I've got confused. We hear a lot about Providers in ASP.NET: Membership Provider, Role Provider, XmlDataProvider, CustomProvider, ...
What are those and why do we need them in ASP.NET?
Provider is a synonym for "Supplier", which means:
Someone whose business is to supply a particular service or commodity
Just as in real life, a provider is someone / something that helps you solve communication with a certain service or helps you solve a problem.
For instance, the Membership Provider in .NET is used to handle Membership such as Authentication, Registering new Users and many more options that come with this.
The Role Provider goes hand in hand with the above, because it helps you handle Roles attached to the users that you have (they have Memberships!).
You might want to read this: Microsoft ASP.NET 2.0 Provider Introduction from MSDN
Using the Provider model means that if you don't like the way something in ASP.NET works or you want/need to extend it, you can write your own. As long as it supports the core functionality that ASP.NET needs to work as part of the platform, i.e. it inherits from MembershipProvider/RoleProvider/WhateverProvider, you can do what you want in the internals.
You can then swap out the default Provider and use yours in its place, e.g. say you don't use SQL Server, you use CouchDB for all your data storage. You can't use the SqlMembershipProvider, but you can write a CouchDBMembershipProvider* - as long as you inherit from MembershipProvider and override its methods to work with CouchDB you're good to go.
* I'm not saying you should do this, I'm just saying you can :-)
I'm building an application in ASP.NET MVC4 as a learning exercise. I'm trying to understand authentication and authorization. That seems fine, role based authorization seems fine for restricting certain controllers/actions to users who are part of a given role.
What I'm struggling with is how I can apply this to data which belongs to an individual user. Using a forum as a simple example, how could the functionality be achieved whereby a user can only edit or remove posts that they have created but can view/add comments to posts of other users? Would this have to be done in code by checking the user associated with the post to be updated against the current user before allowing the update to take place, returning unauthorized if they don't match?
Is there a more elegant solution that can be applied rather than applying this kind of logic to multiple controllers/actions?
There's a wealth of information out there I'm just trying to narrow the search. Can anyone suggest a good tutorial/article on this. I've been looking at Forms authentication and Membership but I'd be interested in something using Identity too. I'm also using Entity Framework.
Thanks
Would this have to be done in code by checking the user associated with the post to be updated against the current user before allowing the update to take place, returning unauthorized if they don't match.
Yes, that's exactly what you do. While role-based authorization is a matter of a simple relation between users and roles, data-access level authorization is usually complex and involves custom business rules.
Of course, it could help a lot to create a thin layer of managers that will be commonly used as guards so that you keep all the code close together:
```csharp
// UserAccessManager, FooModel, Foo and Mapper are placeholder types from the answer.
[HttpPost]
public ActionResult PostFoo( FooModel model )
{
    // keep the access manager separate from the
    // domain layer. operate on IDs.
    if ( new UserAccessManager( this.User )
            .CanOperateOnFoo( model.IdSomething, model.IdWhateverElse ) )
    {
        // authorized: carry out the operation here
        return RedirectToAction( "Index" );
    }
    else
    {
        // return 403 or a meaningful message
        return new HttpStatusCodeResult( 403 );
    }
}
```
or
```csharp
[HttpPost]
public ActionResult PostFoo( FooModel model )
{
    // switch to the domain layer
    Foo foo = Mapper.Map( model );
    // make the access manager part of the domain layer
    if ( foo.CanBeOperatedBy( this.User ) )
    {
        // authorized: carry out the operation here
        return RedirectToAction( "Index" );
    }
    else
    {
        // return 403 or a meaningful message
        return new HttpStatusCodeResult( 403 );
    }
}
```
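An added example (not code from the answer above, and not from the questioner's project) of the "thin layer of guards" idea taken one step further: the owner check lives in a single MVC action filter, so each edit/delete action is protected by one attribute rather than by repeated code. IOwnedResource, Post, PostRepository, OwnershipRegistry and OwnerOnlyAttribute are assumed names, and the repository holds constructed sample data in place of Entity Framework.

```csharp
// Added example, not from the original answer: one reusable ownership guard
// for ASP.NET MVC 4 with Membership-style user names. All names are assumptions.
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Anything that belongs to exactly one user exposes its owner's user name.
public interface IOwnedResource
{
    string OwnerName { get; }
}

public class Post : IOwnedResource
{
    public int Id { get; set; }
    public string OwnerName { get; set; }
    public string Body { get; set; }
}

// Constructed in-memory store standing in for the Entity Framework context.
public static class PostRepository
{
    private static readonly Dictionary<int, Post> Posts = new Dictionary<int, Post>
    {
        { 123, new Post { Id = 123, OwnerName = "alice", Body = "first post" } },
        { 124, new Post { Id = 124, OwnerName = "bob",   Body = "a reply" } },
    };

    public static Post Find(int id)
    {
        Post post;
        return Posts.TryGetValue(id, out post) ? post : null;
    }
}

// Maps a resource type to the lookup that loads it, so the filter does not
// depend on any particular repository. Filled in Application_Start.
public static class OwnershipRegistry
{
    private static readonly Dictionary<Type, Func<int, IOwnedResource>> Finders =
        new Dictionary<Type, Func<int, IOwnedResource>>();

    public static void Register<T>(Func<int, T> finder) where T : class, IOwnedResource
    {
        Finders[typeof(T)] = id => finder(id);
    }

    public static IOwnedResource Find(Type resourceType, int id)
    {
        Func<int, IOwnedResource> finder;
        return Finders.TryGetValue(resourceType, out finder) ? finder(id) : null;
    }
}

// The guard: load the resource named by the "id" action parameter and compare
// its owner with the authenticated user. A missing resource gets the same 403
// as a foreign one, so the filter does not reveal which ids exist.
public class OwnerOnlyAttribute : ActionFilterAttribute
{
    private readonly Type _resourceType;

    public OwnerOnlyAttribute(Type resourceType) { _resourceType = resourceType; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();   // 401: forms auth redirects to login
            return;
        }

        object rawId;
        if (!filterContext.ActionParameters.TryGetValue("id", out rawId) || !(rawId is int))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.BadRequest);
            return;
        }

        var resource = OwnershipRegistry.Find(_resourceType, (int)rawId);
        if (resource == null ||
            !string.Equals(resource.OwnerName, user.Identity.Name, StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
    }
}

[Authorize]   // any signed-in user may view and comment on any post
public class PostsController : Controller
{
    public ActionResult Details(int id)
    {
        var post = PostRepository.Find(id);
        return post == null ? (ActionResult)HttpNotFound() : View(post);
    }

    [HttpPost, ValidateAntiForgeryToken, OwnerOnly(typeof(Post))]
    public ActionResult Edit(int id, string body)
    {
        PostRepository.Find(id).Body = body;   // the filter has already proved ownership
        return RedirectToAction("Details", new { id });
    }
}
```

Register the lookup once in Global.asax `Application_Start` with `OwnershipRegistry.Register<Post>(PostRepository.Find);`. With ASP.NET Identity you would compare the stored user id rather than the user name, but the shape is the same: one filter, one comparison, applied by attribute wherever a resource is owner-only.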
Would this have to be done in code by checking the user associated with the post to be updated against the current user before allowing the update to take place, returning unauthorized if they don't match.
No, you want to avoid hard-coding authorization logic into your code. Doing so leads to:
authorization silos
poor visibility
a chance there might be errors in the authorization logic
hard-to-maintain logic
Is there a more elegant solution that can be applied rather than applying this kind of logic to multiple controllers/actions?
Yes, there is. Much like you wouldn't hard-code authentication or logging into your app, you want to externalize authorization. This is called Externalized Authorization Management (EAM). There are several frameworks that help you do that from Spring Security in Java to Claims-based authorization in .NET to XACML-based solutions.
There are 2 fundamental authorization models you want to consider:
role-based access control (RBAC)
attribute-based access control (ABAC)
You can read about both on NIST's website (RBAC | ABAC).
Given the sample rule you gave:
A user can only edit or remove posts that they have created but can view/add comments to posts of other users.
RBAC will not be enough. You will need to use ABAC (and XACML) to be able to implement the relationship between the user and the data requested. XACML, the eXtensible Access Control Markup Language is a standard that provides you with:
a standard architecture.
a request/response scheme, and
a policy language.
With the XACML policy language, you can rewrite your example as:
A user can do the action==edit or the action==remove if and only if the post.owner==user.id
A user can do the action==view on any post
A user can do the action==comment on any post
Then, from your code, all you have to do is send an authorization request: Can Alice view post #123?. The authorization engine (also called policy decision point or PDP) will determine who owns the post and will reach a decision, either of a Deny or a Permit.
A key benefit to using externalized authorization and XACML is that you can apply the same consistent authorization to any layer (presentation tier, business tier, ESB, APIs, databases...) and any technology (Java, .NET, Python...).
Other benefits include:
modular architecture
configuration-driven authorization that is easy to grow as requirements change
easy-to-audit authorization
centrally-managed authorization
cheaper to develop and onboard new applications than writing code over and over again
standards-based.
There are several open-source and vendor solutions out there that address this market. Have a look at Axiomatics (disclaimer: I work for Axiomatics) or SunXACML (open source).
HTH,
David.
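An added illustration (not from the answer above, and not XACML or any vendor SDK) of the request/response pattern the answer describes: controllers ask "can this subject do this action on this resource?" and a policy decision point answers from a rule set kept outside the controllers. The three forum rules are written as data, a policy information point resolves the post's owner so callers only send an id, and the combining algorithm is first-applicable with deny as the default. AuthzRequest, Rule, PolicyDecisionPoint, PostAttributes, ForumPolicy and Authz are all assumed names; the post ownership table is constructed.

```csharp
// Added example, not from the original answer: a hand-rolled, in-memory
// policy decision point. Not XACML; all names are assumptions.
using System;
using System.Collections.Generic;

public enum Decision { Permit, Deny }

// The request carries attributes, not code, so the same question can be asked
// from a controller, a service layer or an API gateway.
public class AuthzRequest
{
    public string SubjectId;      // who is asking
    public string Action;         // "view", "comment", "edit", "remove"
    public string ResourceType;   // "post"
    public int ResourceId;        // which post
}

// Policy Information Point: resolves resource attributes the rules need
// (here: who owns a post). Constructed data standing in for the database.
public static class PostAttributes
{
    private static readonly Dictionary<int, string> Owners = new Dictionary<int, string>
    {
        { 123, "alice" },
        { 124, "bob" },
    };

    public static string OwnerOf(int postId)
    {
        string owner;
        return Owners.TryGetValue(postId, out owner) ? owner : null;
    }
}

public class Rule
{
    public string Name;
    public Func<AuthzRequest, bool> Applies;   // target and condition in one predicate
    public Decision Effect;
}

// Policy Decision Point: first applicable rule wins; no match means Deny, so an
// action nobody wrote a rule for is never permitted by accident.
public class PolicyDecisionPoint
{
    private readonly List<Rule> _rules;

    public PolicyDecisionPoint(List<Rule> rules) { _rules = rules; }

    public Decision Evaluate(AuthzRequest request)
    {
        foreach (var rule in _rules)
        {
            if (rule.Applies(request)) return rule.Effect;
        }
        return Decision.Deny;
    }
}

// The answer's three sentences, as data rather than controller code.
public static class ForumPolicy
{
    public static PolicyDecisionPoint Build()
    {
        return new PolicyDecisionPoint(new List<Rule>
        {
            new Rule
            {
                Name = "owner may edit or remove",
                Applies = r => r.ResourceType == "post"
                            && (r.Action == "edit" || r.Action == "remove")
                            && r.SubjectId != null
                            && r.SubjectId == PostAttributes.OwnerOf(r.ResourceId),
                Effect = Decision.Permit
            },
            new Rule
            {
                Name = "anyone may view or comment on an existing post",
                Applies = r => r.ResourceType == "post"
                            && (r.Action == "view" || r.Action == "comment")
                            && PostAttributes.OwnerOf(r.ResourceId) != null,
                Effect = Decision.Permit
            },
        });
    }
}

// Policy Enforcement Point: the single call a controller action makes.
public static class Authz
{
    private static readonly PolicyDecisionPoint Pdp = ForumPolicy.Build();

    public static bool Can(string user, string action, int postId)
    {
        var request = new AuthzRequest
        {
            SubjectId = user, Action = action, ResourceType = "post", ResourceId = postId
        };
        return Pdp.Evaluate(request) == Decision.Permit;
    }
}
```

With this in place `Authz.Can("alice", "edit", 123)` is permitted because alice owns post 123, the same request from bob is denied, bob may still comment on 123, and any request against a post id that does not exist is denied by the default. Adding a rule such as "moderators may remove any post" is a change to `ForumPolicy`, not to any controller, which is the maintainability point the answer makes.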
I need some clarifications for ASP.NET Membership; please help me with it.
I am using the ASP.NET MVC 3 framework and intending to use ASP.NET Membership for users & authentication management using either LDAP or SQL.
For what I've understood until now; ASP.NET Membership is:
[User] has [Role] or [Role] has [Users]
But in my project I have a more complex business logic; where I need this hierarchy to next level like
[User] has [Role] -> has [Tasks]
So I can dynamically assign/revoke tasks/permissions to my MVC controllers or actions;
I plan to get started with Membership with the SQL Provider and then maybe later on I'll switch to LDAP/AD.
I've also explored AzMan and NetSqlAzMan; they look ok to resolve the error but their usage seems odd (not as neat as ASP.NET Membership, where we can simply use annotations to assign roles/tasks to a controller or its action).
Is ASP.NET Membership limited to Roles only? & no tasks/operations?
Or is there any workaround for that?
Can I enjoy the simplicity of usage of ASP.NET Membership and on the same road have a next level hierarchy for Roles -> Tasks -> Operations?
Any help would be greatly appreciated.
Thanks!
ASP.NET's Membership provider only supports roles out of the box. It doesn't support tasks or operations. However it is relatively easy to create a custom Role Provider to meet just about any need.
For a good start check out 'Implementing a Role Provider' at http://msdn.microsoft.com/en-us/library/ie/8fw7xh74.aspx . You can also find a sample Role Provider at http://msdn.microsoft.com/en-us/library/ie/tksy7hd7.aspx .
ASP.NET Membership only supports Roles, no tasks or operations.
You can use attributes to signify which operations are allowed for which roles, like so:
```csharp
[Authorize(Roles="Administrator")]
public ViewResult Edit(int id)
{
    return View("Edit");
}
```
Or your code can do checking using the IsInRole method:
```csharp
if (User.IsInRole("Administrator"))
{
    // only administrators reach this point
}
```
Good luck!
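An added example (not from either answer above, and not from the questioner's project) of the custom Role Provider both answers point at, written so that the "roles" ASP.NET sees are the user's roles plus the tasks those roles grant. `[Authorize(Roles = "Post.Edit")]` and `User.IsInRole("Post.Edit")` then work unchanged, and tasks are granted or revoked by editing data rather than code. TaskRoleProvider and the role/task names are assumptions; the two tables are constructed in-memory data where a real provider would query SQL or AD.

```csharp
// Added example, not from the original answers: a RoleProvider that exposes
// tasks as roles. Constructed in-memory data; all names are assumptions.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.Linq;
using System.Web.Security;

public class TaskRoleProvider : RoleProvider
{
    // Role -> tasks. In a real provider this is a table, so assigning a task to
    // a role is a data change and needs no recompilation.
    private static readonly Dictionary<string, HashSet<string>> RoleTasks =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
    {
        { "Editor",    Set("Post.Create", "Post.Edit") },
        { "Moderator", Set("Post.Edit", "Post.Delete", "User.Ban") },
    };

    // User -> roles (the relation ASP.NET Membership already has).
    private static readonly Dictionary<string, HashSet<string>> UserRoles =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
    {
        { "alice", Set("Editor") },
        { "bob",   Set("Editor", "Moderator") },
    };

    private static HashSet<string> Set(params string[] items)
    {
        return new HashSet<string>(items, StringComparer.OrdinalIgnoreCase);
    }

    public override string ApplicationName { get; set; }

    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(string.IsNullOrEmpty(name) ? "TaskRoleProvider" : name, config);
        ApplicationName = config["applicationName"] ?? "/";
    }

    // The user's effective "roles": their roles plus every task those roles grant.
    public override string[] GetRolesForUser(string username)
    {
        HashSet<string> roles;
        if (!UserRoles.TryGetValue(username, out roles)) return new string[0];
        var effective = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
        foreach (var role in roles)
        {
            HashSet<string> tasks;
            if (RoleTasks.TryGetValue(role, out tasks)) effective.UnionWith(tasks);
        }
        return effective.ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override bool RoleExists(string roleName) { return RoleTasks.ContainsKey(roleName); }
    public override string[] GetAllRoles() { return RoleTasks.Keys.ToArray(); }

    public override void CreateRole(string roleName)
    {
        if (RoleExists(roleName)) throw new ProviderException("Role already exists: " + roleName);
        RoleTasks[roleName] = Set();
    }

    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
    {
        if (throwOnPopulatedRole && GetUsersInRole(roleName).Length > 0)
            throw new ProviderException("Role still has members: " + roleName);
        foreach (var roles in UserRoles.Values) roles.Remove(roleName);
        return RoleTasks.Remove(roleName);
    }

    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    {
        foreach (var role in roleNames)
            if (!RoleExists(role)) throw new ProviderException("Unknown role: " + role);
        foreach (var user in usernames)
        {
            if (!UserRoles.ContainsKey(user)) UserRoles[user] = Set();
            UserRoles[user].UnionWith(roleNames);
        }
    }

    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
    {
        foreach (var user in usernames)
        {
            HashSet<string> roles;
            if (UserRoles.TryGetValue(user, out roles)) roles.ExceptWith(roleNames);
        }
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return UserRoles.Where(kv => kv.Value.Contains(roleName)).Select(kv => kv.Key).ToArray();
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        return GetUsersInRole(roleName)
            .Where(u => u.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
            .ToArray();
    }
}
```

Wire it in with a `roleManager` element in web.config whose `defaultProvider` names this class (`<add name="TaskRoleProvider" type="TaskRoleProvider"/>` under `providers`). One caveat worth knowing: with `cacheRolesInCookie="true"` the computed task list is cached in the role cookie, so revoking a task takes effect only when that cookie expires or `Roles.DeleteCookie()` is called.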
I need to slightly tweak the functionality of the ASP.NET Membership provider to add custom logging functionality. Instead of creating a wrapper class around the methods I wish to modify, I was toying with the idea of creating a custom Membership Provider and overriding a few of the methods.
All the examples I could find would show how to create it from scratch. I don't want to overwrite everything... just override a few methods. Can somebody point me in the right direction?
Thanks!
EDIT:
DOH! I can simply inherit from SqlMembershipProvider and override the methods. However, how can I get at the connection string?
What is it that you are trying to log?
If you simply want to monitor success and failure of authentication, ASP.NET Health Monitoring is already in the box. Events are logged to the WebEvent tables.
If you have other motives, well then..... ;-)
To answer your question about the connection string, override Initialize and capture the value from the config argument before calling base.Initialize.
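An added example (not from the answer above, and not the questioner's code) of exactly that: a provider that inherits SqlMembershipProvider, overrides only the methods it wants to log, and captures the connection string in Initialize before handing config to the base class. LoggingMembershipProvider is an assumed name; the `connectionStringName` attribute and `ConfigurationManager.ConnectionStrings` lookup are the standard ones the SQL provider itself uses.

```csharp
// Added example, not from the original answer: inherit SqlMembershipProvider,
// override a few methods, and read the connection string in Initialize.
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web.Security;

public class LoggingMembershipProvider : SqlMembershipProvider
{
    private string _connectionString;
    private string _dataSource;

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");

        // base.Initialize consumes (and removes) the connectionStringName entry,
        // so read it first and resolve it against <connectionStrings> ourselves.
        string csName = config["connectionStringName"];
        if (string.IsNullOrEmpty(csName))
            throw new ProviderException("The connectionStringName attribute is required.");

        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[csName];
        if (settings == null || string.IsNullOrEmpty(settings.ConnectionString))
            throw new ProviderException("Connection string '" + csName + "' was not found.");

        _connectionString = settings.ConnectionString;
        // Keep only the server name for log lines: the full string may hold a password.
        _dataSource = new SqlConnectionStringBuilder(_connectionString).DataSource;

        base.Initialize(string.IsNullOrEmpty(name) ? "LoggingMembershipProvider" : name, config);
    }

    // Only the methods of interest are overridden; everything else is inherited as-is.
    public override bool ValidateUser(string username, string password)
    {
        bool ok = base.ValidateUser(username, password);
        // Record the outcome and the account, never the password.
        Trace.TraceInformation("Membership: login {0} for '{1}' against {2}",
            ok ? "succeeded" : "failed", username, _dataSource);
        return ok;
    }

    public override bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        bool ok = base.ChangePassword(username, oldPassword, newPassword);
        Trace.TraceInformation("Membership: password change {0} for '{1}'",
            ok ? "succeeded" : "failed", username);
        return ok;
    }

    // Available to further overrides that need to talk to the same database.
    protected string ConnectionString
    {
        get { return _connectionString; }
    }
}
```

Register it under `<membership defaultProvider="LoggingMembershipProvider">` with an `<add name="LoggingMembershipProvider" type="LoggingMembershipProvider" connectionStringName="..." .../>` entry carrying the same attributes you would give SqlMembershipProvider; the base class rejects unknown attributes, so any custom settings you add must be read and removed from `config` before `base.Initialize` runs.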
I have two web applications in ASP.NET which are quite the same (same business logic, same DAL, same DB scheme but different instance).
The only thing that I need to change is the design (logo, color,...) and the text (global and local resource) to address two separate business sectors. We cannot "subdomain" the application because we need the two apps to "seem to be" independent.
Is it a good idea to run only one instance for the 2 web applications.
For example :
I will have 2 hostnames: mycompagny.com and mycompagny2.com, and I will put in an HTTP Module which will set a string which will be propagated in my application like 'company' and 'company2'. I will instantiate the DAL only once but the connection string will change depending on the string 'company' or 'company2'.
Any pros and cons ? Any other alternatives ?
[Updated]
Just for information, it is a Multi-Business and Multi-Tenant application because both applications will have a custom theme for some parts of the application.
For example :
mycompagny.com/Busineess1, mycompagny.com/Busineess2, mycompagny.com/Busineess3,..
and
mycompagny2.com/Busineess2, mycompagny2.com/Busineess2, mycompagny2.com/Busineess3,...
It sounds like you are describing a Multi-Tenant application. Here is a nice overview of some of the challenges of working Multi-Tenant in ASP.Net. There is actually quite a lot of information being produced recently on Multi-Tenant ASP.Net MVC applications, so that is also worth a look.
Yes, this is done all the time, even for large sites.
In ASP.NET, you can parse the Request.Url and determine which content to display or which data to retrieve, depending on the domain name.
When you're instantiating the DAL, you'll have to specify which db you want to connect to.
So at each request, you check the Request.Url, instantiate the DAL and then process your resources? I thought that you should instantiate the DAL at Application.Start()...
So how and "where" do you set the config to prevent passing the Request.Url string?
I'm a bit worried because instantiating a DAL is a costly process... so is there a future "performance problem"?
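An added example (not from the question, the answers or the comments above) of the HTTP Module approach the question sketches, arranged so that the DAL is not rebuilt per request: the module resolves the tenant from the host name once per request and stores it in `HttpContext.Items`, and a factory keeps one DAL per tenant for the lifetime of the application. Tenant, TenantCatalog, TenantModule, DataAccessLayer and DalFactory are assumed names; the host table and connection string names are constructed.

```csharp
// Added example, not from the original thread: per-request tenant resolution
// with a per-tenant DAL cache. All names and data are assumptions.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Configuration;
using System.Web;

public sealed class Tenant
{
    public string Key { get; private set; }                   // "company" / "company2"
    public string Theme { get; private set; }                 // selects logo, colours, resources
    public string ConnectionStringName { get; private set; }  // <connectionStrings> entry

    public Tenant(string key, string theme, string connectionStringName)
    {
        Key = key; Theme = theme; ConnectionStringName = connectionStringName;
    }
}

public static class TenantCatalog
{
    private static readonly Tenant Company  = new Tenant("company",  "Blue",  "CompanyDb");
    private static readonly Tenant Company2 = new Tenant("company2", "Green", "Company2Db");

    // Explicit allow-list of host names. An unknown Host header maps to no
    // tenant rather than a "default" one, so it cannot select another database.
    private static readonly Dictionary<string, Tenant> ByHost =
        new Dictionary<string, Tenant>(StringComparer.OrdinalIgnoreCase)
    {
        { "mycompagny.com",      Company  },
        { "www.mycompagny.com",  Company  },
        { "mycompagny2.com",     Company2 },
        { "www.mycompagny2.com", Company2 },
    };

    public static Tenant Resolve(string host)
    {
        Tenant tenant;
        return ByHost.TryGetValue(host, out tenant) ? tenant : null;
    }
}

// Runs at the start of every request and stashes the tenant in
// HttpContext.Items, so nothing downstream needs to look at Request.Url.
public class TenantModule : IHttpModule
{
    public const string ItemKey = "Tenant";

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        var tenant = TenantCatalog.Resolve(context.Request.Url.Host);
        if (tenant == null)
        {
            context.Response.StatusCode = 404;
            context.ApplicationInstance.CompleteRequest();
            return;
        }
        context.Items[ItemKey] = tenant;
    }
}

// Stand-in for the real data-access layer: costly to build, cheap to reuse.
public class DataAccessLayer
{
    public string ConnectionString { get; private set; }
    public DataAccessLayer(string connectionString) { ConnectionString = connectionString; }
}

public static class DalFactory
{
    private static readonly ConcurrentDictionary<string, DataAccessLayer> Cache =
        new ConcurrentDictionary<string, DataAccessLayer>();

    public static Tenant CurrentTenant
    {
        get { return (Tenant)HttpContext.Current.Items[TenantModule.ItemKey]; }
    }

    public static DataAccessLayer ForCurrentTenant() { return For(CurrentTenant); }

    // One DAL per tenant for the application's lifetime: built on first use, or
    // warmed up from Application_Start by calling For(...) for every tenant.
    public static DataAccessLayer For(Tenant tenant)
    {
        if (tenant == null) throw new InvalidOperationException("No tenant resolved for this request.");
        return Cache.GetOrAdd(tenant.Key, _ =>
        {
            var settings = ConfigurationManager.ConnectionStrings[tenant.ConnectionStringName];
            if (settings == null)
                throw new ConfigurationErrorsException("Missing connection string: " + tenant.ConnectionStringName);
            return new DataAccessLayer(settings.ConnectionString);
        });
    }
}
```

Register the module under `<system.webServer><modules>` (`<add name="TenantModule" type="TenantModule"/>`); a view or controller then reads `DalFactory.CurrentTenant.Theme` for branding and `DalFactory.ForCurrentTenant()` for data, and the per-request cost is a dictionary lookup. Keep the IIS site bindings limited to the same host names so the allow-list and the server agree.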
All the security stuff I have worked with in the past in ASP.Net for the most part has been role based. This is easy enough to implement and ASP.Net is geared for this type of security model. However, I am looking for something a little more fine grained than simple role based security.
Essentially I want to be able to write code like this:
```csharp
if(SecurityService.CanPerformOperation("SomeUpdateOperation")){
    // perform some update logic here
}
```
I would also need row level security access like this:
```csharp
if(SecurityService.CanPerformOperation("SomeViewOperation", SomeEntityIdentifier)){
    // Allow user to see specific data
}
```
Again, fine grained access control. Is there anything like this already built? Some framework that I can drop into ASP.Net and start using, or am I going to have to build this myself?
Have you looked at Authorization Manager (AzMan)? http://msdn.microsoft.com/en-us/library/bb897401.aspx
It was included with Server 2003 and has had a few updates in server 2008, and comes with an MMC admin tool.
You can store your data in an XML file or an AD/ADAM partition using the Server 2003 version, and in Server 2008 they added SQL support.
This tool lets you link your security objects together in a hierarchical structure of roles, tasks & operations.
You can use this as a role based provider in Asp.net but they also include .net classes so you can access the authorization store contents directly.
I think you might be looking for Declarative security. Declarative security allows you to, well, 'declare' who can access what as attributes on the code. Here is a page on Role Based security, also on MSDN. Here is an example:
```csharp
using System.Security.Permissions;

[PrincipalPermissionAttribute(SecurityAction.Demand, Role="admins")]
public class foo
{
    [PrincipalPermissionAttribute(SecurityAction.Demand, Role="Domain Admins")]
    public void bar()
    {
        // only members of "Domain Admins" get here; anyone else gets a SecurityException
    }
}
```