I develop a web application. It has a three-tier architecture (data access layer, a business logic layer and the presentation layer). A data access layer is implemented with a NHibernate ORM (S#arp Architecture). I have the following table:
public partial class Role {
public Role()
{
this.Users = new Iesi.Collections.Generic.HashedSet<User>();
}
public virtual long Id
{
get;
set;
}
public virtual string Name
{
get;
set;
}
public virtual Iesi.Collections.Generic.ISet<User> Users
{
get;
set;
}
}
public partial class User {
public User()
{
this.Drivers = new Iesi.Collections.Generic.HashedSet<Driver>();
this.UserPhotos = new Iesi.Collections.Generic.HashedSet<UserPhoto>();
this.Roles = new Iesi.Collections.Generic.HashedSet<Role>();
}
public virtual long Id
{
get;
set;
}
public virtual string Login
{
get;
set;
}
public virtual string Email
{
get;
set;
}
public virtual string Salt
{
get;
set;
}
public virtual string Hash
{
get;
set;
}
public virtual string Name
{
get;
set;
}
public virtual Iesi.Collections.Generic.ISet<Driver> Drivers
{
get;
set;
}
public virtual University University
{
get;
set;
}
public virtual Iesi.Collections.Generic.ISet<UserPhoto> UserPhotos
{
get;
set;
}
public virtual Iesi.Collections.Generic.ISet<Role> Roles
{
get;
set;
}
}
public partial class Driver {
public Driver()
{
this.Trips = new Iesi.Collections.Generic.HashedSet<Trip>();
}
public virtual long Id
{
get;
set;
}
public virtual Car Car
{
get;
set;
}
public virtual User User
{
get;
set;
}
public virtual Iesi.Collections.Generic.ISet<Trip> Trips
{
get;
set;
}
}
There is a User in the system. Table Driver inherits the user table. Each user in the system may have several roles.
I want to implement a few things.
1) User registration. Is it a correct way to implement this features?
[Authorize]
public class AccountController : Controller
{
private readonly IUserTasks userTasks;
public AccountController(IUserTasks userTasks)
{
this.userTasks = userTasks;
}
// GET: /Account/Register
[AllowAnonymous]
public ActionResult Register()
{
return View();
}
// POST: /Account/Register
[HttpPost]
[AllowAnonymous]
public ActionResult Register(RegisterViewModel model)
{
if (ModelState.IsValid)
{
var userToCreate = this.userTasks.Create(model);
return View(customerToCreate);
}
return View(model);
}
}
2) User authentication. Is it a correct way to implement this features?
// GET: /Account/Login
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
public ActionResult Login(LoginViewModel model, string returnUrl)
{
if (ModelState.IsValid)
{
var user = userTasks.Find(model.UserName, model.Password);
if (user != null)
{
///......
return RedirectToLocal(returnUrl);
}
else
{
ModelState.AddModelError("", "Invalid username or password.");
}
}
return View(model);
}
3) User authorization. User authorization. I want to write some attribute, for example,
[Authorize(Roles = "Admin")]
public string Get(int id)
{
return "value";
}
I do not know how to do it.
In many examples a new library Microsoft.AspNet.Identity is used. Should I use it? There is a implementation NHibernate.AspNet.Identity. However, I do not understand what benefit I get from this.
Also I do not know how to implement user authentication.
I'll be glad if you tell me a vector for further research.
You have 2 choices. Either:
you use OWIN as explained in Setting up Forms Authentication for multiple Web Apps in MVC 5 based on OWIN
you use traditional form-based authentication. See here: MVC 5 External authentication with authentication mode=Forms
As for authorization, Microsoft provides something called claims-based authorization which lets you define user and resource claims and define authorization constraints based on them. Have a look here: Using Claim-Based Authorization
Alternatively, you could look into XACML, the eXtensible Access Control Markup Language. That will require additional libraries outside the .NET framework though. XACML gives you policy-based, fine-grained authorization.
