As I understand it "forms" is just a method to authenticate users. Is this correct?
But what "membership" really is I don't know. I've written a custom membership provider but I still don't really see what "membership" is about it if I'm using a custom user table and custom roles table.
So what is forms?
And what is membership?
"Forms" authentication is using the ability to use a form to authenticate a user through them entering a username and password. This is in contrast to using Windows authentication.
"Membership" is a way of storing information against a certain user once they have been authenticated and are logged into the system.
Hope this helps.
By "forms" it means we use a web form to facilitate authentication, whereas Membership gives us a built-in way to validate and store user credentials.
As far as I understand:
Forms is a method to identify requests. It provides a mechanism to store and check authorization cookies in a secure way.
Membership is a "backed" service for forms, that verifies provided credentials across SQL, ActiveDirectory and others.
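How the two pieces described in the answers above fit together in one login action, as an added example that is not part of the original posts. The controller, action and redirect target names are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // Membership: the credential check is delegated to whichever
        // MembershipProvider web.config selects (SQL, Active Directory, custom).
        if (!Membership.ValidateUser(username, password))
        {
            // Same message for unknown user and wrong password.
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }

        // Forms authentication: issue the ticket cookie that identifies
        // later requests. The password is never placed in the cookie.
        FormsAuthentication.SetAuthCookie(username, false);

        // Only follow a return URL that points back into this application.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        // Forms authentication again: expire the ticket cookie.
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```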
Related
As the question states I would like to check what type of user is logged in by using data annotation
[Authorize(Roles="Admin")]
I have seen multiple questions and tutorials but none of them explain it clearly or use older MVC.
Is there a simple way to achieve that without using the stock authentication system provided with individual account authorization?
I simply do have a table for users with usernames, passwords, etc.
You have to deal with two things: Authentication and Authorization.
Authentication
You can authenticate users using Owin forms Authentication or the old fashioned Forms Authentication if you prefer.
Authorization
For authorization you can create a custom Role Provider if you want to use Roles (as you did in your sample code) or you can use Claims Authorization.
This article is from 2013 but I successfully followed it to implement a custom role provider in my MVC5 application.
I am relatively new to using ADFS (in ASP.NET) which is what my company wants to use and just have a few basic questions about that:
Am I correct there is no explicit "Authorize" call you can do like with ASP.NET Membership Providers? Unless you are on a domain it presents you with a login screen and once you enter credentials it does validation and returns back a token with claims information.
Can you configure some forms to allow anonymous access like you can do with Forms Authentication?
Thanks.
Yes, you can set up pages in your app that don't require authentication. It works exactly like you'd do with Forms Auth.
On #1: in a claims based model, your app relies on an external system to authenticate users and receives evidence that the user is valid in the form of a token. You can completely automate this (using WIF and config files), or you can explicitly trigger the authentication process. In any case, your app won't be responsible for validating legitimate users anymore. It is a responsibility that it delegates to the STS (e.g. ADFS). That's why apps are called "relying parties".
I'd suggest you read the first couple chapters of the A Guide to Claims based Identity for a better understanding of the underlying principles.
What is the difference between these two providers? Do I have to implement both of them for custom authentication?
Thanks
One is for authentication, the other is for role-based authorisation.
You do not need to implement both, that would be down to your own requirements. If you only need to log people in, then use FormsAuthentication. If you need more than that, implement both.
All our inhouse projects use Active Directory authentication and impersonation as this is the accepted security policy for the company.
I currently have a scenario where I need to store user profile information, and I would like to use the built-in Profile Providers which is standard in ASP.Net. I've previously used this happily with Forms Authentication, however I can't find any helpful information on how to implement this when using Windows Authentication.
Is there any way I can get just the Profile Provider working with Windows Authentication out of the box?
Will I be forced to create a custom profile provider?
The data will be stored in the database, not in Active Directory. However if the latter is possible some guidance would be appreciated.
Notes
I don't need to use the Role provider, this is handled by AD.
I am not sure if I need to implement the AD Membership provider to get the Profile Provider to work.
You can just use the standard SqlProfileProvider. As username, use the Context.User.Identity.Name property. ASP.NET will create a user entry in its standard tables itself to keep track of it. The role provider also works in combination with Windows authentication. See this link for more information: http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx
If you enable and configure the profile provider in the web.config, you can use it like this:
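// Requires: using System.Web.Profile;
// Load (or create) the profile keyed by the Windows identity name; true = authenticated user.
ProfileBase profile = ProfileBase.Create(Context.User.Identity.Name, true);
// "MyProfileProperty" must be declared under <profile><properties> in web.config.
profile.SetPropertyValue("MyProfileProperty", propertyValue);
profile.Save();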
Good luck!
I need to implement a user authentication system that supports anonymous users, like how this site works. Can it be done with the default ASP.NET membership provider? If not, what are some of the things I need to do?
Yes, it can be done. There's even a special event to migrate anonymous user details once the user logs in:
http://msdn.microsoft.com/en-us/library/system.web.profile.profilemodule.migrateanonymous.aspx
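A handler for the event linked above, as an added example that is not part of the original answer. It assumes `<anonymousIdentification enabled="true" />` in web.config and a hypothetical profile property named `Cart` declared with `allowAnonymous="true"`.

```csharp
// Global.asax.cs
using System.Web.Profile;
using System.Web.Security;

public class Global : System.Web.HttpApplication
{
    // Raised by ProfileModule when the anonymous user for a profile logs in.
    public void Profile_OnMigrateAnonymous(object sender, ProfileMigrateEventArgs args)
    {
        // Profile stored under the anonymous ID (false = not authenticated).
        ProfileBase anonymous = ProfileBase.Create(args.AnonymousID, false);
        // Profile of the user who has just authenticated.
        ProfileBase current = args.Context.Profile;

        // "Cart" is a hypothetical property; copy it only if the anonymous
        // visitor actually stored something.
        object cart = anonymous.GetPropertyValue("Cart");
        if (cart != null)
        {
            current.SetPropertyValue("Cart", cart);
            current.Save();
        }

        // Remove the anonymous profile row so stale data does not linger.
        ProfileManager.DeleteProfile(args.AnonymousID);

        // Clear the anonymous identifier; otherwise this event is raised
        // again on every later request from the logged-in user.
        AnonymousIdentificationModule.ClearAnonymousIdentifier();
    }
}
```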