Aspx Page Level windows authentication? - asp.net

I have a document approval workflow application. The workflow sends emails to appropriate users with links for Accept/Reject the document.
When the user clicks on Accept or reject link, an aspx page is shown, where he can type a comment and submit.
Now the question is I want Windows Authentication on this aspx page. If the user is authenticated I want its Userid to be checked against database if his role/profile has priveledge to view the page.
How should I achieve this?

If the whole thing is internal (within your organization) then simply use Windows Authentication on the website. Other wise you have to mix Forms and Windows Authentication on the site. Here is an MSDN article about this.
Once authentication is wired up you can access the user's identity using static
System.Security.Principal.IIdentity user = Page.User.Identity;
property. It contains IsAuthenticated and AuthenticationType properties which you can put to use.

Related

Confirm and enable users in ASP.NET identity

I an working on an ASP.NET MVC project and I want users to be disabled initially on registration until they confirm their email and phone number. But however (by default) disabled users cannot login to the app to do this unless by an admin. How can I temporarily disable the users and still allow them login but only with limited access until they confirm their email and phone number.
You can create Customer Action Filters which in turn check whether user has verified mobile number or email address from database.
Example of Action Filters is [Authorize] attribute on Controller.
You can then use this Customer Action Filters on Controller where you want to restrict them for doing any operation.
You can even display different view or Alert Message for telling users about it.
ASP.NET MVC 4 Custom Action Filters MSDN

ADFS - On premises SSO Implementation

I have an Asp.Net application that communicate with ADFS(on some other Windows Server) for authentication purpose. Currently, when we navigate to application, it redirects to ADFS SSO authentication page. I followed this blog to implement SSO and have some questions here:
Can we change implementation so that it may redirect to authentication page only when I press login button ?
Can we change implementation so that only one page/URL of my application can be accessed without any authentication ?
What parameters are returned when user is authenticated and redirected back to landing page. How do we get all available parameters ?
In this blog returning things are are Value, ValueType, Subject Name, Claim Issuer and Claim Issuer type. Can I get email or username ? so that I may link that person to a client in my application.
If anyone of above is possible, how I can get it ?
The login button is part of the ADFS screen. That's by design. The sample uses WIF so you are outsourcing authentication to ADFS.
Yes - Use the "location" annotation in the web.config. refer Location Element.
The parameters that are returned are the claims configured in the claims rules. The article show "Display-Name" and UPN. If you want email, just add another row and select it from the dropdown.

Forms Authentication issue with WebBrowser Class in asp.net

I am developing a site and in this site i m building a functionality to capture a screen shot of a page. In my site i am using forms authentication.now first of all.
So when user login to the website he/she has to enter the credentials and then go to their profile page.
So now i am just creating a thumbnail of the user profile page using WebBrowser Control but the problem is , i m using forms authentication and it's always capture the login forms page because of forms authentication.
So Please help me ASAP.
In that case you will need to perform login programtically for forms authentication. Here is the piece of code which will be required.
FormsAuthentication.SetAuthCookie(UserName, false);
And here is more info
http://weblogs.asp.net/joseguay/archive/2009/03/23/the-asp-net-capsule-2-login-programmatically-with-forms-authentication.aspx.
However, be aware that the code you are using for creation of screenshot might not go well with it. So take care of this. These posts might help you in that case Send credentials to WebBrowser
You have to simulate forms authentication via WebBrowser control - essentially, use document object model (Document property) to locate user name/password input boxes, set their values and trigger submit (either inject java-script to do form submit OR use DOM to simulate login button click).
IMO, better way would be to use WebRequest (HttpWebRequest) to simulate the POST to login page to do authentication and then issue request to user profile page. Get the page html(from response) and load it in Web Browser control using DocumentText property.
In case, you have control over the server site, you may modify user profile page to allow un-authenticated access over certain requests (for example, from local machine or specified IP etc).

How-to check if user is logged in asp.net and depending on if they are logged in display a certain page?

I have a very basic understanding of ASP.NET and I am trying to do the following. I have a home page that is set-up to be a login page. If you could just picture a username and password box that is the extent of that home page. Once the user is logged in they will go to a different page let's say the account page. However, when the user clicks the logo at the top left hand it takes them to the home page again but it shows the username and password boxes again ready to be filled.
The user status at the top of my page still shows that the user is logged in. What I am trying to do is add a piece of code that will change the link of the logo to display the account page once they are logged in and not the login page.
I don't know if this can be done through the web.config file since I read a different article that has something similar to this or if this code can be put directly next to the code where my logo link (default.aspx) sits.
Many thanks in advance!
Research the Membership Provider.
It's an industry standard in ASP.NET session management. It will manage all of your pages and allow you to customize pages, menus, etc. based on roles and permissions. Don't reinvent the wheel if you have the oppertunity to use it.
Straight from MSDN:
ASP.NET membership supports facilities
for:
Creating new users and passwords.
Storing membership information (user
names, passwords, and supporting data)
in Microsoft SQL Server, Active
Directory, or an alternative data
store.
Authenticating users who visit your
site. You can authenticate users
programmatically, or you can use the
ASP.NET login controls to create a
complete authentication system that
requires little or no code.
Managing passwords, which includes
creating, changing, and resetting them
. Depending on membership options you
choose, the membership system can also
provide an automated password-reset
system that takes a user-supplied
question and response.
Exposing a unique identification for
authenticated users that you can use
in your own applications and that also
integrates with the ASP.NET
personalization and role-management
(authorization) systems.
Specifying a custom membership
provider, which allows you to
substitute your own code to manage
membership and maintain membership
data in a custom data store

Open protected web page passing in credentials programmatically

I have code examples from some of my previous work that help me to post form values to a web page (login credentials) and retrieve the text from that page. Now I want to pass in form values (login credentials again) but actually open that web page in a browser given those credentials.
How do I do that? I'm not doing anything nefarious. In our CRM app (home-grown as it is), I want to create a link button that opens our web site's protected products page given the user's credentials (based on the user's login credentials). Normally, I'd copy the user's credentials in our login page which then takes me to the products page. I'm trying to do this now by just clicking a link button.
Any suggestions?
How are you launching the browser? Is this an internal network app? If so, I would recommend using Windows Authentication for your ASP.NET app, and then you don't have to worry about passing credentials. If you can't do that, then you'll probably have to pass the credentials on the querystring generated by your CRM app. Obviously, this is a huge security risk. But the next step would be to perform your internal authentication and then call FormsAuthencation.RedirectFromLoginPage or FormsAuthentication.SetAuthCookie().

Resources