HTH
Related
I created my database in Entity Framework, and I also created a Web Api that uses Entity Framework. When I perform a GET or a POST (ADD) everything works great, but When I do a PUT (Update) my record is not updated, it is added as if I performed a Post. I think that the following does not recognize that the Entity has been modified:
db.Entry(contact).State = EntityState.Modified;
So, here is my entire Entity Contact.cs created by Entity Framework:
public partial class Contact
{
public int Contact_ID { get; set; }
public int Dataset_ID { get; set; }
public string Booth_UCID { get; set; }
public string First_Name { get; set; }
public string Last_Name { get; set; }
public string Title_Role { get; set; }
public int Contact_Type_ID { get; set; }
public string Email { get; set; }
public string Phone_Number { get; set; }
public string Email_2 { get; set; }
public string Phone_Number_2 { get; set; }
public virtual Contact_Type Contact_Type { get; set; }
public virtual Dataset Dataset { get; set; }
}
Here is the Contact model from my application that is being sent to the Web Api:
public class Contact
{
public int Contact_ID { get; set; }
public int Dataset_ID { get; set; }
public string Booth_UCID { get; set; }
public string First_Name { get; set; }
public string Last_Name { get; set; }
public string Title_Role { get; set; }
public int Contact_Type_ID { get; set; }
public string Email { get; set; }
public string Phone_Number { get; set; }
public string Email_2 { get; set; }
public string Phone_Number_2 { get; set; }
}
And here is my MVC Application to Edit Contact
[HttpPost]
public ActionResult EditContact(Contact contact)
{
using (var client = new HttpClient())
{
client.BaseAddress = new Uri("http://localhost:4251/");
//HTTP POST
// var postTask = client.PostAsJsonAsync<Dataset>("api/datasets/1", dataset);
var postTask = client.PostAsJsonAsync("api/contacts/2", contact);
postTask.Wait();
var result = postTask.Result;
if (result.IsSuccessStatusCode)
{
return RedirectToAction("Index");
}
}
ModelState.AddModelError(string.Empty, "Server Error. Please contact administrator.");
return View(contact);
}
and lastly, here is my Web Api with the Entity Framework scafolding: this is straight out of the box, when I created my Web Api
// PUT: api/Contacts/5
[ResponseType(typeof(void))]
public async Task<IHttpActionResult> PutContact(int id, Contact contact)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
if (id != contact.Contact_ID)
{
return BadRequest();
}
db.Entry(contact).State = EntityState.Modified;
try
{
await db.SaveChangesAsync();
}
catch (DbUpdateConcurrencyException)
{
if (!ContactExists(id))
{
return NotFound();
}
else
{
throw;
}
}
return StatusCode(HttpStatusCode.NoContent);
}
I am at a loss as to what I could possible do. I feel like I should just abandon the Web Api with Entity Framework and just go ahead build an Empty Web Api where I control the update. And if so, how will this be different?
*** Update ***
I fixed this problem and I hope this helps others.
My issue was not within the Web Api or Entity Framework. My issue was in the Request that I was sending to the Web Api.
I wanted to do an Update (PUT), but when I ran this in debug I noticed the PUT method in my Web Api was not being triggered. I put a breakpoint on my POST method and that one was. So, I did a little research and I realized that I need to change the request below:
this line does a POST ADD, which is why I was duplicating my records in the database
var postTask = client.PostAsJsonAsync("api/datasets/2", dataset);
I changed it to the follow to do the Update:
var postTask = client.PutAsJsonAsync<Dataset>("api/datasets/2", dataset);
I thought that the uri I was sending would dictate which method put or post.
I have a model class Dispute with one-to-many relationships.
I would navigate and perform CRUD operation on its related objects within a specific disputeId.
I would compose the url as follow:
Disputes/Details/(disputeId)/(related_objects)
where related_objects can be, for example, Persons, God, etc.
What kind of approach i can use?
