Login Anonymous User asp.net Core web api - authentication

I have been looking for days for the right solution. I have the user name and password stored in my DB.
I want only specific users to get access to some controller methods. How can I implement it, checking by user ID whether the user has permission or not?
Thanks!

You can implement basic authentication in Web API, adding the [Authorize] attribute on the specific controllers which need the user to provide credentials. Please refer to the articles below for code samples:
https://codeburst.io/adding-basic-authentication-to-an-asp-net-core-web-api-project-5439c4cf78ee
https://beetechnical.com/rest-api/how-to-validate-rest-api-using-basic-authentication-in-web-api-net-core/
https://jasonwatmore.com/post/2019/10/21/aspnet-core-3-basic-authentication-tutorial-with-example-api
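
As an added example (not taken from the original answer or the linked articles), this is a sketch of the Basic authentication handler that approach relies on. `IUserStore`, `AppUser` and the `permission` claim are hypothetical names, and the code assumes .NET 8 and HTTPS, since Basic credentials are only base64-encoded.

```csharp
// Assumes .NET 8 with implicit usings (System, System.Threading.Tasks, ...).
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical store: looks the user up in the DB and verifies the password
// against a salted hash (never a plaintext comparison). Returns null on failure.
public record AppUser(int Id, string UserName, bool CanManageOrders);
public interface IUserStore { Task<AppUser?> ValidateAsync(string userName, string password); }

public class BasicAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private readonly IUserStore _users;
    public BasicAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, IUserStore users)
        : base(options, logger, encoder) => _users = users;
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No usable header: the caller stays anonymous and [Authorize] issues the challenge.
        if (!AuthenticationHeaderValue.TryParse(Request.Headers.Authorization, out var header)
            || !"Basic".Equals(header.Scheme, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter))
            return AuthenticateResult.NoResult();
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter)); }
        catch (FormatException) { return AuthenticateResult.Fail("Malformed credentials"); }
        // Split on the first colon only: a password may itself contain ':'.
        var sep = decoded.IndexOf(':');
        if (sep < 0) return AuthenticateResult.Fail("Malformed credentials");
        var user = await _users.ValidateAsync(decoded[..sep], decoded[(sep + 1)..]);
        if (user is null) return AuthenticateResult.Fail("Invalid user name or password");
        // The user id travels as a claim, so controllers never re-read credentials.
        var claims = new List<Claim> {
            new(ClaimTypes.NameIdentifier, user.Id.ToString()),
            new(ClaimTypes.Name, user.UserName) };
        if (user.CanManageOrders) claims.Add(new Claim("permission", "orders.manage"));
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, Scheme.Name));
        return AuthenticateResult.Success(new AuthenticationTicket(principal, Scheme.Name));
    }
    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        Response.Headers.WWWAuthenticate = "Basic realm=\"api\"";
        return base.HandleChallengeAsync(properties);
    }
}
```

Register the handler with `AddAuthentication("Basic").AddScheme<AuthenticationSchemeOptions, BasicAuthHandler>("Basic", null)` and restrict individual actions with `[Authorize]` or a policy built with `RequireClaim("permission", "orders.manage")`. Inside an action, `User.FindFirstValue(ClaimTypes.NameIdentifier)` returns the authenticated user's id.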

Related

Create Authorization based on Roles

I'm logging in the user via an AccountController. The user is authenticated against Active Directory. A user claim is created with a name attribute with their user name. I'm using CookieAuthentication.
I want to authorize against an existing user table that will provide the role(s) for authorization. In ASP.NET MVC I set up a custom authorize attribute but that doesn't seem to be available. I've seen some very elaborate examples (using authorization policies, etc) for authorization. They look great but I'm actually doing something rather simple.
I want to be able to decorate the controller or action method with the role(s) required. For example:
[CustomAuthorize(Roles = "Admin")]
Could someone provide a simple example or point me in the right direction?

How can I use auth0 to register users and protect my API, but get the user_id

I am using auth0 to register users on my application, and hope to also use their api auth.
However, I have some endpoints like POST /api/v1/events which require an authenticated user.
On the application side, each event has a createdByUserID which is the user id of the requestor. I would like to get the userID from each request that comes in.
How can I accomplish this? I'm trying to follow their docs but I am having a pretty hard time.
You can use a rule in Auth0 to call your application when a user is registered. See this forum post. You can access details about the newly registered user in your rule, to extract data to pass to your application - see the Auth0 doc.

Where does [authorize] get the roles / users from (ASP.NET MVC 5)

I'm a newbie to asp.net mvc, so I created a simple internet application from the template. I added some users and some roles and connected them (in the database). Then I added [authorize(Roles = "MyRole")] and everything works fine. Can anyone tell me where authorize takes the information about users and roles from? Where is the magic that wired that up? (As I said: simple application from the mvc 5 "internet application" template.)
There's not really any magic here. Once you've authenticated, a principal is registered and filled with some of the basic information for the user, including any roles they're associated with. This information ultimately comes from your database of course, but how the authorization layer retrieves that and implements the principal from it is low-level and dependent ultimately on the authentication provider being used (Membership, Identity, Windows Auth, etc.).
Regardless, the Authorize attribute merely looks at the roles on the principal and if there's a match, allows the action to proceed. Otherwise, it does a redirect, usually to the sign in page of the application, or returns a 401 Not Authorized, depending on whether the user is authenticated or anonymous.
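
The role check described in this answer, as an added example that is not part of the original answer and is an approximation rather than the framework's source. The `UserRoles` table is constructed sample data standing in for the database, and `SignIn` and `IsAuthorized` are hypothetical helper names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class RoleCheckDemo
{
    // Constructed sample data standing in for the user and role tables.
    static readonly Dictionary<string, string[]> UserRoles = new()
    {
        ["alice"] = new[] { "Admin", "Editor" },
        ["bob"] = new[] { "Viewer" },
    };

    // What the authentication provider does at sign-in: copy the roles onto the principal.
    public static ClaimsPrincipal SignIn(string userName)
    {
        var claims = new List<Claim> { new(ClaimTypes.Name, userName) };
        if (UserRoles.TryGetValue(userName, out var roles))
            claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        // A non-empty authentication type is what makes IsAuthenticated true.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Cookies"));
    }

    // Approximation of the check behind [Authorize(Roles = "A,B")]:
    // the caller must be authenticated and hold at least one listed role.
    public static bool IsAuthorized(ClaimsPrincipal user, string roles)
    {
        if (user.Identity?.IsAuthenticated != true) return false;
        var required = roles.Split(',', StringSplitOptions.RemoveEmptyEntries)
                            .Select(r => r.Trim()).ToArray();
        // No roles listed means any authenticated user passes.
        return required.Length == 0 || required.Any(user.IsInRole);
    }

    public static void Main()
    {
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        Console.WriteLine($"alice / Admin:         {IsAuthorized(SignIn("alice"), "Admin")}");
        Console.WriteLine($"bob / Admin,Editor:    {IsAuthorized(SignIn("bob"), "Admin, Editor")}");
        Console.WriteLine($"bob / no roles listed: {IsAuthorized(SignIn("bob"), "")}");
        Console.WriteLine($"anonymous / Viewer:    {IsAuthorized(anonymous, "Viewer")}");
    }
}
```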

Authorize access to Controller by Windows Authentication

I am a novice in the MVC4 environment and am trying to restrict access to a specific controller on the basis of role.
[Authorize(Roles = "Administrators")]
public class AdminController : Controller
{
}
It works fine and asks for user credentials. But I don't want it to ask for credentials. Rather, it should automatically check the role of the Windows user, and if he is a member of the specific role, allow him to access the website page.
Can you please guide me on how to do that?
With the help of @Wiktor's comment I was able to arrive at a solution for it.
See my answered comment at - Window authentication not working in MVC4

Defining Spring Security user roles

I am going to design an application which authenticates users from another application. Basically, my application is only going to get whether the user is authenticated (true or false) and the user role.
Can I use Spring Security to make use of this role and give fine-grained control?
Basically, I do not want to use Spring Security for authentication, but for authorization.
If this is possible, can you point me to any example or documentation?
Thank you.
If I understand you right, you want to check whether a user is already authenticated in another application and, if so, authorize the user in your new application?
I think what you can do is apply a custom authentication filter in the Spring Security filter chain (http://goo.gl/uQpq9) which checks for the authentication in your other application. At this point you would have the possibility to set the roles (GrantedAuthority) the user gets in your new application.
A short tutorial can be found here: http://teja.tejakantamneni.com/2008/08/spring-security-using-custom.html
I hope this is what you are looking for,
Jens