I have a requirement for multiple Role Providers per website. What I'm not seeing is if/how to tell ASP.Net which provider to use (similar to the membership provider property on the login controls). I have a feeling that since this is done (I beleive) in an HTTP Module the role check may be occuring before the page life cycle ever begins - but I'm hoping someone gives me a different answer.
If I want to have multiple providers per website am I going to have to junk the configuration in web.config and perform the checks manually?
The Providers property references all the role providers enabled for an application. You can control which provider you wish to use at runtime like this:
RoleProvider provider = Roles.Providers["MyRoleProvider"];
Related
I have been going around in circles trying to properly understand this.
I have an ASP .Net MVC project I am working on and need to implement user logins that authorize and authenticate against en external system (via webservice).
I can't seem to get my head around MembershipProvider and AuthorizeAttribute in the context that I require.
Which do I need to use (I believe its both) and where do I need to customize to provide the authentication against an external system.
There is one additional thing I also require on top of the default ASP .Net user principals in that the external webservice will return a session ID upon successful login that would be used for subsequent requests to external services.
Would someone be able to point me in the direction of some useful example of this sort of set up?
MembershipProvider is used to provide the users that may login the system. The RoleProvider is used to tell which roles a user has. They are used during the authentication process. i.e. identifying the user. You can read about membership vs roles
The [Authorize] attribute on the other hand is used during authorization. i.e. to check if the user is allowed to do something.
I'm using the out of the box Asp.Net Membership functionality to handle my user management and role management.
My application consists of a single database for each client and each database has its own Membership provider and role provider.
However, there are some users who work for more than one of the clients and I want to be use a single login and let them choose which client to view. I have everything setup to facilitate this "client switching" by using an intermediate database that stores all usernames and a relation to which clients they have access to. I also have it setup so any updates to a user in one database will update all of the corresponding users in the other databases. All of this logic is working very well, except that I can't seem to figure out how to tell ASP.Net to change to a specific MembershipProvider and use that one.
The process I thought I should use is as follows (when the user switches the client in the clients dropdown):
Log the current user out
Tell ASP.Net which Membership provider to use (selected based on the client chosen in the dropdown)
Log the current user in using the selected client's membership provider and refresh/redirect to the page they were viewing when they changed the dropdown
I know how to get a reference to the specific membership provider (Membership.Providers[MembershipProviderName]), but I can't find any information on how to tell ASP.Net to change its membership provider. I'm not really even sure how the asp.net Login control does this in the background either - something that would probably help me out in all of this.
I've been searching SO and the web for awhile and can't seem to find much about doing this other than a few threads where people are trying to modify the DefaultProvider attribute of the Providers element in their Web.config.
This MSDN tutorial may help you.
Is it possible to override the logic IsInRole in asp.net? I use my own tables of roles in the database and I would like to know how to use own logic.
Something like inheriting from PrincipialBase. Do you know some ways?
I would only use RoleProvider if you are using other aspects of ASP.NET authentication and authorization management. However, if you have your own database for storing role information and already have a UI for managing user roles, you can get away with just creating a GenericPrincipal with your roles and replacing HttpContext.Current.User with it during PostAuthenticateRequest (for ASP.NET).
MVC is slightly different, depending on how you are managing authorization. Here is a related question.
application role management in asp.net mvc (How)?
It is better to load all the roles for a user once per request then to check roles against the database multiple times during the request.
Then you need to implement a custom RoleProvider. Here is a guide to implement a RoleProvider.
Microsoft released the source code for the default providers (membership, role, etc...).
That is also a great reference when implementing your own provider. The one time I implemented a custom role provider, it served me very well.
I have an existing production application that uses vanilla ASP.Net Membership for authentication.
However, I'd like to provide other means of authentication as well as the current ASP.net membership system, such as Facebook.
The Windows Azure Access Control Service makes this extremely easy and straight forward. Provided, that is, you're starting a new web application from scratch.
So, in this case, how do I
Integrate the Access Control Service authentication into my app without affecting the current login system and its users?
Migrate users over or Link logins? ( not sure if this is even possible)
Thanks all
Roberto
You need to create a custom identity provider based on your membership database. See this article on custom WS-Federation Identity Providers that can be integrated to access control: http://msdn.microsoft.com/en-us/library/windowsazure/gg185933.aspx
Also see this article on one that was written on top of the membership database: http://blogs.msdn.com/b/vbertocci/archive/2009/04/23/enhance-your-asp-net-membership-based-website-by-adding-identity-provider-capabilities.aspx
Approach of creating an identity provider (IP) based on your ASP.NET membership database which Paul Tyng suggested is valid.
However, it means that if you just create an IP you'll allow log in to all people who are authorised with other IPs (e.g. Google or Facebook). I'm guessing it's not what you want - you'd still want people to first register (either plainly with username-password or with their external identity). If that's the case then your task is the following:
Add a data store for users' external identities which is related to your existing Users table.
Modify the ACS login handling within your application to check that the identity returned from ACS actually exists in your members database.
Perform member log in (instead of federated log in) if you found the returned identity in your db.
Add external identity tie in during the registration process so your Identities table can be actually populated.
(optional) Re-use the bulk of the #4 mechanism to provide an ability to attach external identity to existing user accounts (i.e. I already have a normal membership with you and now want to add an ability to log in with Google as well, for example).
There is no one single tutorial/walk-through to achieve this (or I have not found one) so I had to pull bits from a variety of sources to make it work. Please let me know in the comment if I understood your requirement correctly and I'll add a guide on how to set this up. Cheers!
Might be a bit late, but check out the following blog posts by fellow Windows Azure MVP - Dominik Bayer:
Mixing Forms and Token Authentication in a single ASP.NET Application
Mixing Forms and Token Authentication in a single ASP.NET Application (the Details)
Replacing ASP.NET Forms Authentication with WIF Session Authentication (for the better)
Invaluable readings which will help you in any way!
I'm working on a project that needs to authenticate users based on records in two different databases. All administrators are stored locally and require full functionality to manage their accounts (reset password, etc). Regular users are authenticated against a different database used by another web app, so I only need to check that their credentials are correct.
After entering their username/pass at the logon screen, my app should check if they exist in the local admins table. If so, they are given the role of 'admin' and allowed access. If not, it should then check the other app's user table and give them a 'user' role if successful.
The project is basically a large online book. Users simply need authentication to view it, rate the sections, and bookmark pages. The rating/bookmark data will be associated with their unique id. All user management is handled in the external app. Admins, however, will only be able to view/edit the pages and will NOT be rating/bookmarking things. Their accounts will be managed with this admin area.
What is the best way to accomplish this in a .NET MVC application? By 'this', I mean integrating the logon/authentication system with both and assigning them a role based on which database confirms their credentials.
Thanks in advance!
MVC really doesn't have much to do with your user validation logic - you'll need to implement a custom membership provider to handle connecting to both databases and performing the validation. This membership class could be ported to any application though, it's not specific to MVC.
Once you've got your logic in your custom membership provider, you just need to use FormsAuthentication with your MVC app, of which there are lots of tutorials around, here's a quick one.
The only tip that I would add that pertains to MVC is that you should try to keep your logic for view decisions in your controllers. It's tempting to put something like "<% if user == admin then renderPartial(this) else renderPartial(that) %>" in your View, but that violates MVC principles in my opinion. Much better to use ViewModels or populate ViewData in your controller.