You could use attribute routing to realize the route. You need to pass navigation properties as your relative_objects.Refer to my demo:
1.Model:
public class Dispute
{
[Key]
public int DisputeId { get; set; }
public List<Person> Persons{ get; set; }
}
2.DbContext:
public DbSet<Dispute> Disputes{ get; set; }
public DbSet<Person> Persons{ get; set; }
3.Controller:
[Route("Disputes")]
public class DisputesController : Controller
{
private readonly ApplicationDbContext _context;
public ProductsController(ApplicationDbContext context)
{
_context = context;
}
// GET: Disputes/Details/5/Persons
[Route("Disputes/{disputeId}/{related_objects}")]
public async Task<IActionResult> Details(int? disputeId, string related_objects)
{
if (disputeId== null)
{
return NotFound();
}
var dispute = await _context.Disputes.Include(related_objects)
.FirstOrDefaultAsync(m => m.DisputeId == disputeId);
//other logic
}
}
I have an API that is used in a multi-site/multi-location environment. At the moment, each user has roles defined but is locked to only one location. I am needing to extend this out to where a user may have admin roles for one location and then may be standard user at another location. They may also have no roles/no access to a bunch of locations.
Here is what I am working with right now (asp.net core 2.2):
public class ApplicationUser : IdentityUser
{
public string FirstName { get; set; }
public string LastName { get; set; }
public int? LocationId { get; set; }
public virtual Locations Locations { get; set; }
public int? ContactPersonId { get; set; }
public virtual ContactPerson ContactPerson { get; set; }
}
public class Locations
{
public int Id { get; set; }
public string Name { get; set; }
public virtual ApplicationUser ApplicationUser { get; set; }
}
public class ContactPerson
{
public int Id { get; set; }
public string FirstName { get; set; }
public string LastName { get; set; }
public string UserId { get; set; }
public virtual ApplicationUser ApplicationUser { get; set; }
public virtual ICollection<ContactOrganizationPerson> ContactOrganizationPeople { get; set; }
public virtual ICollection<ContactAddress> ContactAddresses { get; set; }
public virtual ICollection<ContactPhone> ContactPhones { get; set; }
public virtual ICollection<ContactEmail> ContactEmails { get; set; }
}
I am planning on changing the ApplicationUser to Locations table relationship to a Many to Many which would link the User to the Locations they are allowed to access. I have though about placing a payload in the M2M relationship table that would specify UserId, LocationId and Roles, but I would rather let Identity handle it if possible.
Is there a way to extend AspNetUserRoles so that I can specify a User to Role relationship for each location? Or is there a better way to accomplish this?
I'm not sure if this is going to help you, but I have extended .Net Core with functionality with IAuthorizationRequirement.
public class CustomRequirement : IAuthorizationRequirement
{
public CustomRequirement ()
{
}
}
Create a new class
public class CustomHandler : AuthorizationHandler<CustomRequirement>
Override HandleRequirementAsync
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CustomRequirement requirement)
Here you can extract info about user from DB, compare, etc. If user is not allowed, return
return Task.CompletedTask;
If user is allowed, then use
context.Succeed(requirement);
Before returning. Then in your startup.cs:
services
.AddAuthorization(options =>
{
options.AddPolicy("CustomPolicy", policy =>
policy.Requirements.Add(new CustomRequirement()));
})
And then in your controllers you can add attribute
[Authorize(Policy = "CustomPolicy", Roles = "Admin")]
If requirement is not meet, user will get 401 unauthorized, which might not be what you want.
