I have an ASP.Net MVC application and I'm using Forms authentication in SQL Server. This sets up the authentication and authorization for me. However, I have other person-based data that I need to track as well, such as the person's phone number, department, their charge-out rate, start date, etc.
WHAT the person can do (which is controlled by ASP.Net security) is related to WHO they are (which is controlled by my application).
Is there a best practice for linking ASP.Net with my application data to get a more complete person object? Can I simply extend the information in the ASP.Net tables? Is it better to keep it separate? Has anyone got any tips or links for guidance?
Since you are already using ASP.NET Forms Authentication the ASP.NET RoleProvider which can be integrated into MVC via the Authorize attribute is just as easy to setup.
And you get something like this:
[Authorize(IsInRole="Chef")]
public ActionResult Cook() { // snip ...
And if you did use all that, there's also the ProfileProvider for ASP.NET which generates profile code for you with full intellisense support. You can customize which fields you want and what data types it should be stored in etc. etc.
Both the Role Provider and Profile Provider can be customized or roll-your-own, there are many many articles on the internet that will tell you how.
Using the ASP.NET providers also gives you the benefits that the data is maintained automatically throughout the ASP.NET request processing pipeline, e.g. you can access this property:
HttpContext.Current.Profile
...from almost anywhere.
Use the built-in functionality for Profile Properties to store additional data about your users.
Related
I have an ASP.NET MVC 5 application where I want to authorize users to access specific content via roles. These roles will be passed in through the application headers. After exploring ASP.NET membership, it seems like the membership information is normally supposed to be stored in a table, but I do not need/want this. I simply need to take the role from the header when the user accesses the application, and then access it later (ideally) using ASP.NET membership to use data annotations in my models and/or views to control who can see what information.
I apologize if this is sort of ambiguous, I am just not sure where to start since I cannot seem to find an example of someone simply taking the role from the headers without storing this information in a membership table.
Thanks!
I'm writing an MVC application, using ASP.Net Membership for security. The application will allow multiple websites to run from the same app and database.
The websites running on the app will be completely independent from each other. The users of those sites will have access to their site only.
If I'm using one web.config, one MVC app and one database, can I achieve site specific security using ASP.NET membership?
Presumably I'll only have one application key so won't be able to use that to differentiate between sites. I thought about using Roles but will be exposing roles to site administrators -- and don't want admins to add / configure roles for a different site to their own users.
This potential problem has only just occurred to me so any help will be greatly appreciated.
You could you have them as sub sites of the main site (with web.config setup there) and therefore, the authentication permeates through the sub-sites.
There is an ApplicationName property that the roles provider uses to filter roles on. Try setting that property before fetching roles.
Something like this should work:
Roles.ApplicationName = "MyAppName";
var authorized = Roles.IsUserInRole("Some.user", "admin");
I haven't tried this, it is a static property and could give you weird results, so be careful. The best way to do this would be to implement your own provider so you could do something like Roles.IsUserInRole("some.user","admin","MyAppName").
I need to build a "my account" application for my friend. I plan to use asp.net MVC 3.
I have to use third party API to authenticate users. if this is regular web application, it is easy, I submit the request using third party API, get response back. if this is authorized user, create a session. ON all the protected pages, i just check the session, if it is exist, then show the content, otherwise redirect back to login page.
I probably can do the same on my mvc3 project, but I know that definitely is a wrong approach. MVC3 is very flexiable. there must be a better way to do it. After I get response back from the third party API. What should I do after that? please show me some codes if you can.
Use the ASP.NET membership provider and create a custom provider to hook into your API. This gets a lot of the hard work done for you and you're not "reinventing the wheel". There's a great overview about how to do this with MVC here: http://theintegrity.co.uk/2010/11/asp-net-mvc-2-custom-membership-provider-tutorial-part-1/
Create a new MVC 3 application using the "Internet Application" template when you do file-new project.
All the code is then created for you - in visual studio click on the "ASP.NET Configuration" icon in solution explorer.
create your users and your roles
decorate your controllers and/or action methods with
[Authorize(Roles="Administrators")]
public class MyAdminOnlyController : Controller
{
}
Configure additional features such as forgotten password functionality, password resets, etc. Some additional features will require coding.
Done!
I don't think using MVC3 for authentication is anything different than regular web app. In your controller, you will send the username and password getting from the view to the API,getting the response back.
