I am developing an application in ASP.NET and I have a page that depening on user's role displays different parts. If the user is an Admin s/he sees for instance a page part where to input a new user and role that a normal user cannot see. Let's think about this page as a portal.
I already wrapped all the different sections in with Id and I can control their visibility. However this is not the optimal solution concerning security since the user or a malicious robot can still fill and access the parts that are not visible in the browser.
With MVC it is easy since I just create several partial views and render them upon users' credentials but how do you do it in standard Web Forms? Thanks
You can use the ASP.NET LoginView control. The control has an AnnonymousTemplate which you can use to specify which content should be shown to Annonymous users, and a LoggedInTemplate which you would use to specify the content shown to logged in users. But is also has RoleGroups which can be used to specify content that can be shown to users in different roles.
The article in this link will walk you through the use of this control.
http://weblogs.asp.net/sukumarraju/archive/2010/07/28/role-based-authorization-using-loginview-control.aspx
Related
Being in a view and you know the area-name, controller-name and action-name of a destination to which you want the user to provide a link to, how can I figure out if the area/controller/action is authorized for the authenticated user.
Imaginary Use-case:
I have a table with a list of books (the result of bookscontroller.index). To the far right are some icons to edit or delete a specific book. The edit link refers to bookscontroller.edit and the delete link to bookscontroller.delete.
On the actions there are custom authorizationattributes and this works perfect. If a user want to access books/edit/1 and the user is not allowed to edit books, the user gets redirected to the logon page.
It is a bit stupid to have that edit-icon there if the user is not allowed to edit books. So at view level I would like to be able to figure out if the user is allowed to use the edit action of the bookscontroller. If he is, show the icon if not, do not show the action.
Goal: use that knowledge to create a custom tag-helper.
The go-to method is reactive, i.e. you check if a user can do action when the user tries to do. Since you do not want to go that way, here is how. (yet, this is anti-pattern)
Have the authentication token of the user send back to backend. The backend should have an API end point for each button on the page user can click. With the authentication token, the back-end resolve whether to dim or enable the buttons.
Now, what the backend does to resolve this is not very efficient. The backend needs to literally attempt certain actions and aborts the transaction. For create and retrieve, it is trivial (you can pre-resolve them) but for edit and delete, this requires a lot of resources.
The standard way of controlling such actions on UI is to use role based authorization.
For the buttons or other such UI elements, setup role tags, e.g. "admin:edit", "viewer:readonly" etc.
When you are authenticating a user, send the applicable roles from the backend server, store them in a way that is globally accessible to your UI and use them for filtering UI elements across your application.
Can we restrict a user to view and use only one page and hide all other pages in the apex application in oracle apex 5?
The scenario is similar as we assign a particular responsibility to a particular user in Oracle EBS and he has the access to use that particular responsibility and rest are hidden to view.
How to achieve this??
Yes ,You can do it by using authorization schemes.
By using authorization scheme ,you can restrict the user for viewing other pages.
Regards,
Nikita
Easiest way is to create an Access Control page. It will automatically create three authorization schemes for you. Admin, Edit, and View. You can assign users to those. Set application mode to Public read only. Edit and administrative privileges controlled by access control list. This will open the application for all the users, except for the pages that you control using authorization schemes.
I have created 3 api, one with
owner=apicreator
visibility=public
and the others two with
owner=admin
visibility="restricted by role".
Once I opened the store home page the only api visible is the one created with apicreator, then when I logged in as admin I can see the other two apis (final count of 3).
Is it possible to show all the api (doesn't matter by the owner or creator) in the store home page, without login?
Is there any configuration change to apply or any change in the jaggery code(I don't want to change the visibility)?
Thank you in advance
Claudio
Is it possible to show all the api (doesn't matter by the owner or
creator) in the store home page, without login?
If an API's visibility is based on roles, how do you expect API Store to show it to public?
Once a user logged in to the API Store only, we can identify their roles and based on that, API will be visible to him
We have a lot of external users to one of our site. They register themselves, and we store the external users with the SQLMembership provider. Internal users (admins) are handled using WindowsMembership.
A standard part of having an account is to be able to reset or change ones own password. Is there a standard EPiServer way of allowing that? I have not found any so far, but it seems strange that every developer should implement that on their own...
Both out of the box-solutions and third party modules are welcome, as well as home grown solutions.
There is a drop down at the top right of the editor navigation showing the current logged in username, in that, click "My Settings"
The direct url would be %pathtoepiserver%/CMS/edit/mysettings.aspx
e.g
/episerver/CMS/edit/mysettings.aspx
EDIT:
Just realised you said external users, not CMS editors. There's no built in way with EPiServer, but the logins use ASP.Net membership system, which has its own controls and templates for common membership functions.
This article might be of assistance:
http://www.asp.net/web-forms/tutorials/security/admin/recovering-and-changing-passwords-cs
I'm a person with a non-programming background working on a web application that must store user-generated content and always associate that content with the user who created it. I just had the developer tell me since the application must do this, using Facebook as an alternate login method is pointless because Facebook only let's a third-party web application hang on to Facebook profile information for a certain amount of time, and therefore users who login via Facebook cannot actually contribute content that would remain in the web application's databases.
I'm having trouble swallowing this. I just signed up and logged in to stackoverflow using my Facebook account, and it appears to have generated a site-specific user ID that was automatically associated with my Facebook account - thereby allowing me to save/store content on the site without having to actually create a site-specific profile.
My questions:
Where is the misunderstanding here? To what extent do alternative login options affect the ability of my application, which will consist largely of user-generated content, to store user-generated data and consistently associate it with that user? Appreciate the help!
Alternative login allows users to use an existing account to sign in to multiple websites, without needing to create new passwords. Alternate login using facebook, OpenID, gmail or any other provider doesn't affect the ability of your application to store user generated content.
When a user logs in using a login option for e.g. facebook, user enters the facebook login credential(if he isn't already logged in), facebook generates a authenticated token which is utilised by your application for future use.
In case of alternative logins only the login information (User ID/Password) isn't stored in your application, it totally depends on how you are implementing it in your application. But in any case it doesn't affect your application in saving storing and using the user generated content in your website.
Please refer to this link for more info -
http://openid.net/get-an-openid/what-is-openid/
http://oauth.net/
Hope this helps!