I'm wondering how to use the Role Manager feature with the SimpleMembership system included in ASP.NET MVC 4, specifically how to build a controller that manages all data associated with Roles, and using the webpage_Roles table that SimpleMembership creates when a project is created with a Internet Template. Is there a way to automate this within the Login/Register actions in the AccountController?
Well, I am no expert on ASP.NET MVC4 but as a task I have set for myself, I wanted to create Role Based site access.
ASP.NET MVC4 is an excellent resource! I do have complaints about the lack of information and difficulty to implement Roles in MVC4.
To achieve the task one can implement SimpleMembership and SimpleRoles. See the below links:
Using SimpleMembership With ASP.NET WebPages by Matthew M. Osborn
SimpleMembership, Membership Providers, Universal Providers and the new ASP.NET 4.5 Web Forms and ASP.NET MVC 4 templates by Jon Galloway
The above two links explain a lot and have some very basic code examples but unfortunately the solution download is not available in the first URL.
In addition to the above:
Customize the SimpleMembership in ASP.NET MVC 4.0 by thangchung
ASP.NET MVC 4 Sample on MSDN
This last article goes into a much better detail and also gives source code to peruse.
In web.config add the following
<profile defaultProvider="SimpleProfileProvider">
<providers>
<add name="SimpleProfileProvider" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" connectionStringName="DNMXEntities" applicationName="/" />
</providers>
</profile>
<membership defaultProvider="SimpleMembershipProvider">
<providers>
<add name="SimpleMembershipProvider" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
</providers>
</membership>
<roleManager defaultProvider="SimpleRoleProvider">
<providers>
<add name="SimpleRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData" />
</providers>
</roleManager>
Related
I have a centralized membership database that stores roles for different MVC applications. In other MVC applications, I can just put the below snippet in web.config to associate roles to the User object and then I can just use “User.IsInRole(Role.Admin)” to check a user’s role.
<roleManager defaultProvider="SqlProvider"
enabled="true"
cacheRolesInCookie="true"
cookieName=".ASPROLES"
cookieTimeout="30"
cookiePath="/"
cookieRequireSSL="true"
cookieSlidingExpiration="true"
cookieProtection="All" >
<providers>
<add
name="SqlProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlServices"
applicationName="SampleApplication" />
</providers>
</roleManager>
The above method doesn’t seem to work in .NET core. The role provider that I declared is getting ignored. How do I use SqlRoleProvider in .NET core?
Note: this application doesn't actually create any user/role. It just needs to read from that membership database and authorize users based on their roles.
I have an ASP MVC 4 application which uses a 3rd party HTTP module for security. When using Windows authentication it will attempt to automatically log you in, if that fails, then it will redirect you to a custom login page.
This has been working fine for previous ASP Webforms and MVC 2-4 applications, but for this particular application it is failing to automatically log the user in.
The application's virtual directory has all of the authentication modes disabled (anonymous etc) except for Windows authentication which is enabled. I have also checked that the provider is Negotiate and NTLM.
The web.config is a pretty standard one that you get from the MVC template and I have tried various web.config changes to system.web and system.webServer (and changing app pool's pipeline mode) such as:
<system.web>
<authentication mode="Windows"/>
and also adding
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
But in each case the security module cannot get the user name. The module attempts to get the user name via HttpContext.Current.Request.ServerVariables["REMOTE_USER"], but I have also modified it to use HttpContext.Current.User.Identity.Name and in both cases it is blank.
Since this module has been working fine for years and still works for other applications on the same server, I believe it is an IIS or Web.config configuration issue. I have tried creating a new virtual directory and it has the same error.
Is there any additional configuration required or another reason why it is not working for this particular application?
The solution was to add the following to my the appSetting section in my web.config
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
</appSettings>
This is the first time that I have needed to add such a thing, so I am not sure why it is necessary, but it does work.
I have integrated an ASP.NET MVC 4 app with a legacy ASP.NET 4 Webforms app. The webforms app used SQL Membership Provider to implement the security features with Forms authentication mode , so I've kept that security in the newly integrated app as well. I am using [authorize] attribute on some MVC action methods to protect some MVC views. This all works fine except that the MVC pages (Views) timeout earlier than the timeouts set for forms authentication and the sessionState as shown below in the web.config file
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="600">
As you can see that the timeouts are set for several hours. Yet the MVC views timeout after about 30 minutes whereas webforms pages don't timeout in the same app. Why it's happening and how can it be resolved?
