I'm a student intern and I've been assigned a project where I have to redesign their customer support webpage. I am new to ASP so they asked me to migrate the code to MVC 4 so I'll learn it for future projects.
The webpage has form authentication using custom classes, extending MembershipProvider and RoleProvider and the data is displayed with asp:SqlDataSource queries, defined directly inside .aspx files.
As I've learned, the point of MVC is to separate the front-end (view), controller and back-end (models, db access). I've made some progress towards that, but I have problems with authentication. I've managed to enable login using explicit MembershipProvider and RoleProvider initialization (which should be done automatically as configured in Web.config). By calling MembershipProvider.ValidateUser() and FormsAuthentication.RedirectFromLoginPage() I verify user details and store their username to preserve it upon navigation.
This works, but removes all the functionality of the WebSecurity methods; also, role-specific authorization, e.g. [Authorize(Roles = "...")], doesn't work as expected: it doesn't authorize any role. The MVC sample project in Visual Studio uses SimpleMembershipProvider for user authentication, but I haven't found any projects or tutorials on how to implement custom authentication the same way as I did by extending the MembershipProvider class and overriding its methods.
The problem is that there is already a T-SQL database with a lot of users, who are linked to other services, so obviously I can't alter it in any way, nor can I create a new database or tables. The projects I've looked at create databases from scratch; I haven't found any project using custom authentication / authorization with WebSecurity and an existing database.
I'd like to ask you for any advice, examples or links to projects or tutorials where I could see how to implement WebSecurity instead of FormsAuthentication. As I've mentioned, I already have a fully functional MembershipProvider and RoleProvider, and I believe that SimpleMembershipProvider and SimpleRoleProvider have similar methods, so it shouldn't be that hard on this part. Also, I don't want to mix WebForms and MVC; I want a pure MVC application.
I'm using ASP.NET MVC 4 with C# and Razor engine, T-SQL and LINQ to SQL for database access.
It's been my experience, when migrating old pages from WebForms to MVC, that you kind of have to 'forget' that it was ever a WebForms page to begin with.
To more directly answer your request for help resources, maybe this will be useful: http://kylehodgson.com/2013/01/08/asp-netmvc-web-security-basics-csrf/
I am new to working with Blazor and Authorization. Background is desktop apps in Vb.Net, so I have been reading everything I can on it, but it still is very confusing when I only want a specific subset of the options out there.
I have a very simple intranet Razor Server based app that is getting the windows user name correctly with default authentication. (I use the name in calls to stored procedures for logging, so I know that is working correctly.)
What I need is to implement authorization (role based would be fine) based on information I have already in the database tied to the user name).
Where and how does one add roles to an existing authstatetask or other object instantiated by the default processes?
Everything I have seen deals with the EF version of Identity or wants to override the authorization task.
I have Simple DB calls being made in Dapper which will return an identifier from which I can set roles.
I just need pointers to the proper method and where in the app I should put it. I have just a single .razor page being loaded, Navbar is disabled.
You can either:
Implement Identity stores for Dapper following the instructions in this blog post: ASP.NET CORE IDENTITY WITHOUT ENTITY FRAMEWORK
Use policy-based authorization and create authorization handlers meeting your requirements
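As an added example (not code from this thread or from the linked blog post), the following shows where role information from your own table can be attached to the principal that Windows authentication already produced, using an IClaimsTransformation and a Dapper query; it assumes a hypothetical table dbo.UserRoles(UserName, RoleName) and a connection string named "Intranet". Once the Role claims are present, [Authorize(Roles = "...")], <AuthorizeView Roles="...">, and RequireRole policies work without replacing the authentication state provider.

```csharp
// Added example: enrich the Windows-authenticated principal with Role claims read via Dapper.
// Assumptions: table dbo.UserRoles(UserName, RoleName) and connection string "Intranet".
using System.Data.SqlClient;
using System.Security.Claims;
using System.Threading.Tasks;
using Dapper;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Configuration;

public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    private const string MarkerClaim = "db-roles-loaded"; // guards against double enrichment
    private readonly string _connectionString;

    public DbRoleClaimsTransformation(IConfiguration config)
        => _connectionString = config.GetConnectionString("Intranet");

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Only enrich authenticated users, and only once: the transformation can run
        // more than once for the same principal, so be idempotent.
        if (!(principal.Identity is ClaimsIdentity identity)
            || !identity.IsAuthenticated
            || identity.HasClaim(c => c.Type == MarkerClaim))
            return principal;

        // Parameterized query: the user name comes from the authentication layer, never from input.
        string[] roles;
        using (var conn = new SqlConnection(_connectionString))
        {
            var rows = await conn.QueryAsync<string>(
                "SELECT RoleName FROM dbo.UserRoles WHERE UserName = @UserName",
                new { UserName = identity.Name });
            roles = System.Linq.Enumerable.ToArray(rows);
        }

        // Clone the identity so the object handed in by the auth handler is left untouched.
        var enriched = (ClaimsIdentity)identity.Clone();
        foreach (var role in roles)
            enriched.AddClaim(new Claim(enriched.RoleClaimType, role));
        enriched.AddClaim(new Claim(MarkerClaim, "true"));
        return new ClaimsPrincipal(enriched);
    }
}

// Registration in Startup.ConfigureServices (Windows authentication already configured):
//   services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
// A policy on top of the database roles, for policy-based authorization:
//   services.AddAuthorization(o => o.AddPolicy("CanViewAudit", p => p.RequireRole("Auditor")));
```

Because a Blazor Server circuit is established once per connection, the roles are captured when the circuit starts; a role change in the database takes effect on the next connection, so keep that in mind when revoking access.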
Forgive me if there's already been a very similar post to this - I searched and did find "related" threads, but none that hit home, or it was targeting a different version of asp.net or asp.net core. I just need some advice and pointing in the right direction.
My healthcare organization already has/uses a few OLTP systems for capturing patient data. I'm developing an Intranet that will consume the data from the various systems and present summaries/aggregations of that data for stakeholders. I'm developing the Intranet with ASP.Net Core MVC 2.0.
Being that the data is patient healthcare information, both Authentication AND Authorization are extremely critical.
For the intranet Auth, there's no point in reinventing the wheel - I don't want to create the Auth layer from scratch. The existing OLTP systems already have very robust Auth layers, with detailed User Info, Roles and Profiles. Through Data Integration, I can get that User Auth data from the existing systems, store it in SQL Server tables, and then leverage it in the Intranet.
The question is, what's the best approach to accomplish that in a concrete manner.
Again, I already have all the necessary roles and profiles, I just need to be able to reference them in MVC to be able to:
Accurately authenticate users.
Would this be best accomplished using EF in an AccountController?
Appropriately conduct Authorization (show/hide/prevent menu options, access links, pages, etc.).
Would it be possible, or is it bad practice, to map the existing user roles and profiles to Claims in MVC via a proprietary sql server bridge table?
Again, please know that I'm using ASP.Net Core 2.0... so please don't provide any example code snippets in 1.0. (The Auth architecture drastically changed between 1.x and 2).
Thank you all for your consideration and time.
I'm looking at implementing user management into my .NET Core API that uses CQRS + event store.
My thought:
Since I'll be using Mongo for most of my domain models, I thought why not use it to store my users as well.
i.e. have a CreateUser command and a query service that subscribes to the UserCreated event and stores the user in Mongo.
I was hoping to use ASP.NET Core Identity for my user management, but everywhere I see Identity, e.g. https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity, it goes with an ASP.NET MVC app. Which makes me wonder whether I even need Identity. I'll be exposing my API to various clients: mobile, web, etc.
Reading along, there is also IdentityServer4, which I don't quite get how it fits in.
Anyone to point me in the right direction?
You don't need MVC in order to use Identity. I would recommend IdentityServer (there is a good tutorial by its creator on Pluralsight).
You can very well have a Web API in .NET Core and use IdentityServer to create tokens, etc., which is the recommended authentication mechanism when you want to expose to different clients (platforms).
Does it make sense?
Will anyone tell me how we can apply login functionality in an MVC application with NHibernate?
Please build a controller and a related view for this functionality. In the controller you can have a method to check authentication, create a new user and set proper roles. The view can be simple, using the TextBoxFor() Razor helper on the client side and the ViewData dictionary for client-server data transfer. The model can be a class-based entity using NHibernate. This is a very general implementation of MVC which can be used for any web application.
I am interested if anyone has experience using DotNetNuke authorization in CSLA.
I would like to be able to use my DotNetNuke roles to be able to assign permissions to my CSLA objects and properties. If I just reference the DNN assemblies won't that create an unwanted dependency in my CSLA business objects?
Would it be easier to build CSLA objects that query the DNN database directly to get role membership?
Thanks...
You definitely do not want to create that dependency with your DNN assembly. Your second suggestion is the way to go.
CSLA uses standard IPrincipal/IIdentity authentication. You can create an object that inherits from the CSLA.Security.BusinessPrincipalBase which uses a CSLA object (e.g. User) that grabs their roles from the DNN database directly. Once you have that authentication integrated, you can place your roles inside your business objects by overriding the AddAuthorizationRules method.