I am making a Web API service. I just used the ASP.NET Web API template with authentication. I was wondering how we can restrict DB entity access for those users who are already logged in. With [Authorize] we can restrict unauthorized users, which I have done. After login, they can access anything right now. E.g.: I have a table Bill. With BillId, users who are authorized can access any entry in the Bill table. How to restrict this? Currently the Bill table has no relation with the UserIdentity tables!
After thinking about the scenario, I have a solution [not sure it's the best]. In all my controllers I can get the UserId [the authenticated user's id]. When a user adds data to any entity, I will add UserId as a column to that entity and store the UserId. When any user looks for a resource, he will get only those resources which have his UserId. I am not giving any relation to any user table, but just adding the UserId to all entities as a new column.
I have a back-end application (ASP.NET Web API) and a front end (React).
We are using a third party for authentication and have role based access for authorization.
We found an issue wherein a user who is authenticated and authorized was able to change an id, say documentid, in a GET call (/API/Document/{documentid}) and was able to view other users' data.
So after researching, one way is to check on the call whether the owner of the document (userid) matches the userid of the logged-in user. Since it's Web API we cannot store the userid in session, so we had to set the userid in the JWT. So when logged in we set the userid in the JWT, and we can make a check on the calls to see if the owner of the resource matches the userid in the JWT. I see some concerns adding/exposing the userid in the JWT, so the question is what is the best way to handle it? I can make use of the username, but that might add the overhead of a database call to get the userid, or of adding the username to every view model.
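The owner-column approach proposed in the first post and the per-request owner check described in the document question above, written out as an added example (it is not code from either poster). It assumes ASP.NET Web API 2 with attribute routing enabled (config.MapHttpAttributeRoutes()), Entity Framework 6, and a hypothetical Document entity; the caller's id is read from the NameIdentifier claim that the cookie or bearer-token middleware placed on the principal, so the client can see it in the token but cannot change it without breaking the signature.

```csharp
// Added example, not from the original posts. Enforces resource ownership in an
// ASP.NET Web API 2 controller: authenticated users only ever see rows stamped
// with their own user id. Entity, DbContext and route names are assumptions.
using System;
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;

public class Document
{
    public int DocumentId { get; set; }
    public string Title { get; set; }
    // Owner column added to the entity, as the first post proposes. It holds the
    // authenticated user's id; no foreign key to the identity tables is needed.
    public string OwnerUserId { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<Document> Documents { get; set; }
}

[Authorize]
[RoutePrefix("api/document")]
public class DocumentController : ApiController
{
    private readonly AppDbContext _db = new AppDbContext();

    // The caller's id comes from the principal built by the authentication
    // middleware (cookie or JWT), never from the body, route or query string.
    private string CurrentUserId()
    {
        var identity = User.Identity as ClaimsIdentity;
        var id = identity == null ? null : identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(id))
            throw new HttpResponseException(HttpStatusCode.Unauthorized);
        return id;
    }

    // GET api/document : list only the caller's own documents.
    [HttpGet, Route("")]
    public IHttpActionResult List()
    {
        var me = CurrentUserId();
        return Ok(_db.Documents.Where(d => d.OwnerUserId == me).ToList());
    }

    // GET api/document/{id} : the ownership test is part of the query itself, so a
    // tampered id that belongs to someone else yields 404, not the other user's row.
    [HttpGet, Route("{id:int}")]
    public IHttpActionResult Get(int id)
    {
        var me = CurrentUserId();
        var doc = _db.Documents.SingleOrDefault(d => d.DocumentId == id && d.OwnerUserId == me);
        if (doc == null)
            return NotFound();   // same answer whether the id is missing or foreign
        return Ok(doc);
    }

    // POST api/document : the server stamps the owner; any owner the client sends is ignored.
    [HttpPost, Route("")]
    public IHttpActionResult Create(Document input)
    {
        if (input == null || string.IsNullOrWhiteSpace(input.Title))
            return BadRequest();
        var doc = new Document { Title = input.Title, OwnerUserId = CurrentUserId() };
        _db.Documents.Add(doc);
        _db.SaveChanges();
        var location = new Uri(Request.RequestUri.AbsoluteUri.TrimEnd('/') + "/" + doc.DocumentId);
        return Created(location, doc);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

The important property is that every query carries the owner predicate, so there is no code path in which the row is fetched first and compared afterwards (and possibly returned when someone forgets the comparison). The user id placed in the token is only an identifier, not a secret; what protects it is the token signature, which the server verifies before the principal is built.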
I have a WebForms application which was built with ASP.NET Membership. I migrated to Identity successfully.
I now want to use claims authorization instead of roles authorization, but the role information for the old users has been migrated to the AspNetUserRoles table in the database, while the AspNetUserClaims table is empty. For new users registered after the migration, I can add to AspNetUserClaims with the following code:
IdentityResult result1 = manager.AddClaim(user.Id, new Claim(ClaimTypes.Role, "role"));
But the old users are only registered in the AspNetUserRoles table not in the AspNetUserClaims table.
On login, will the claims created include role information from the AspNetUserRoles table also, or only from the AspNetUserClaims table?
Will the User.IsInRole() check both the AspNetUserRoles table and the AspNetUserClaims table?
How can I migrate information from the AspNetUserRoles table to the AspNetUserClaims table?
Don't get hooked on the "claims" term. Here this is a convenient way to add information into the cookie.
There are actually 2 types of "claims" here: one that is added into the cookie and one that is preserved in the AspNetUserClaims table.
When a user logs in, a cookie with an identity is created. The identity contains all the claims the user has. A claim here is a key-value pair that is added in the cookie as a payload. Cookie claims contain things like User.Id, SecurityStamp, Username, some other framework-related stuff and... the list of roles from AspNetUserRoles, along with the additional claims from AspNetUserClaims.
So what you are trying to do, adding roles into claims, makes no sense. Roles will be in the cookie as claims anyway, added by the framework.
Probably I'm not explaining well: when you debug your application, analyse the User property of a controller, look into ClaimsIdentity and see the list of all the claims. All my jabbering will make more sense.
To answer your second question: User.IsInRole() does not go into the database. This method only checks information in the cookie; see the source code for yourself: it only checks if the cookie contains a claim of type ClaimTypes.Role with the name of the role you are trying to check.
Third question... do you still want to do that? You can do a SQL statement, something like insert into aspnetuserclaims (<columns>) select <columns> from aspnetUserRoles inner join aspnetroles on aspnetUserRoles.roleid = aspnetroles.id.
I wrote about what claims go into the cookie in my blog a while ago - you'll get a better understanding how it all comes together.
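An added example, not from the question or the answer above, covering the answer's two practical points: a managed equivalent of the INSERT ... SELECT for copying AspNetUserRoles rows into AspNetUserClaims, and a small demonstration that IsInRole() is nothing more than a lookup of ClaimTypes.Role claims on the principal. It assumes ASP.NET Identity 2.x with the template's ApplicationUser and ApplicationDbContext types; the sync UserManager extension methods GetRoles, GetClaims and AddClaim are the same family the question already uses.

```csharp
// Added example, not from the original posts.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public static class RoleClaimMigration
{
    // Copies every user's roles into AspNetUserClaims as ClaimTypes.Role claims.
    // Returns the number of claims written. Skips claims that already exist, so
    // the method can be re-run safely. ApplicationUser/ApplicationDbContext are
    // the default template types (assumed).
    public static int CopyRolesToClaims(UserManager<ApplicationUser> manager, ApplicationDbContext db)
    {
        int added = 0;
        // Materialise the user list first: AddClaim writes through the same context.
        foreach (var user in db.Users.ToList())
        {
            var existing = new HashSet<string>(
                manager.GetClaims(user.Id)
                       .Where(c => c.Type == ClaimTypes.Role)
                       .Select(c => c.Value));

            foreach (string role in manager.GetRoles(user.Id))
            {
                if (existing.Contains(role))
                    continue;
                IdentityResult result = manager.AddClaim(user.Id, new Claim(ClaimTypes.Role, role));
                if (!result.Succeeded)
                    throw new InvalidOperationException(
                        "AddClaim failed for user " + user.Id + ": " + string.Join("; ", result.Errors));
                added++;
            }
        }
        return added;
    }
}

public static class IsInRoleDemo
{
    // Mirrors what the framework does at sign-in: rows from AspNetUserRoles and rows
    // from AspNetUserClaims both become claims on a single ClaimsIdentity whose
    // role claim type is ClaimTypes.Role. The inputs stand in for the two tables
    // and are constructed here, not read from a database.
    public static ClaimsPrincipal BuildPrincipal(string userId, IEnumerable<string> roleTableRows,
                                                 IEnumerable<Claim> claimTableRows)
    {
        var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie,
                                          ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        foreach (string role in roleTableRows)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        identity.AddClaims(claimTableRows);
        return new ClaimsPrincipal(identity);
    }

    public static void Run()
    {
        var principal = BuildPrincipal(
            "42",
            new[] { "Admin" },                                   // from AspNetUserRoles
            new[] { new Claim(ClaimTypes.Role, "Editor") });     // from AspNetUserClaims

        // Both checks succeed for the same reason: a ClaimTypes.Role claim with that
        // value is present on the identity. Where the row originally lived is
        // invisible to IsInRole, and no database is consulted at this point.
        Console.WriteLine("Admin:  " + principal.IsInRole("Admin"));
        Console.WriteLine("Editor: " + principal.IsInRole("Editor"));
        // No claim carries this value, so the check fails without any lookup.
        Console.WriteLine("Viewer: " + principal.IsInRole("Viewer"));
    }
}
```

Because the cookie is the only thing IsInRole consults, revoking a role in the database takes effect only when the identity is rebuilt (on the next sign-in, or when the SecurityStamp validator regenerates the identity). If you copy roles into AspNetUserClaims and later remove a user from a role, remember that the copied claim outlives the role row unless you delete it too.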
I have a custom set of roles that is supposed to be used in a multi-tenant app.
AbpRoles table has a column titled "TenantId" (nullable).
The problem is that if I leave this field with a null value, a user of a certain tenant cannot be recognized as being related to a certain role. But if an AbpRole record has a tenant id value, all works pretty well.
The bottom line is:
my code has to be creating the same set of roles for each tenant, so I'm just wondering if it's possible to have a common set of roles for all tenants.
If the TenantId value is null for the AbpRole record and I wrap the code that checks if the user belongs to a role
User.IsInRole("Employee")
into this block
using (_unitOfWorkManager.Current.DisableFilter(AbpDataFilters.MayHaveTenant))
the problem is still not solved.
Sorry for the late answer. For the guys looking for an answer to this question:
Roles should be created per tenant. If you are using a single tenant then you have to use the Default tenant's id. As a result you cannot share a role. If you insist on sharing roles between tenants you have to disable MayHaveTenant every time you make an operation on a role.
I'm using an ASP.NET Membership provider to handle user accounts on my website, and I've set the DeleteUser() function to only delete data from the aspnet_Membership table, as I'd like to keep the user ID and details in aspnet_Users for auditing.
I've encountered a problem whereby if I delete a user "bob", when someone creates a new user with the same username, then instead of creating a new aspnet_Users record with a new UserId (it's a GUID by default), it will instead link the new aspnet_Membership record to the previously created "bob" account.
This means rather than creating a new user that happens to have the same username, it's re-activating the old user and linking their activity history together.
Is there a way to force ASP.NET Membership to create a new aspnet_Users record instead of hijacking the old one?
Thanks!
Unfortunately, it seems that the ASP.NET Membership SQL provider generates the User ID GUID using the username as a seed. This means that without deleting the user (which you wouldn't want to do if you were keeping an audit history) there is no clean way of creating another user with the same User ID.
To resolve my issue I have done the following:
Allowed ASP.NET Membership to assign a membership record to the aspnet_Users record as it does by default
Added an audit record to my audit table explicitly specifying that a user has been re-created
This will allow me to check when writing audit queries whether the user performing an action was once removed, and hence whether they're likely to be the same person or not.
Hi all, I'm completely new to ASP.NET and C#, so I will explain as best as I can what I am after. I am using Visual Studio 2010 Ultimate (MSDNAA).
Basically I have set up user registration and login using the wizard, with the user data stored in the aspnet_users table in the database ASPNETDB.MDF. I have also created in the database a table called UserProfile with the fields UserID, Address, Telephone, etc.
I have then created a relationship between the aspnet_users table and the UserProfile table by linking UserID.
What I am trying to do is create a profile page where users can insert and update their profile information. I have therefore created a page called userinfo.aspx and, after following several tutorials, which often seem to revolve around ASP.NET 2, I have dragged in the FormView option and created a link to the database.
What I am stuck on is how I can get the current UserID that is logged on and display their information. My problem is that under the WHERE option I cannot get it to use the current user as the source, or is this totally wrong?
If you could advise me I would be grateful.
Matt
Session["USER_NAME"] = txt_uname.Text;
You have two forms: a user registration form and a login form.
In user registration you are inserting the details into the database.
In the login form, from the textboxes you will get the username and password. Check that the username and password match the database. If they match, then you have to maintain the username in a session variable.
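An added example, not from the question or the answer above, and using a different technique from the answer's session variable: since the question's site already uses the ASP.NET Membership wizard, the logged-in user's UserId can be taken from the Membership provider on every request and pushed into the FormView's SqlDataSource as the WHERE parameter. Control names (UserProfileSource, UserProfileForm), the UserProfile column list and the ApplicationServices connection-string name are assumptions.

```csharp
// Added example, not from the original posts. Code-behind for userinfo.aspx:
// resolves the current user's aspnet_Users.UserId from the forms-auth ticket and
// binds it to the data source, so the selected profile can never be chosen by
// anything the browser sends (query string, form field or view state).
using System;
using System.Web.Security;
using System.Web.UI;

public partial class UserInfo : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // web.config <authorization> should already deny anonymous users; this is
        // the in-page check in case the page is ever reachable without it.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Membership.GetUser() with no argument resolves the *current* user from the
        // authentication ticket; ProviderUserKey is the aspnet_Users.UserId GUID.
        MembershipUser current = Membership.GetUser();
        if (current == null)
        {
            // Ticket names a user that no longer exists: drop it rather than continue.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Set the parameter on every request, postbacks included, so the select,
        // update and insert commands all run against the caller's own row.
        string userId = ((Guid)current.ProviderUserKey).ToString();
        UserProfileSource.SelectParameters["UserId"].DefaultValue = userId;
        UserProfileSource.UpdateParameters["UserId"].DefaultValue = userId;
        UserProfileSource.InsertParameters["UserId"].DefaultValue = userId;
    }
}

/* Matching markup (assumed) in userinfo.aspx. The UserId parameters are declared
   here with no source so that the code-behind above is the only thing setting them;
   the FormView's edit/insert templates bind Address and Telephone in the usual way.

<asp:SqlDataSource ID="UserProfileSource" runat="server"
    ConnectionString="<%$ ConnectionStrings:ApplicationServices %>"
    SelectCommand="SELECT UserID, Address, Telephone FROM UserProfile WHERE UserID = @UserId"
    UpdateCommand="UPDATE UserProfile SET Address = @Address, Telephone = @Telephone WHERE UserID = @UserId"
    InsertCommand="INSERT INTO UserProfile (UserID, Address, Telephone) VALUES (@UserId, @Address, @Telephone)">
    <SelectParameters><asp:Parameter Name="UserId" DbType="Guid" /></SelectParameters>
    <UpdateParameters><asp:Parameter Name="UserId" DbType="Guid" /></UpdateParameters>
    <InsertParameters><asp:Parameter Name="UserId" DbType="Guid" /></InsertParameters>
</asp:SqlDataSource>

<asp:FormView ID="UserProfileForm" runat="server"
    DataSourceID="UserProfileSource" DataKeyNames="UserID">
    ... ItemTemplate / EditItemTemplate / InsertItemTemplate with Bind("Address"), Bind("Telephone") ...
</asp:FormView>
*/
```

Setting DefaultValue from the code-behind rather than using a QueryStringParameter or FormParameter is the point of the example: the WHERE clause is fixed to the authenticated identity on the server, which is the same ownership check that a Web API controller performs when it compares the row's owner to the caller's user id.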