You can then save it to session and check against it on any page you want to be protected.
MVC is just the way to separate view logic, business logic and data model. The application flow is the same.
ASP.NET already build ASP.NET membership provider. The back end data can be stored in ASP.NET Configuration website, SQL Server database,Active Directory, and another database but you need to custom the authentication provider.
this is the expample for SQLServer Membership provider, for the detail documentation you can read from here
For ASP.NET Configuration management Membership provider, you can read from Music Store ASP.NET MVC tutorial in Membership and Authorization section. If you want to learn about ASP.NET MVC authentication/authorization. Music Store example is a recommended tutorial for exploring ASP.NET MVC3 feature, Entity Framework and Authentication also.
In asp.net mvc default application you get he account controller which enable user registration, log in, log out and changing password.
I was wondering is it possible to implement litle more like enabling administrator to delete some user or give some user different roles like in asp.net configuration where you create user, roles and asign roles to users?
I already figured out and extend profile for users, so now they have much more infos and profile picture.
If you have any experience or examples of user management in asp.net mvc.
Although a bit outdated, this project maybe can give you a few hints on how to implement membership administration in ASP.NET MVC:
Asp.Net MVC Membership Starter Kit
Quote
What is the Asp.Net MVC Membership
Starter Kit?
The starter kit currently consists of
two things:
A sample website containing the controllers, models, and views needed
to administer users & roles.
A library that provides testable interfaces for administering users &
roles and concrete implementations of
those interfaces that wrap the
built-in Asp.Net Membership & Roles
providers.
Out of the box, the starter kit gives
you the following features:
List of Users
List of Roles
User Account Info
Change Email Address
Change a User's Roles
Update
For restricting certain operations to specific user roles, you can create these roles using the project I mentioned earlier, and then decorate your own application's controllers and/or actions with an Authorize attribute, referencing the desired roles:
[Authorize(Roles = "Administrator, HR")]
public ActionResult DeleteUser(int UserId)
{
// do something
}
This would prevent users that are not Administrator or HR to delete users.
Here is my try for a reusable user & role management:
https://github.com/Epstone/Simple-MVC-User-Management
If I were you I'd create a Admin "module" which handles all of these things. I don't know of any asp.net documentation on this, but if you look around on PHP documentation (Zend Framework, CakePHP or other) you get the basic ideas of the structures you should use to achieve this. Just remember to keep things seperated, admin stuff goes into a admin module not a user module (but maybe a user controller inside a admin module).
I answered a similar question here:
User Management in ASP.Net MVC 3
This provides you with an MVC 3 Razor based User Management Tool. This does not include Roles, but if you get this far, it should not be real difficult to add them.
I want to add login for registered users in my website. How shall I proceed with it? Is it through the use of sessions? What will happen to the Session variable once the logout happens??
Your question is extremely broad and there are many different ways that you can implement what is, in effect, a "membership" system for an ASP.NET website.
I would suggest that you start by reading the "Introduction to Membership" article from MSDN. This article will give you an overview of how ASP.NET membership works in the most "standard" way.
It also mentions using the various ASP.NET membership "controls" (Login, LoginView, LoginStatus & PasswordRecovery for example).
Using these controls along with the built-in ASP.NET membership providers (for example, ASP.NET provides a SQL membership provider to work against SQL Server as the data store for your user accounts and credentials) will allow you to implement a complete membership and authentication system with virtually no code at all (i.e. all the functionality is provided by the built-in "membership" controls and declarative mark-up).
Finally, a really good series of articles on this subject is:
Examining ASP.NET 2.0's Membership, Roles, and Profile
from the 4guysfromrolla site. It's starts at the very beginning of the membership topic and goes right the way through to touching on the implementation of a custom membership provider and administrative interface for managing user credentials to round out the whole subject.
I'd take a look a related questions, such as
Login Membership .NET
This topic is already covered quite a lot on SO.
Session state and log in are somewhat orthogonal. You have a session regardless of whether or not you are logged in.
You should use the provided Login control and Membership system.
About Session vars, nothing special will happen. ASP.NET forms authentication does not use SessionState by default.
I would recommend using forms authentication with perhaps a custom backend using IIdentity and IPrincipal. There’s lots of information available how to do this but I think this link forms a good starting point http://msdn.microsoft.com/en-us/library/aa480476.aspx