Can anyone tell me, if it is possible to use both basic and forms authentication on my site without the 2 interfering with each other?
I have a new site that I want only certain people to see for approval purposes.
The site has a members area that uses Forms authentication and now when anyone enters the site after passing basic authentication they are being directed to the forms authentication page, even though they should be viewing a page that isn't protected by forms authentication.
I need a situation whereby anyone who clears basic authentication can then view the whole site excluding the members area of the site where they will need to log in via forms authentication.
It sounds like you just haven't configured forms authentication for just the particular members area, but have it configured for everything.
Look at the authorization element and the location element (if you want to control the settings in the main Web.config, instead of creating a Web.config for the member's area).
See also ASP.NET Forms Authentication and a "No Authentication" subfolder (except you want the reverse).
One option is to write your own basic authentication filter attribute and protect the action that just require basic authentication with the custom attribute . The controller action which requires forms authentication should be protected with the normal [Authorize] attribute. Please refer the following example :-
http://www.ryadel.com/en/http-basic-authentication-asp-net-mvc-using-custom-actionfilter/
I had a similar issue in the past but was more along the lines of providing basic authentication for REST calls and form authentication when someone access the mvc site. We ended up creating our own authentication filter
Related
I am failing to find good examples of user and activity based authorization for my ASP.NET web forms site. Currently, i am using user roles in web config to allow/deny access to pages within folders. But this method is proving to be a nightmare to maintain, especially when users come up with special case scenarios, which completely deviate from existing role permissions.
So i am looking for a way to be able to store and retrieve user access rights, from the database and then enforce them on my web site dynamically.
My Second problem is how to show/hide certain site master html from certain users. I was also thinking to store this information in the database, so that these rights are dynamically allocated also.
Currently, i am hard coding in my site master code behind the hide/show permissions by saying:
If(isInRole("Admin"){
// Show Everything
}
else
{
// hide certain html
}
So this approach works currently, but is problematic to maintain and not very flexible.
Finally, I was looking at activity based authorization, the pros and cons of which were well described in this article: http://ryankirkman.com/2013/01/31/activity-based-authorization.html.
So how would i implement that in my ASP.NET web forms site?
In conclusion there is three things i am after:
Dynamically Control Visibility of HTML elements in my site master page based on user authorization.
Dynamically control user authorization to my aspx pages
Dynamically control user activity based authorization
Any input on this would be highly appreciated. Thank you
You should switch from role based authentication to claims based authentication. Here's an article describing the basics of claims based authentication:
http://dotnetcodr.com/2013/02/11/introduction-to-claims-based-security-in-net4-5-with-c-part-1/
Claims will give you fine grained control over the rights for each individual user. ClaimsPrincipal can also be used in webforms:
https://visualstudiomagazine.com/articles/2013/09/01/going-beyond-usernames-and-roles.aspx
An attribute can be applied to pages and methods in an ASP.NET Web Forms application (described in the article above):
[ClaimsPrincipalPermission(SecurityAction.Demand,
Operation="Update", Resource="Customer")]
public partial class CustomerUpdate : System.Web.UI.Page
{
Check this link Authorization Based on User
Or Another thing you can do is, separation of Concern according to Roles
Keep the Views According to the Access Level and Roles, so that you can easily manage the access.
Another thing that I've Seen people doing is Having a DB table with all Roles/Users and Access Links
I built an ASP.Net MVC 4 application which uses forms authentication by means of a custom membership provider inheriting from the Simple Membership.
Everything is working fine, but now I have a new requirement: I need to integrate a JSP application with mine.
This means that it has to authenticate against the same user database of my application and that they should somehow share the session in order to achieve a kind of Single Sign-On among the two applications (if an user is already authenticated in the ASP.Net application, he should be able to access the JSP application without logging in again, and vice-versa).
What architecture do you suggest me to use?
I would like to change as little as possible the ASP.Net application.
Thanks!
If you need to auhtenticate accross different domains:
You can implement your own security token service (like facebook, google does) Here is some ready to use implementation: http://thinktecture.github.io/Thinktecture.IdentityServer.v2/
If the sites are running on the same domain (subdomain), then you can try to share an authentication cookie within these domains.
An explaining article: http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
I want to implement single sign on in my asp.net web application. Scenario is something like below:
user will get registered / sign up at "account.example.com"
there will a link to "professional.example.com"
when user goes to this link (step 2), they must remain logged in over here.
What is the best solution for this?
You want to set the Domain property on the cookie object to ".example.com" and it will work for any sub-domain of "example.com".
If you're using ASP.NET's forms authentication, this article is a good place to start to find out all the options for configuring it.
If you are using Forms Authentication you need to set your forms and machinekey sections in web.config to be identical.
Here is a good link -> Forms Authentication Across Applications
I need to secure my website without using the ASP.NET built in login controls or the Forms Authentication.
Its need to support "normal" users and admin users.
Any suggestion? Thanks
Well, it's impossible to build anything in ASP.NET without a tag = )
I can't tell exactly what you are asking, so I will try to go over the whole groundwork.
ASP.NET Provides Different Authentication Models
You can use ASP.NET's built in authentication with Membership and Roles
You can write your own ASP.NET membership model
You can use another ASP.NET authentication model, such as Shibboleth, Windows/IIS, and others, see JD's post.
You can skip all of these and use your own "authentication", perhaps it is stored as a simple Session variable
ASP.NET Provides Different Controls
There is a handly Login control that integrated with ASP.NET's built in membership making things very easy.
If you don't want to use that, you can simply use ASP TextBoxes, Buttons, etc, and basically create your own login form.
In adition to JD's and rlb.usa's posts you can also use opemid or windowslive id authentication perhaps. both of these have membership providers for asp.net. Checkout Codeplex for those; however if you want a truly customazieable solution perhaps its best for you as rlb.usa pointed out a simple session variable solution.
Perhaps you want to use Windows Authentication (rather than Forms Authentication) with ASP.NET? You should choose Windows authentication if your user accounts are maintained by a domain controller or within Active Directory and there are no firewall issues. I think this is what you are after. Here's a decent write up.
Umm, a quick response is for you to checkout Authentication features provided by IIS. These include Kerbros, NTLM, Basic Auth, just to name a few.
I am trying to figure out how to implement an ASP.NET page with Windows Authentication without getting that annoying IIS login box.
I currently have 3 domains in my network so all the people logging in would have to prefix their user names with the domain. This is not user friendly. I would like to have a custom login page that would have a domain combo box.
Most examples I found implement this using Form security, however I need Windows Authentication since I want to connect to the SQL server using Integrated Authentication rather than a hard coded user name and password.
Does anyone know of a good article or sample code that shows how to implement this?
The following links to an article that explains how to authenticate a windows user using forms authentication, it uses a call to the native win32 api function LogonUser to acheive this. This way you can design your own custom login page with a drop down list to select a domain. Take a look, perhaps it will help.
Windows Authentication using Form Authentication
To get this setup so you don't have the authentication prompt, you are going to need to have the domains trust the accounts from one another. This article should get you pointed in the right direction:
http://technet.microsoft.com/en-us/library/cc787646%28WS.10%29.aspx