Blazor server side role or claim based authorization when using windows login - authorization

I am new to working with Blazor and Authorization. Background is desktop apps in Vb.Net, so I have been reading everything I can on it, but it still is very confusing when I only want a specific subset of the options out there.
I have a very simple intranet Razor Server based app that is getting the windows user name correctly with default authentication. (I use the name in calls to stored procedures for logging, so I know that is working correctly.)
What I need is to implement authorization (role based would be fine) based on information I already have in the database tied to the user name.
Where and how does one add roles to an existing authstatetask or other object instantiated by the default processes?
Everything I have seen deals with the EF version of Identity or wants to override the authorization task.
I have simple DB calls being made in Dapper which will return an identifier from which I can set roles.
I just need pointers to the proper method and where in the app I should put it. I have just a single .razor page being loaded, Navbar is disabled.

You can either:
Implement Identity stores for Dapper following the instructions in this blog: ASP.NET CORE IDENTITY WITHOUT ENTITY FRAMEWORK
Use Policy-based authorization and create authorization handlers meeting your requirements
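Added example (not code from the question or the answer above) of one concrete place to put the Dapper lookup: an IClaimsTransformation runs right after Windows authentication has produced the principal, so roles read from the app's own table end up on the user before Blazor's AuthenticationStateProvider sees it and `[Authorize(Roles = "...")]` or `<AuthorizeView Roles="...">` work without Identity. The table and column names, the Program.cs registrations and the IDbConnection setup are assumptions.

```csharp
using System.Data;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Dapper;
using Microsoft.AspNetCore.Authentication;

// Hypothetical class: after Windows authentication has produced the principal, look the
// account name up in the app's own table and attach the matching roles to it.
// Assumed wiring in Program.cs, next to the existing authentication setup:
//   builder.Services.AddScoped<IDbConnection>(_ => new SqlConnection(connString));
//   builder.Services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    private const string Label = "db-roles";
    private readonly IDbConnection _db;

    public DbRoleClaimsTransformation(IDbConnection db) => _db = db;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Only enrich a real login, and only once: the framework can call this more than
        // once per request, so the marker label prevents duplicate role identities.
        var name = principal.Identity is { IsAuthenticated: true } id ? id.Name : null;
        if (name is null || principal.Identities.Any(i => i.Label == Label))
            return principal;

        // Parameterised query: the account name is bound, never spliced into the SQL.
        // Table and column names are assumptions standing in for the asker's schema.
        var roles = await _db.QueryAsync<string>(
            "SELECT RoleName FROM dbo.UserRoles WHERE WindowsAccount = @name",
            new { name });

        // WindowsIdentity uses GroupSid as its role claim type, so a ClaimTypes.Role claim
        // added to that identity would be ignored by IsInRole and [Authorize(Roles = ...)].
        // A second ClaimsIdentity, whose role claim type defaults to ClaimTypes.Role, is
        // consulted by ClaimsPrincipal.IsInRole alongside the Windows identity.
        var roleIdentity = new ClaimsIdentity(roles.Select(r => new Claim(ClaimTypes.Role, r)))
        {
            Label = Label
        };
        principal.AddIdentity(roleIdentity);
        return principal;
    }
}
```

In Blazor Server the circuit captures the principal when the connection is established, so a role granted in the table takes effect when the user next loads the page. The lookup runs on every request, so cache it keyed by account name if the table is large.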

Related

How to set up a global variable accessible across all pages of asp.net core razor app

I have developed a simple asp.net core razor app with Windows authentication to be used in our intranet, hosted on prem.
In order to distinguish a normal user from an admin user (the user who is allowed CRUD), I check the logged-in user principal against the AD group membership. I have a static helper function which does that.
At the moment I use a public flag on each page by calling that helper function, to be used in the razor page to show/hide the edit/delete buttons.
Is it possible to run this function only once (say, in the index page) and set a global flag to be used across all pages?
It sounds like you need a cache server to store the data fetched in the static helper function.
Of course, from your current design, the least code change is to use a Redis cache. Then inject the Redis cache middleware into the Controller or Razor Page.
If global variables are used in .NET Core, an object can be set when the program is initialized to store the user ID and read/write permission. But when running the static helper function, the data may not be dynamic and real-time. So I think the design might be flawed.
But I think you should use Role-Based authorization in your project, because you also use Azure AAD. So I recommend you read the article below.
IMPLEMENT APP ROLES AUTHORIZATION WITH AZURE AD AND ASP.NET CORE (Microsoft MVP's Blog)

What is the best way to implement different User Roles/Permissions depending on "Project"?

Our current API leverages ASP.Net Identity and Policy Based permissions for Authorization. It uses User Roles as claims for this. These claims are intercepted by a ClaimsTransformer class and the user permissions are read from a database containing the user mappings (cached). This all works fine.
The problem I'm having is with the API's scope expanding to include different "Projects", such that for instance, a User can be a Creator in one project but a Consumer in another. Is there a way to reconcile these requirements with .NET Core's Role/Policy based Authorization? Or is the best approach here to query the Database for these permissions upon each request?
Authorization is hard and a good starting point is to watch this video:
Implementing authorization in web applications and APIs.
Then using the policies and requirements is how I would approach this and this resource is a good reference:
Custom authorisation policies and requirements in ASP.NET Core
The picture below shows how the concept of requirements works in ASP.Net Core, where you can define a requirement and then have one or many handlers independently "vote" on whether the user is approved or not.
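Added example (not the asker's or the answerer's code) of how a requirement and a handler can carry the project as the resource, so the same user is a Creator in one project and a Consumer in another without one policy per project. The Project type, IProjectMembership and the in-memory table standing in for the cached mapping are assumptions; the role names come from the question.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Assumed resource type standing in for whatever the API already uses for a project.
public sealed record Project(int Id, string Name);

// The requirement names the roles that satisfy it; the project is supplied at check time.
public sealed class ProjectRoleRequirement : IAuthorizationRequirement
{
    public HashSet<string> AcceptedRoles { get; }
    public ProjectRoleRequirement(params string[] acceptedRoles) => AcceptedRoles = new(acceptedRoles);
}

// Hypothetical lookup over the (cached) user-to-project mapping the question describes.
public interface IProjectMembership
{
    Task<string?> GetRoleAsync(string userName, int projectId);
}

// Constructed in-memory stand-in: alice creates in project 1 but only consumes in project 2.
public sealed class InMemoryProjectMembership : IProjectMembership
{
    private readonly Dictionary<(string, int), string> _map = new()
    {
        [("alice", 1)] = "Creator",
        [("alice", 2)] = "Consumer",
    };
    public Task<string?> GetRoleAsync(string userName, int projectId) =>
        Task.FromResult<string?>(_map.TryGetValue((userName, projectId), out var role) ? role : null);
}

// Resource-based handler: Succeed is called only for the (user, project) pair being checked;
// returning without it leaves the requirement unmet, which authorization treats as deny.
// Register with services.AddScoped<IAuthorizationHandler, ProjectRoleHandler>().
public sealed class ProjectRoleHandler : AuthorizationHandler<ProjectRoleRequirement, Project>
{
    private readonly IProjectMembership _membership;
    public ProjectRoleHandler(IProjectMembership membership) => _membership = membership;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ProjectRoleRequirement requirement, Project project)
    {
        var userName = context.User.Identity?.Name;
        if (userName is null) return;
        var role = await _membership.GetRoleAsync(userName, project.Id);
        if (role is not null && requirement.AcceptedRoles.Contains(role))
            context.Succeed(requirement);
    }
}
```

An action then checks a specific project with `await _authz.AuthorizeAsync(User, project, new ProjectRoleRequirement("Creator"))` (IAuthorizationService injected as `_authz`) and returns `Forbid()` when `Succeeded` is false; a read endpoint would pass `new ProjectRoleRequirement("Creator", "Consumer")`.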

From where does [Authorize] know the roles / users (ASP.NET MVC 5)

I'm a newbie to asp.net mvc, so I created a simple internet application from the template. I added some user and some roles and connected them (in database). Then I added [authorize(Roles = "MyRole")] and everything works fine. Can anyone tell me from where authorize takes the information about users and roles and so on? Where is the magic that wired that up? (As I said: simple application from template mvc 5 "internet application")
There's not really any magic here. Once you've authenticated, a principal is registered and filled with some of the basic information for the user, including any roles they're associated with. This information ultimately comes from your database of course, but how the authorization layer retrieves that and implements the principal from it is low-level and dependent ultimately on the authentication provider being used (Membership, Identity, Windows Auth, etc.).
Regardless, the Authorize attribute merely looks at the roles on the principal and if there's a match, allows the action to proceed. Otherwise, it does a redirect, usually to the sign in page of the application, or returns a 401 Not Authorized, depending on whether the user is authenticated or anonymous.

Migrating from ASP.NET WebForms to ASP.NET MVC 4

I'm a student intern and I've been assigned a project where I have to redesign their customer support webpage. I am new to ASP so they asked me to migrate the code to MVC 4 so I'll learn it for future projects.
The webpage has form authentication using custom classes, extending MembershipProvider and RoleProvider and the data is displayed with asp:SqlDataSource queries, defined directly inside .aspx files.
As I've learned, the point of MVC is to separate the front-end (view), controller and back-end (models, db access). I've done some progress towards that, but I have problems at authentication. I've managed to enable login using explicit MembershipProvider and RoleProvider initialization (which should be done automatically as configured in Web.config). With calling the MembershipProvider.ValidateUser() and FormsAuthentication.RedirectFromLoginPage() I verify user details and store their username to preserve it upon navigation.
This works, but removes all the functionality of WebSecurity methods, also the specific authorization, e.g. [Authorize(Roles = "...")], doesn't work as expected, it doesn't authorize any role. The MVC sample project in Visual studio uses SimpleMembershipProvider for user authentication, but I haven't found any projects or tutorials on how to implement custom authentication same way as I did with extending MembershipProvider class and overriding its methods.
The problem is that there is already a T-SQL database with a lot of users, who are linked to other services, so obviously I can't alter it in any way nor can I create new database / tables. The projects I've looked at create databases from scratch, I haven't found any project using custom authentication / authorization using WebSecurity and existing database.
I'd like to ask you for any advice, examples or links to projects or tutorials where I could see how to implement WebSecurity instead of FormsAuthentication. As I've mentioned, I already have a fully functional MembershipProvider and RoleProvider and I believe that SimpleMembershipProvider and SimpleRoleProvider have similar methods, so it shouldn't be that hard on this part. Also, I don't want to mix Webforms and MVC, I want a pure MVC application.
I'm using ASP.NET MVC 4 with C# and Razor engine, T-SQL and LINQ to SQL for database access.
It's been my experience, when migrating old pages from webforms to mvc, that you kind of have to 'forget' that it was ever a webform page to begin with.
To more directly answer your request for help resources, maybe this will be useful: http://kylehodgson.com/2013/01/08/asp-netmvc-web-security-basics-csrf/

Where to keep data about an authenticated user?

I am still pretty new to ASP.NET Web API. I am currently working on the authentication part of a new application based on Web API, which is developed using some libraries/kinda framework of the company.
There is already some MVC application - they are using forms based authentication and they are not using the IPrincipal to store information about the user, rather a unity based approach, keeping data in a custom IUser object (basically kept on the session).
The Web API application is going to be stateless (no session), just that I am going to add some user related information in the authentication cookie (retrieved per request in the Application_PostAuthenticateRequest).
I am a bit undecided whether to keep this user-related data in a custom implementation of IPrincipal (which I noticed to be a practice) or to use the current approach of other applications in the company, utilizing an IUser served by Unity with a per-request lifetime manager.
Which do you consider to be the better approach?
If you're keeping track of Users per session, try using Singleton classes; if you're about to make a log of the users that entered the session, write it down in a text file like a whitelist.