Sorry for newbie questions, i'm brand new to MVC and OOP
I have the following model for my USER db table
namespace MyApp.Models
{
public class User
{
public int user_id { get; set; }
public string username { get; set; }
public string password { get; set; }
public string salt { get; set; }
public string email { get; set; }
public sbyte status { get; set; }
public System.DateTime creation_date { get; set; }
public sbyte type { get; set; }
public virtual Doctor Doctor { get; set; }
public virtual Owner Owner { get; set; }
public virtual UserToken UserToken { get; set; }
public virtual Veterinarian Veterinarian { get; set; }
}
}
Actually in order to recall a particular USER based on the mail or the id i use a specific class called CustomDbFunctions
namespace MyApp.Models.DAL
{
public static class CustomDbFunctions
{
public static User GetUserEntityFromEmail(string email, DbContext db)
{
return db.Users.FirstOrDefault(u => u.email == (string)email);
}
}
}
in that way i use in my code
User user = CustomDbFunctions.GetUserEntityFromEmail(email, db)
and this it 100% OK with me, but i don't know if this kind of approach is correct or not, or if there's a better way like
//select the single user by calling only the class USER
User mySelectedUser = new User(email)
Thank you very much.
Well for understanding how to access your data in your MVC4 application you could read this tutorial from the Asp.Net MVC main page. Read the whole tutorial about MVC4 and you'll get a solid idea on how to work with it.
But I also recommend this tutorial on a good Entityframework design pattern, it's called Repository Pattern, I just a nice way to get all your code ordered (like all other patterns). Let me know.
I'm learning WCF, and tried to make a small service that exposes a Project and its tasks (the standard Entity Framework hello world).
The class structure is the following:
public class Project
{
public int ProjectId { get; set; }
public string Name { get; set; }
public string Description { get; set; }
public DateTime CreationDate { get; set; }
public virtual ICollection<Task> Tasks { get; set; }
}
public class Task
{
public int TaskId { get; set; }
public string Title { get; set; }
public virtual Project RelatedProject { get; set; }
}
The DB context comes after:
public class ProjectContext : DbContext
{
public DbSet<Project> Projects { get; set; }
public DbSet<Task> Tasks { get; set; }
}
Finally, the service endpoint:
public IEnumerable<Project> getProjects()
{
ProjectContext p = new ProjectContext();
return p.Projects.AsEnumerable();
}
The problem is that this model will throw a System.ServiceModel.CommunicationException, but, If I remove the virtual properties from the model, It would work, but I would loose the entity framework links between Project and Task.
Anyone with a similar setup?
I banged my head against the wall several hours with this one. After extensive debugging, google gave the answer and I feel right to post it here since this was the first result I got in google.
Add this class on top of your [ServiceContract] interface declaration (typically IProjectService.cs
public class ApplyDataContractResolverAttribute : Attribute, IOperationBehavior
{
public void AddBindingParameters(OperationDescription description, BindingParameterCollection parameters)
{
}
public void ApplyClientBehavior(OperationDescription description, System.ServiceModel.Dispatcher.ClientOperation proxy)
{
var dataContractSerializerOperationBehavior =
description.Behaviors.Find<DataContractSerializerOperationBehavior>();
dataContractSerializerOperationBehavior.DataContractResolver =
new ProxyDataContractResolver();
}
public void ApplyDispatchBehavior(OperationDescription description, System.ServiceModel.Dispatcher.DispatchOperation dispatch)
{
var dataContractSerializerOperationBehavior =
description.Behaviors.Find<DataContractSerializerOperationBehavior>();
dataContractSerializerOperationBehavior.DataContractResolver =
new ProxyDataContractResolver();
}
public void Validate(OperationDescription description)
{
// Do validation.
}
}
Requirements are
using System.ServiceModel.Description;
using System.Data.Objects;
using System.ServiceModel.Channels;
Then under the [OperationContract] keyword add [ApplyDataContractResolver] keyword and you are set!
Big thanks to http://blog.rsuter.com/?p=286
For sending data trough WCF you should disable lazy loading (dataContext.ContextOptions.LazyLoadingEnabled = false;).
To be sure the data you want is loaded you need to use eager loading ( trough the Include method).
You need to change your function to:
public IEnumerable<Project> getProjects()
{
ProjectContext p = new ProjectContext();
p.ContextOptions.LazyLoadingEnabled = false;
return p.Projects.Include("Tasks").AsEnumerable();
}