Asp.net user authentication and authorization - asp.net

I am new to asp.net and working on a web project. There are different users and each user has a specific role, like admin, visitor, registered user etc. The question is what method to use to implement security. Is there any standard way to implement both authentication and authorization? I am using SQL Server 2008. Please tell me a standard method.
Thanks

Look into the following topics:
Asp.net RoleProvider: http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.aspx
Asp.net MembershipProvider: http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
Additional information: http://www.asp.net/security/tutorials/role-based-authorization-cs

You need to understand the basic principles before you proceed.
Start with ASP.NET Web Application Security
How ASP.NET Security Works
Guide to Claims-based Identity and Access Control

You can use a database, which is most definitely the best way to go about it; this will be supported if you are running SQL Server. This should help you build the database, and give you some insight into how to implement users and permissions.
http://publib.boulder.ibm.com/infocenter/wpdoc/v510/index.jsp?topic=/com.ibm.wp.ent.doc/wpf/setup_sql.html
Good luck!

Related

Asp.NET and Asp.NET Core Identity model over the same database

I have two applications, one in asp.net and the other in asp.net core. I want to share a common database, as well as the same login. I.e., a user can register via the asp.net application, and then their identity will be shared with the asp.net core application.
Is this possible? I notice that each has its own identity model, and I am looking for a way of sharing this, i.e. some documentation to resolve this.
Looking for:
- Is this possible?
- Documentation and more information on implementation (how to)
I am resolving by use of Identity Server, which both applications will hook into. Will just take a bit of re-jigging.

How to use session for verifying login in ASP .Net Core 2.0 by MVC (no authentication)

I had created a login form using the MVC 5 No Authentication template and connected it with a local MS-SQL Server. Now I need to verify the login status using session. I tried searching for it but I am not able to find the optimal solution. So please, someone help me to identify the optimal solution.
Unless you are a security expert I would strongly advise that you don’t roll your own authentication.
Most of the documentation you will find on the web for authentication in an MVC app will be referencing ASP.NET Identity. I would recommend using that unless you have a good reason not to.
Things like using [Authorize] on controller actions, and using User.Identity.IsAuthenticated to check if a user is logged in, are all baked in.
No need to re-invent the wheel.
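To show what "baked in" means concretely, here is an added example (not the answer's code) of ASP.NET Core 2.0 cookie authentication without ASP.NET Identity: the framework issues and validates the encrypted auth cookie, so no session flag is needed and [Authorize] does the check. UserStore.CheckCredentials is a hypothetical helper standing in for a lookup against your MS-SQL users table.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o =>
            {
                o.LoginPath = "/Account/Login";
                o.Cookie.HttpOnly = true;                          // not readable from script
                o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
                o.ExpireTimeSpan = System.TimeSpan.FromMinutes(30);
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must come before MVC so User is populated
        app.UseMvcWithDefaultRoute();
    }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password)
    {
        // Hypothetical helper: checks the salted password hash in your MS-SQL users table.
        if (!UserStore.CheckCredentials(username, password))
            return View();   // same response whether the user or the password was wrong
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) },
                                          CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));  // issues the encrypted auth cookie
        return RedirectToAction("Index", "Home");
    }

    [Authorize]   // anonymous requests are redirected to LoginPath; no session flag to check
    public IActionResult Profile() => Content("Hello " + User.Identity.Name);
}
```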

SSO for sharepoint 2010 and asp.net app using adfs

I was tasked with creating an SSO solution from an existing asp.net app to a new SharePoint 2010 app.
The existing asp.net app uses forms authentication, but not against a single data source. It checks a database, Active Directory and a few mainframe tables to authenticate, and finally creates a forms authentication ticket.
I was looking to share the token between SP2010 and the asp.net app, but I am now realizing this is not possible, due to the fact that SP2010 does not use simple FBA tokens any more.
So now I am looking to go the STS and claims-based route. After looking into it a little, I understand that using ADFS would be much better than building a custom STS for the asp.net side. My issue is that since I have the custom ticket creation authentication method on the asp.net side, I don't have a single data source to "feed" the ADFS. I am new to SharePoint and ADFS and I really don't know how to begin this type of integration.
Can anyone help me get my head around this?
Thank you!
ADFS attribute stores might solve your problem, although for this to make sense you would ideally integrate Windows Identity Foundation (WIF) into your application, which might be an intrusive change.
http://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores(v=ws.10).aspx
In short, ADFS is not limited to AD for collecting user data. You can configure it to query other user attribute stores, such as your database. You can then author rules within ADFS to tell it what queries to make, and ADFS will use these queries to populate user claims into the token that ADFS issues to your application.

Asp.Net MVC - Mixed Auth Mode

I'm looking for the most reliable way to use both Windows and form-based auth in ASP.NET MVC 2. I know how to do it in WebForms, but because I cannot adjust the permissions (in IIS) on a per-file basis in MVC, I'm struggling to transfer the concept.
Any suggestions? Links?
There are the following posts:
http://aspadvice.com/blogs/rjdudley/archive/2005/03/10/2562.aspx
http://aspadvice.com/blogs/rjdudley/archive/2005/03/10/2561.aspx
http://msdn.microsoft.com/en-us/library/ms972958.aspx
All describe it for classic ASP.NET, but the concept should be transferable to MVC.
I implemented this using MVC and a custom membership provider.
The whole application is running with the ASP.NET anonymous account. That means that your files must be accessible to this account. On my machine I had to give read access to this IIS account.

Linking User to Profile with forms authentication

I am moving a legacy winform app to the web and would like some advice on forms authentication. Am I correct in assuming that forms authentication is better than rolling up my own user authentication functionality?
It would be easy enough to roll my own since this is what the winform application did and the table structure already supports it, but forms authentication looks like it would do a much better job securing the site and the user authentication info.
I'm an old programmer, but pretty young in web dev, and I have learned over the years that using MS built-in tools sometimes looks better than it works... forms authentication isn't one of those cases, is it?
Thanks!
I'd say that Forms Authentication is a case where you're likely to experience no "buyer's remorse". You can opt in to use some pretty nice features. The model is very flexible because it allows you to implement your own Membership Providers.
Using forms authentication doesn't mean you don't get to use those tables. You will do the check for username/password, and tell asp.net that the user is authenticated. Asp.net will continue from there, ensuring further requests from that user are identified and authenticated (based on an authentication ticket).
Update 1: Later on asp.net included membership providers, with some controls for it. Even then you can still implement your own membership provider, which in really simple cases you can do by implementing only 1 or 2 of the methods. If you have several features, and they don't map well with what the membership provider supports, I would stick to a custom implementation.
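The "do your own check, then hand the user to asp.net" flow described above, as an added example that is not part of the answer: the login page validates against the existing tables and issues a forms authentication ticket carrying the roles, and Global.asax rebuilds the principal from that ticket on every later request. Accounts.Validate is a hypothetical helper for the table lookup, and UserName, Password and Message are assumed controls on the .aspx page.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Login.aspx.cs: verify against your own tables, then hand the user to forms authentication.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string[] roles;
        // Hypothetical helper: compares the salted password hash in your table and returns the roles.
        if (!Accounts.Validate(UserName.Text, Password.Text, out roles))
        {
            Message.Text = "Invalid username or password.";   // one message for both failure cases
            return;
        }
        // The ticket carries the roles in UserData, so later requests need no database round trip.
        var ticket = new FormsAuthenticationTicket(1, UserName.Text, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join(",", roles), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL    // requireSSL="true" on <forms> makes this true
        };
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
    }
}

// Global.asax.cs: rebuild the principal from the ticket on every request so that
// <authorization> role rules and User.IsInRole work against your own role names.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }   // tampered or undecryptable cookie: treat as anonymous
        if (ticket == null || ticket.Expired) return;
        var roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```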
