assumes you're using apache.
It is no longer recommended to use the .htaccess files.
I am creating a website in ASP MVC. Can anyone give me some advice on using the built-in membership provider in the following way.
I want my users to create an Administrative account for themselves and then create accounts for the people in their organization, or the people that they want to give access to.
I guess in a Database it will look something like this:
Companies have Administrators. Administrators can give users access.
I am sure this pattern is used all over the place, I am just not sure how to implement it. Especially using the membership providers.
Thanks,
David
There is nothing special in implementing this. It can be easily accomplished by built-in features of ASP.NET 2.0:
Configure Web site to use membership (via web.config)
Enable role management (via web.config <roles enabled="true"> tag)
Add administrator accounts to Administrators role.
Control access to the administrative pages by using [Authorize(Roles="Administrators")] attribute in the controller action.
Require authentication on other non-admin actions ([Authorize])
When I did this, I used the Membership Provider for authentication however, the organization concept I created externally from the Provider. You could use the Profile Provider.
As for roles I would still use the Roles within the ASP.Net Membership Model.
You can create a role for those people and name it something like organizational-admin, though that's a bit long, you catch my drift :). And give those the power to create users with a regular user role. At least that's how i did it in one of my applications.
Ofcourse you'll keep the admin to yourself or to the person who is in charge of this particular site.
Gu's blog has a small example of how to implement the roles in an action filter.