I am using Integrated Windows Authentication in my application so domain users alone can access the application.
After this step, I am doing some additional authentication to check whether that domain user is permitted to access the application (domain user will be added in a database table).
To achieve this, I am doing in the following way. Is this the best practice?? Please advise.
public class CCUKAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var isAuthorized = base.AuthorizeCore(httpContext);
var isUserAddedinDB = true; //Code to check whether user is added in DB
return isUserAddedinDB;
}
}
What you are trying to do is first check authentication and then check for an authorization rule(can he access application). I guess this is a onetime check which happens only during the first time authentication process. In that case you better separate that logic into a different method (Separation of Concerns).
Generally in a MVC application if you need to do a custom Authorization check, I would recommend to do Authorization check by overriding "Authorize" attribute (example).
Related
i am using my own security system (custom authentication, authorization ...)
i just want to send confirmation email after user register how can i do this without membership tables ?
FYI:when i am build my own authorize system i just override AuthorizeCore function like this
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
}
is there any functions like AuthorizeCore to confirm account or change password can override ?
appreciate any help thanks
No attribute can do this; you need to do this within the controller. However, the default security framework does have API methods for this. Since you have your own security, it makes sense to do this in the controller in a custom fashion.
I am writing an MVC 3 application, which doens't use the classic approach of accesing the database using the Entity Framework. Instead I have another application combined of WCF Services, which are used to manage the database access. Now I want to used those services in my MVC application, as the database access. This part is simple. The point where it gets harder is managing authentication and authorization in this scenario.
For authentication and authorization, I have created custom membership and role providers. I have implemented the necessary methods, but here I have ran into the problem. My services require username and password, to get the list of user roles.
I am wondering how can I store the username and password provided by user on logon, somewhere in the backed of my application, to make sure it is save, and to have the possability to use it in my role provider?
Is session the right choice for this? If so, how can I access user's session in my role provider?
You should never use passwords, use password hashes instead (properly salted, of course). So, now you can pass username and password hash to your role provider which in turn will pass that to your wcf which will grant or not grant the necessary roles.
Update
IsUserInRole method should look like so:
public class WcfRoleProvider: RoleProvider
{
public bool IsUserInRole(string username, roleName)
{
bool result = false;
using(WcfRoleService roleService = new WcfRoleService())
{
result = roleService.IsUserInRole(username, roleName);
}
return result;
}
}
I have a ASP.NET MVC site with a CAS server set up as the authentication type. I also have a separate database with a Users table and a Roles table (with a User being related to one or more roles). A User is only able to log into the system if the Username is both in the User table and on the CAS system. I have this solution working.
My problem is i now need some form of trigger on User.IsAuthenticated so i can track the current User (from my database), without the possibility that i am trying to allow tracking of a User that has logged out. What I've been thinking is i need to add the User to the HttpContext but i am not sure how to trigger the clearing of the User if the CAS session times out or if the User Logs out.
I also wish to have some functionality such as User.IsInRole (again using my database, not ASP.NET) but am not sure how to go about implementing this. I suppose if i can successfully add the User to the HttpContext then a IsInRole method would simply be a User.Roles.Contains(string role) method but how can that then be used if i wish, for example, to use a method with the DataAnnotation [Authorize(role = "ExampleRole")].
I have looked at questions such as How do I create a custom membership provider for ASP.NET MVC 2? but this doesn't work for me (possibly to do with me using the CAS authentication?)
Any guidance or background reading would be appreciated as i'm really not sure where i should even start. I have read up on GenericPrinciple, IPrinciple and IIdentity but I'm struggling to see how i can apply them to my current project.
Ended up with a custom Authorise Attribute that uses the CAS logon to check the user exists in my database. It also checks the roles of that user. I also used a static class to save the current user in the session with a logout method that abandons the session when the user logs out.
I have kind of a two parter for you. This link does a really good job of explaining how to replace the HttpContext User with your own object: http://bradygaster.com/custom-authentication-with-mvc-3.0
His approach uses MVC filters, but you can also catch the Authentication event in the Global.asax file. Using the forms system with your own implementation can be trivial or not depending on what you're doing, but it boils down to calling FormsAuthentication.SetAuthCookie and .SignOut, amidst your own logic.
public static void FormsLogin(this User user, bool persist)
{
FormsAuthentication.SetAuthCookie(user.DisplayName, persist);
user.AddHistory("Login event.", HistoryType.Login, "SYSTEM");
Users.OnUserLogin(user);
SetLastActivity(user);
}
public static void FormsLogout(this User user)
{
FormsAuthentication.SignOut();
}
Lastly, once you've got the login stuff working out, you can use your own more complex permission system by making a custom Auth Attribute. I remember piecing this together from some other answers and articles but I can't seem to find the sources at the moment, I will try and edit with sources for credit where it's due, if I find them. For now, all I can offer is this gist which offers up one of the attributes I use: https://gist.github.com/1959509
Keep in mind the only really relevant part there is the override of OnAuthorization, which does the actual work.
Today, I implemented a custom authentication provider for my WCF service. It is able to determine if my user is valid or not, just as expected.
So, now I have this class:
public class MyCustomValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
User apiUser = User.Login(userName, password);
// other logic goes here.
}
}
The behaviour of my application depends on what objects the User can access. So, how can I get my User object from here to my service class? There is no immediately obvious way that I can see, as my service class does not inherit from anything by default, unlike the ASP.NET controllers.
My first instinct is to set up a static parameter in MyCustomValidator and then read it from there, but I suspect that a race condition could occur. Can anyone confirm or deny my suspicions?
And most importantly: Is there a better way to do this? This is the first time I have ever used WCF, so I'm not aware of the best practices involved here.
Thank you for your time.
You want to pass some data from validator to service instance. It is bad because you can't do it. UserNamePasswordValidator is only for validating credentials (user name and password). You don't have access to anything from your validator. It even doesn't see current operation context because it runs in different thread. Using static parameter is not a sloution - as you mentioned it is race condition.
I think you need to implement custom authentication and authorization and it is not easy:
WCF Authorizaton, Custom Authorization, Custom credentials and validation
I know it's possible to use this information in a winform, wpf or console application. But I rather to determine which user with what roles are running a sepecific method, so I could decide upon them and run different codes.
In addition in a desktop app. how a user can login? Is there any special winform or wpf login control?
You should be able to use the "principal"; the ASP.NET login sets this up IIRC, and you can do it yourself for winforms, WCF, WPF, etc. You can then use, for example:
public static bool IsInRole(string role)
{
var principal = Thread.CurrentPrincipal;
return principal == null ? false : principal.IsInRole(role);
}
You can also get the system to execute the checks for you:
[PrincipalPermission(SecurityAction.Demand, Role="SuperAdmin")]
public void DropDatabase() {/* ... */}
From 3.5 (SP1?) onwards, you can use the ASP.NET login mechanism to perform your winform/wpf logins, including setting up a principal; in project properties enable "Enable client application services" (or see the "Learn more" link on that tab).
Alternatively, writing your own identity/principal is pretty simple - look at IIdentity and IPrincipal ; you don't have to do a lot.