I used the standard VS 2012 MVC 4 Internet template in a .NET Framework 4 project. I was mainly using External Logins (Google, Microsoft, Facebook, Yahoo, Twitter) to access the parts of my application which are decorated with the [Authorize] attribute.
[One thing I noticed is that the default web.config created by VS does not contain any sections on membership or role providers, unlike those I see in an ASP.NET web form application.]
I deployed the project to an azurewebsites.net site. Things worked fine initially, but after some use, the app will throw an exception because it tried to use the server's machine config file to access SqlMembershipProvider using a connection string called LocalSqlServer.
Q1: How does SqlMembershipProvider relate to the SimpleMembership provider?
Anyway, I created an <membership> section in web.config and added <clear/>. This solved the that problem but created another problem, as now it tried to access SqlRoleProvider in machine.config using the connection string LocalSqlServer, again! I tried to add a <roleManager> section with a <clear/> to my web.config, but I was not as successful. It insists on a defaultProvider to be included. What should I put?
Q2. What is the assembly to use for the SimpleMembership role provider in .NET Framework 4.0 MVC 4 application?
I tried:
System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
but it created another problem, that it Could not find stored procedure 'dbo.aspnet_CheckSchemaVersion'. Before I run aspnet_regsql.exe I would like to ask:
Q3: Why does the standard app work fine for some time and then start looking for SqlMembershipProvider and SqlRoleProvider?
Is there someone playing around with the settings on the server?
Here is what your web.config settings should look like when using SimpleMembership.
<roleManager enabled="true" defaultProvider="SimpleRoleProvider">
<providers>
<clear/>
<add name="SimpleRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData"/>
</providers>
</roleManager>
<membership defaultProvider="SimpleMembershipProvider">
<providers>
<clear/>
<add name="SimpleMembershipProvider" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData"/>
</providers>
</membership>
The assembly that contains the SimpleMembership role provider is WebMatrix.WebData.
SqlMembershipProvider is not related to SimpleMembership except that they are both membership providers. My guess is that if SimpleMembership is not configured correctly it is defaulting to a SqlMembershipProvider.
Somewhere in your application you need to initialize the database for SimpleMembership by calling WebSecurity.InitializeDatabaseConnection. The first parameter in this method indicates what connection string to use. If the application was created using the MVC4 Internet template this method is called in the filter InitializeSimpleMembershipAttribute which is decorated on the Account Controller. If you need to add a call to the InitializeDatabaseConnection method yourself I would just put it in the Gloaba.asax Application_Start method.
This VS 2012 extension is meant to allow me to add a local Development STS to my MVC application http://visualstudiogallery.msdn.microsoft.com/e21bf653-dfe1-4d81-b3d3-795cb104066e
I follow the very simple instructions e.g. Right Click the project name and select Identity and Access in the menu. Select your Identity Provider and the OK to apply the settings to your web.config.
I run my MVC 4 application and it redirects immediately to login.aspx
I'm guessing there are special instructions for MVC 4.
What are they?
Where do I find them?
EDIT
To be clear I have created a ASP.MVC 4 Internet application in visual studio 2012. Then I am using the Identity & Access Tool to add a local development STS to Test my application.
I am running the site on a local IIS Express
When I debug the application I am redirected to
localhost:11378/login.aspx?ReturnUrl=%2f
This occurs even if I remove forms authentication as suggested in advice already given.
In my case I added this
<system.web>
...
<httpModules>
...
<remove name="FormsAuthentication" />
</httpModules>
</system.web>
and this
<system.webServer>
...
<modules>
...
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
EDIT
The next problem you might get is this
A claim of type
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
or
'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider'
was not present on the provided ClaimsIdentity. To enable anti-forgery
token support with claims-based authentication, please verify that the
configured claims provider is providing both of these claims on the
ClaimsIdentity instances it generates. If the configured claims
provider instead uses a different claim type as a unique identifier,
it can be configured by setting the static property
AntiForgeryConfig.UniqueClaimTypeIdentifier.
add these 2 claims to the Development STS in the Identity and Access Tool
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider
and add this line to your Global.asax
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
This article helped me
Removing FormsAuthentication module worked for me.
<httpModules>
...
<remove name="FormsAuthentication" />
</httpModules>
I had a similar problem with my MVC4 application on local IIS Express.
It turned out that Windows Authentication was enabled for the project. Disabling Windows Authentication (in project properties pane -- press F4) fixed the problem.