I am building a plugin for multiple .NET based solutions. The application it self will connect to a database that holds user data and user group data, as well as some configuration files that users create for them selves. The configurations may also be shared between users (the owner can share his configurations with another user), and administrators will be able to edit all permissions on all files(my guess is via some web interface).
The applications that will have access to the functionality of this plugin are using the .NET platform but after that the projects diverge. One is using old win forms, the other WPF for desktop and another is web based using a JavaScript library. All the aforementioned applications are just interfaces for a shared lib that contains actual business logic.
My plugin will be implemented within the shared business logic library. The app will support both username and password authentication as well as windows authentication(if win auth fails the all will ask for username and password to try to access data that way).
My options regarding membership and authentication/authorization are plentiful and I'm not sure of my choice. I can use the Membership library or the new Identity library. I am also sure there are 3rd party libs that are quite good at this stuff but I have yet to hear of them.
is there a preferred lib to use or is the choice trivial and i should just start from somewhere?
This is a great place to start: http://brockallen.com/category/membershipreboot/
Related
I'm building several App's or Modules (Each got its own Project or might be a solution) and I need to develop a central core module that acts as a configuration App as well as the main login portal and users management (Using the built-in Identity 2.0)
I need a hint or a road map on how I can allow that functionality so when a user requests a specific module (Might be on a completely another URL, Database or Machine), he'll be redirected to the login page and then return back to the requested url. Of course I need to not include the same login mechanics and controllers in each and every project.
PS: I still need to use the normal Identity User Role check in the Applications/Modules like usual.
I decided to go with IdentityServer4
There is a learning curve here but I decided to go ahead as it will be a better solution in the future.
We have an asp.net webforms application that uses our own custom authentication. I have been tasked with allowing one of our customers to use single signon to our app and they have their own adfs server. The idea is that we would allow more customers to do this going forward.
The examples I see for allowing multiple federated parties to connect to our application involves us setting up our own ADFS server which management does not want to do.
I have not found any examples of setting up multiple federations through web.config. Can it be done?
According to this post, he was able to do something similar:
https://blogs.msdn.microsoft.com/mcsuksoldev/2012/10/18/access-to-an-asp-net-website-via-multiple-authentications/
Personally, I still prefer setting up a federation product in front of the application. It doesn't have to be ADFS. You can use any federation product, either open source or commercial, as a proxy for you application.
I am building an ASP.NET WCF Restful Service for several colleges. The service allows students to authenticate, therefore I will be leveraging some sort of central authentication at each College. For example one college may require authentication via Open LDAP while another may require Active Directory Authentication.
I need the ability to easily drop code into my project to change the authentication type (Open LDAP, Active Directory, etc..).
My solution is to create an interface and implement it in my Custom Authentication class. I would drop the compiled authentication class into my bin folder and add a key value entry into the web.config file which specifies the Assembly name and Class name. When a user Authenticates I would create the class through reflection and use the interface methods to authenticate the user.
Is the above approach a good approach to handle custom authentication? Has anyone solved this using a different approach?
Thank you for your time.
Victor
You could just use the ASP.NET provider model or use MEF to look through your directories and assemblies to discover implementations of an interface. That way you don't have to write the reflection code yourself, and it will be correctly loaded on application initialization, rather than you creating it on every authentication attempt.
I think you can develop a custom service behavior, and in that behavior you can define your customized authentication ways.
This link (http://www.codeproject.com/KB/WCF/Custom_Authorization_WCF.aspx) may help you.
I need to be able to tighten my business layer - access to particular data.
The UI can make a call to the business layer and receive a userdetail. The UI can then call .Save() on a user and the business layer will call the data access layer to save the user.
Although, the problem here is that I don't just want any user to be able to receive a userdetail and call save - only authenticated users with that role of "admin". How would I go about this authentication/authorisation in my business layer/UI so I can achieve this?
I am using ASP.NET for my UI, and I've read into membership/role providers, but this just seems to be for the actual UI. I need to secure it at my business layer because in the future there could be a couple of different UI's. e.g. windows forms and Asp.net.
Thoughts and suggestions are appreciated.
Thanks.
Another approach you might want to research (if developing in .NET 3.5 / 4.0) is using Windows Identity Foundation.
If you are insterested in keeping your authorization logic outside your web site (which I assume you would if you are expecting to use your business layer from more than 1 front-end) I would definitely recommend yaking a look at WIF. You can also integrate with Active Directory using ADFS v2.0 (which is a server role in Windows Server 2008 R2).
Patterns & Practices has released a guide which can be quite useful for digging into the subject.
The ASP.NET Role / Membership providers include storage and code level components you can re-use - they aren't just the UI.
For fine-grained access control (for example to specific functionality on a page) you can use the Enterprise Libraries. You'll be able to re-use code to protect functionality both at the BL layer and in the UI layer.
The link you most want is this one: Determining Whether a User Is Authorized to Perform a Task
Also see:
What Does the Security Application Block Do?
DotNetJohn - Enterprise Library Security Block...
Rule Based Security using Microsoft Enterprise Library and CAS
During earlier releases of the EntLibs, the Authorization Manager was a key component, but in more recent versions it's not a firm requirement, instead you can use an AuthorizationRuleProvider.
see: Developing Applications Using Windows Authorization Manager.
Filtering data is a bit more problematic depending on the complexity of your data, the amount of it and performance needs.
One strategy is to have a simple DAL that returns everything, and prune out data the current user isn't allowed to see in the BL.
Design a DAL that has some knowlegde of the roles your application uses:
DAL.GetCustomersForAdmin() and DAL.GetCustomersForMember() But this is a bit dangerous as you'll be tied to using those roles.
Have a database / DAL that is security aware, and always returns only the data the user is permitted to see, via the same methods: DAL.GetCustomers()
Currently applications are deployed only to my office of 40 employees or so. ClickOnce works great for this as everyone has network access or VPN access which makes updating pretty straightforward. Now, it has been tasked to me to figure out the best way to deploy these applications to res of the company. ClickOnce would work but the files would be made publicly available to any.
What would be the easiest way to implement this feature with some form of authentication?
The actual deploy page can be set up on a site that requires Windows Authentication. As long as the domain controller you are using trusts the other domain controllers, you are golden. You might be able to do this at the folder level, as well. If you go this route, you can still use the click once model.
There are a few more ideas here:
http://tinyurl.com/bn5e76