We have reasons to believe that the security will be more complex if we build custom forms. Custom forms are opened by ribbon buttons, what about the security? How can we narrow down the acces to such custom forms to authorized personel, groups, users?
Security for me is usually just an:
if(!web.SiteGroups["group name"].ContainsCurrentUser) response.redirect("MyNotAuthorized.aspx");
That just gets thrown in page_load or something along those lines.
Related
I/we at www.dr.dk are working on a Sonos integration with the bare minimum functionality. This means that we wish to apply anonymous access in this first version of our Sonos integration.
In the API documentation
https://musicpartners.sonos.com/node/289#toc0
is says 'Finally, you can decide not to use any authentication, also knows as anonymous access. ...'
Which we read as an option to not to implement authentication endpoints like 'GetAppLink(...)' etc.
So now we have teste our service and it appears to work fine, as far as we know. Therefore we have now started to fill out the application registration form.
In the registration form we find the following required fields regarding authentication as depicted in the image below
Screenshot from the application registration form
As we see it these fields are related to authentication and seems somewhat confusing to us. So with our logic - anonymous authentication means that no test accounts or customer care accounts are needed etc.
So the question is. What are we missing ?
You can just mark those as N/A for each of the fields.
I finally got my MVC 4 application all set up with SimpleMembership, but now have run into a new problem. I have a menu system (in a sidebar) that gives users access to various functionality throughout the app. I recently realized that, in order to be somewhat user-friendly, I need to disable or remove various menu links based on roles. So I set up a role system and a relationship to these menu links, which works perfectly. However, the "basic site access" role should not have access to all of the links in the menu (and their corresponding controllers/actions). Previously, I had given site access by simply applying the Authorize attribute globally, via my filter config:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new AuthorizeAttribute());
}
Now I've figured out that, in order to control "basic" access to the app, I would need to add individual Authorize attributes at the action level (with the "admin" role having full access). While this is fine, albeit somewhat annoying, it doesn't seem very scalable. What if my client adds a new role through the administration interface and wants to control access to various tasks? I have already coded the menu system to disable links dynamically, based on what roles have access to which tasks. But there's no way (that I know of) to dynamically apply different roles to the Authorize attribute.
Though I've read about why SimpleMembership may not be the bee's knees, I've just finished migrating from ASP.NET Membership (which had serious shortcomings of its own), and I certainly do not want to roll my own user/role management system. Has anyone successfully implemented something to handle this scenario?
You should definitely take a look at Fluent Security if you have a lot of controllers/actions that you don't want to decorate with annotations.
It allows all authorisation to be handled from Global.asax. It's well documented and there's a good tutorial on it here.
I am developing an application in ASP.NET and I have a page that depening on user's role displays different parts. If the user is an Admin s/he sees for instance a page part where to input a new user and role that a normal user cannot see. Let's think about this page as a portal.
I already wrapped all the different sections in with Id and I can control their visibility. However this is not the optimal solution concerning security since the user or a malicious robot can still fill and access the parts that are not visible in the browser.
With MVC it is easy since I just create several partial views and render them upon users' credentials but how do you do it in standard Web Forms? Thanks
You can use the ASP.NET LoginView control. The control has an AnnonymousTemplate which you can use to specify which content should be shown to Annonymous users, and a LoggedInTemplate which you would use to specify the content shown to logged in users. But is also has RoleGroups which can be used to specify content that can be shown to users in different roles.
The article in this link will walk you through the use of this control.
http://weblogs.asp.net/sukumarraju/archive/2010/07/28/role-based-authorization-using-loginview-control.aspx
We're working on a publishing site with sharepoint 2010. It allows anonymous access, and these anonymous users can fill out certain forms. The form submission works fine as the anonymous user has permission to insert to the lists.
There is a simple workflow attached to each form that emails the contents of the form to an internal user. This works fine if you add the list item manually (ie logged in as a certain user), but the workflow can't be initiated by an anonymous user. It hangs in progress, then eventually fails.
I tried this:
http://blog.furuknap.net/enabling-declarative-workflows-for-anonymous-users-in-sp20102007
But it didn't seem to work either. Some comments from users refer to this same issue - and no one stated a resolution.
I'm worried that the only solution is the run with elevated privileges on each form as a custom web part.
Any solutions out there?
thanks.
The steps described in the mentioned post only work for items added to the list by email. So any items added (new form, new document, new event) added using the sharepoint UI will NOT trigger the workflows. (see the related MS KB article).
There are 2 things I can think of you could try:
Use an ItemEventReceiver bound to the list to send the email in the ItemAdded event.
If all the workflow does is send an email to a user, just have that user subscribe to the list using an alert
Our system uses a custom roles, and authentication system to Authenticate users.
I am now looking into the service side validation/security.
I want implement our custom Authentication, Authorization on the wcf too.
I have done some investigation, it looks like I could use the PrinciplePermission attribute on the contracts to allow/deny access. The default just calls the IsInRole method on the IPrinciple and the IsAuthenticated on the IIdentity.
So I have 2 questions:
How do implement my own custom principle which has additional data/methods?
How do I add addition checks to the PrinciplePermissions? e.g (IsExternal which will check if they are accessing the service from the intranet or internet [have a mechanism to monitor this already])
Thanks
After some experimenting I came up with a custom written solution:
I based my solution in Kyle McClellan's Authorisation Sample. I adapted the attributes to look at a custom class to retrieve the user.
To get around the async problem I loaded the user and his relevant data in the App.xaml prior to instantiating the MainPage, I then make use of a global singleton, which I called SecurityContext, to access user data.
The SecurityContext is an in-memory store of the user data that can be accessed clientside.