rbac for asp.net? - asp.net

Is there an open rbac framework for asp.net? there a few solutions for rails but i cant find a simple rbac system for asp.net. is there something that can be used and extended?

This article looks like a good place to start (it is best to drill into the links the author references for more information, but make sure that you read the article as well):
Implementing RBAC on .Net:
Recently I worked on RBAC (Role based
access control) implementation within
.Net. A comprehensive work on this
topic is done by Mark Strembeck XoRBAC
Home Details on RBAC concept can be
found at NIST RBAC
While the design approach given in
Strembeck's work was comprehensive
enough to be realized on .Net, the
default implementation (done on XoTcl)
used extensive patterns from the
language (e.g. ability to use an
object as a class!), so a quick port
of that to a complete .Net
implementation of the design would
have taken a bit of an effort in my
current project. Well, instead of then
implementing the solution, I selected
MS Authorization Manager (I know folks
will say, Dah... that would have been
a no brainer). This is a small library
and a management console prrovided on
Windows 2003 and 2000 that implements
most of the RBAC requirements.

Maybe I've missed the point here, but ASP.NET ships with a pretty robust Role Provider framework - it should be very easy to find many open source implementations, if you really don't want to use the implementation that it comes with.

A comprehensive article on RBAC was found on RBAC Wikipedia. Instead of researching on how to implement the features mentioned in the article, I tried to find security framework which allows a non-technical guy like me to apply security on asp.net applications and found following frameworks:
Portal Guard
Visual Guard
Member Protect

Related

.NET CMS with custom authentication

I know there's tons of questions about .NET based CMS out there, but I have some specifics things I'm looking for.
1) Be able to leverage our application's existing authentication (We have our own implementation of of System.Web.Security.MembershipProvider as well as MembershipUser)
2) Be able to restrict who can view certain pages/segments based on our custom roles, in addition to restrictions on who can edit them.
Maybe most of them support this, but I haven't had much luck finding which ones specifically satisfy these requirements.
(Being lightweight is also a plus, I've read about Orchard and N2)
I don't know how much this will help you but here goes. We did a search last year for .NET content management systems and I wasn't super thrilled. There are a ton of commercial systems that are really expensive and appear to be crap.
I checked out N2 first. It seemed really clean, but it was way too barebones for our purposes. We would have had to do a ton of custom development to meet our needs. It's really a CMS framework instead of a CMS product.
Umbraco was the other system we took a serious look at. It has a lot more features built in and it's a fairly nice system as long as you don't mind a little XSLT. It does use the standard membership provider framework, so that's in your favor. I don't really know whether the roles will do what you want though. But since it's free you can play with it to see if it meets your needs.
As for Orchard, I don't know much about it. It wasn't around when we were looking, but it seems interesting. I couldn't tell in a reasonable amount of time how it handles membership and roles on the back end. It does seem like it's geared towards smaller sites, so it might be a little limiting in that respect.
We've been using Telerik's Sitefinity product with custom forms authentication. You can use forms authentication out of the box or you can customise it. It does make use of the provider model too.
More information on custom authentication can be found here.
I would suggest looking into AxCMS (at AxCMS.net). It is complete, pluggable and has extensive documentation. Specific documentation about their implementation of Membership and Security is available at : http://help.axcms.net/en_help_concepts_security.AxCMS
Microsoft's Scott Gu recommends it here at http://weblogs.asp.net/scottgu/archive/2006/02/02/437220.aspx
EPiServer is a commercial ASP.NET based CMS. It is essentially a set of .NET assemblies that you reference and build into your ASP.NET application to turn it into a first class CMS.
It makes use of standard ASP.NET features like the provider model so you can swap bits out.

GOOD tutorial(s) for learning the ASP.Net security/authentication framework

Through a lot of sticking my head in the sand, reinventing the wheel and general stubbornness, I've managed to go all this time (years) avoiding learning the built-in ASP.Net support for web application authentication, users and roles. Part of the reason is that rolling my own originally seemed like less work than getting my head around all the different layers of optional abstraction provided by the ASP.Net security framework and as such I came up with a nice library that worked fine for me.
I'm now trying to go back to using as much of the built in functionality of ASP.Net (MVC2/3, not WebForms) as possible, as I've found that the more non-standard functionality you build into an application, the harder it is for other developers to pick up your code and work with it.
The web is thick with half-tutorials, badly explained articles and information that excludes important beneath-the-hood information about the ASP.Net security framework.
Are there any good tutorials that rip the lid off ASP.Net security and show you how to use it and how it all works without trying to push you through wizards and specific provider models without understanding all of the options and their pros and cons?
This is a 18 part series articles from Scott Mitchell.
It's a very deep explanation of all the features that regards Authentication, Authorization and Membership providers in asp.net. I did never found a better source on this from the same author.
MSDN is the best for ripping the lid off: http://msdn.microsoft.com/en-us/library/ff647070.aspx

Implementation of a ASP.NET based portal-like application

There is the requirement, to write a portal like ASP.NET based web application.
There should be a lightweigted central application, which implements the primary navigation and the authentication. The design is achieved by masterpages.
Then there are several more or less independent applications(old and new ones!!), which should easily and independent be integrated into this central application (which should be the entry point of these applications).
Which ways, architectures, patterns, techniques and possibilities can help and support to achieve these aims? For example makes it sense to run the (sub)applications in an iframe?
Are there (lightweighted and easy to learn) portal frameworks, which can be used (not big things like "DOTNETNUKE")?
Many thanks in advance for you hints, tips and help!
DON'T REINVENT THE WHEEL! The thing about DotNetNuke is that it can be as big or as small as you make it. If you use it properly, you will find that you can limit it to what you need. Don't put yourself through the same pain that others have already put themselves through. Unless of course you are only interested in learning from your pain.
I'm not saying that DNN is the right one for you. It may not be, but do spend the time to investigate a number of open source portals before you decide to write your own one. The features that you describe will take 1000s of hours to develop and test if you write them all from scratch.
#Michael Shimmins makes some good suggests about what to use to implement a portal app with some of the newer technology and best practice patterns. I would say, yes these are very good recommendations, but I would encourage you to either find someone who has already done it this way or start a new open source project on codeplex and get other to help you.
Daniel Dyson makes a fine point, but if you really want to implement it your self (there may be a reason), I would consider the following components:
MVC 2.0
Inversion of Control/Dependency Injection (StructureMap for instance)
Managed Extensibility Framework
NHibernate (either directly or through a library such as Sh#rp or Spring.NET
A service bus (NServiceBus for instance).
This combination gives you flexible user interface through MVC, which can be easily be added to via plugins (exposed and consumed via MEF), a standard data access library (NHibernate) which can be easily configured by the individual plugins to connect to specific databases, an ability to publish events and 'pick them up' by components composed at runtime (NServiceBus).
Using IoC and DI you can pass around interfaces which are resolved at runtime based on your required configuration. MEF gives you the flexibility of defining 'what' each plugin can do, and then leave it up to the plugins to do so, whilst your central application controls cross cutting concerns such as authentication, logging etc.

ASP.NET SqlMembership Provider Scalability

I've got an upcoming project that is going to be dealing with 70,000+ users (education). I was wondering if the ASP.NET SqlMembership Provider has been used at such large capacities? Assuming the hardware is there, is there anything special that needs to be done to make it work smoothly? We're doing all the obvious things like separating boxes for databases and applications, but is there anything code wise that I need to watch out for?
I know one site that, owner of this site wrote a brilliant article about asp.net performance(http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx)
On this article there is one subject that author describes a patch about profile provider for higher performance. Please read that section.
Inbuilt SqlMembershipProvider is very reliable and workable. They tightly integrate with FormsAuthentication and Login Controls. So authentication is reliable and it is also quick to implement.
Only problem I see is the complexity of the Database table structure, they are quite tidy and not so straight at first. So you can basically write your own MembershipProvider that will talk to your own users table with more simplistic design and implementation. Also Managing Members on admin is also painful due to table design but in a way it is fairly possible to do so. For these reasons we wrote our own MembershipProvider based on Sql. It's working amazingly and we've had good experience of the same.
If you have a small website or project
you can straight go on with inbuilt
SqlMembershipProvider but for a large
project like yours I'd recommend
writing your own MembershipProvider.

ASP.NET wiki with AD authentication

I am exploring the options of establishing a wiki site for my company's division of developers, numbering over a hundred. We are a pure Microsoft (Certified Partner) shop, so it is natural to base an implementation on ASP.NET and IIS for familiarity's sake as well as extended learning opportunities.
It looks like Screwturn wiki does not offer a user provider that can hook up to Active Directory. Is there a wiki engine that natively supports AD? Managing two user bases would not be the most efficient of activities when we wish to control access.
UPDATE: looks like ScrewTurn now has an official AD provider
http://www.screwturn.eu/blog/?p=255
Have you had a look at Sharepoint Wiki? Sicne you are a Microsoft shop, it's probably the easiest to set up.
As expected, it integrates with Active Directory out of the box. It's not really written about much since it's part of Sharepoint Server. Here's the Microsoft Page
To be honest, it's not the greatest Wiki around. The markup is HTML based, which is clunky coming from MediaWiki, but It fit in nicely.
The N2 Open Source ASP.NET CMS is a lightweight CMS framework to help you build great web sites that anyone can update. It contains a package of functional templates with News, Wiki, Photo Galleries, FAQs, RSS, Data Entry, Polls and more. Also, N2 leverages on ASP.NET features such as existing web controls site map and membership providers.
We've been using Perspective Wiki - it integrates with Windows AD fairly well, and has most of the features you'd expect of a wiki - which is more than could be said for the SP Wiki - we've not migrated to MOSS wiki's yet mostly because of missing features.
MindTouch is OpenSource and .Net based. Ohloh has rated it as a 5. The source code is pretty tight, and there are connectors for SqlServer as well as a scripting language. Finally it supports LDAP and ActiveDirectory.
MindTouch is a generally considered a good open source alternative to SharePoint as you can quickly create customizations with it's toolkits as well as integrate with MS Office.
According to their website LiteWiki supports the ASP.NET membership providers and is pretty lightweight.
It might not be what you are looking for but my compnay has MediaWiki on Linux/Apache running with integrated AD security. It is locked down to users in a particular AD group and we log on with our AD credentials.
MediaWiki seems to be a very good wiki too.
You can add AD support with a couple line of code. Check the Screwturn wiki forums for various examples

Resources