It's my first question here, so I apologize for my English :)
We are building an MVC 4 application with authentication handled by Jasig CAS SSO.
It works pretty well, but I need to run a custom action after the user is authenticated.
The steps should look like this:
1. The user goes to our site, to HomeController, which is decorated with AuthorizeAttribute.
2. The controller redirects the user to CAS.
3. The user enters his username and password.
4. CAS authenticates the user and redirects back to our site.
5. (here goes the custom action) After logon we build up the Session (get user parameters from the DB, put them into the cache, etc.).
Action 5 must run only once, after a successful logon! Every subsequent request skips this step.
I have read the CAS documentation and MSDN on forms authentication, but I couldn't find any information.
I found that I could extend AuthorizeAttribute and override the AuthorizeCore method, but that is run on every request.
Thanks for your help
I found the answer myself. Maybe there are better solutions, but this one does what I wanted.
To run a custom action after logon with Jasig CAS you need to implement
protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
in Global.asax.
Sample code:
protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
    // Must check that the user is authenticated (this event can fire for requests
    // that have not been authenticated yet) and that the handler has session state.
    // The "IsLogged" flag makes the block run only once per session.
    if (Context.User.Identity.IsAuthenticated && Context.Session != null && Context.Session["IsLogged"] == null)
    {
        Context.Session.Add("YourKey", YourData); // YourData: whatever you loaded from the DB
        Context.Session.Add("IsLogged", true);
    }
}
The same approach could probably be used with standard forms authentication if needed.
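As an added example (not the original answer's code), here is the same Global.asax hook with one change a security reviewer would ask for: the one-time initialisation is keyed to the authenticated identity name instead of a bare "IsLogged" flag, so a session that outlives a login cannot hand one user's cached parameters to the next user who authenticates in it. UserProfileRepository and UserProfile are hypothetical stand-ins for the "get user parameters from DB" step.

```csharp
// Added example: one-time, per-login session initialisation keyed to the identity.
// UserProfileRepository / UserProfile are hypothetical stand-ins for the DB lookup.
using System;
using System.Web;

public class UserProfile
{
    public string UserName { get; set; }
    public string DisplayName { get; set; }
}

internal static class UserProfileRepository
{
    // Constructed stand-in for the database query that should run once per login.
    public static UserProfile Load(string userName)
    {
        return new UserProfile { UserName = userName, DisplayName = "Profile for " + userName };
    }
}

public class MvcApplication : HttpApplication
{
    private const string SessionOwnerKey = "__SessionOwner";
    private const string ProfileKey = "UserProfile";

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        // Session is only attached for handlers that use it (MVC actions, not static
        // files), and Context.User is only populated once the authentication module
        // (CAS client, forms, Windows) has run for this request.
        if (Context.Session == null || Context.User == null
            || !Context.User.Identity.IsAuthenticated)
        {
            return;
        }

        string currentUser = Context.User.Identity.Name;
        string sessionOwner = Context.Session[SessionOwnerKey] as string;

        // Already initialised for this identity: skip, as on every normal request.
        if (string.Equals(sessionOwner, currentUser, StringComparison.Ordinal))
        {
            return;
        }

        // Either the first request after logon, or a different user authenticated
        // inside an ASP.NET session that outlived the previous login. A bare
        // "IsLogged" flag would hand the new user the old user's cached data.
        Context.Session.Clear();
        Context.Session[ProfileKey] = UserProfileRepository.Load(currentUser);
        Context.Session[SessionOwnerKey] = currentUser;
    }
}
```

ASP.NET keeps the same ASP.NET_SessionId cookie across logins, so the identity check above is what prevents cross-user reuse; on logout, call Session.Abandon() and expire the session cookie as well.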
I have always programmed with ASP.NET Web Forms. Everything was simpler, but now, for better performance and more modern software, I decided to switch to ASP.NET MVC.
I managed to understand most of the concepts, but because there is no Page Lifecycle in MVC, I am having trouble verifying whether the user has logged in.
Let me give you an example:
In ASP.NET Web Forms, I used to make a login page where, if the user exists and has given proper credentials, the program would create a Session variable like this: Session["UserID"] = 3;
And when the user navigated to his or her account page, code like the one below would check whether the user is logged in:
protected void Page_Load(object sender, EventArgs e)
{
if(Session["UserID"]==null)
{
Response.Redirect("/login.aspx");
}
}
How do I do the same thing in MVC?
Add [Authorize] above your action method. You can add it above your controller if you want all of its actions to be available to logged-in users only.
If you do this, don't forget to add app.UseAuthorization(); in your Program.cs file.
Tell me if this helps ^^
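An added example (not the answerer's code) of what replaces the Web Forms Session["UserID"] check in ASP.NET MVC 4/5 (System.Web.Mvc, the framework the rest of this page is about; the answer's app.UseAuthorization() line applies to ASP.NET Core instead). It assumes forms authentication is enabled in web.config with the login URL pointing at the LoginController; CredentialStore is a constructed stand-in for the real user store.

```csharp
// Added example: [Authorize] with forms authentication in System.Web.Mvc.
// web.config (assumed): <authentication mode="Forms"><forms loginUrl="~/Login" /></authentication>
using System.Web.Mvc;
using System.Web.Security;

[Authorize] // every action here requires an authenticated user; anonymous requests
            // are redirected to loginUrl by the FormsAuthentication module
public class AccountPageController : Controller
{
    public ActionResult Index()
    {
        // No Session["UserID"] check needed: the framework has already rejected
        // anonymous callers, and the identity comes from the signed auth cookie.
        return Content("Hello, " + User.Identity.Name);
    }
}

public class LoginController : Controller
{
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken] // the login form must render @Html.AntiForgeryToken()
    public ActionResult Index(string userName, string password, string returnUrl)
    {
        if (!CredentialStore.IsValid(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Issues the encrypted, MAC-protected forms-auth cookie that [Authorize]
        // relies on for subsequent requests.
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);

        // Only follow returnUrl back into this site, never to an arbitrary host.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "AccountPage");
    }

    [HttpPost]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index");
    }
}

internal static class CredentialStore
{
    // Constructed stand-in: a real implementation verifies a salted password hash.
    public static bool IsValid(string userName, string password)
    {
        return userName == "alice" && password == "correct horse battery staple";
    }
}
```

[AllowAnonymous] is needed on the login actions only when [Authorize] is registered globally or on that controller; the Url.IsLocalUrl check on returnUrl is what keeps the login page from being usable as an open redirector.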
I am using Integrated Windows Authentication in my application so that only domain users can access the application.
After this step, I am doing some additional authentication to check whether that domain user is permitted to access the application (permitted domain users are added to a database table).
To achieve this, I am doing it in the following way. Is this the best practice? Please advise.
public class CCUKAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: is the (Windows-authenticated) user authenticated at all?
        var isAuthorized = base.AuthorizeCore(httpContext);
        var isUserAddedinDB = true; // Code to check whether the user is in the DB table
        // Both must hold; the original returned isUserAddedinDB alone and dropped isAuthorized.
        return isAuthorized && isUserAddedinDB;
    }
}
What you are trying to do is first check authentication and then check an authorization rule (can he access the application?). I guess this is a one-time check that happens only during the first authentication. In that case you had better separate that logic into a different method (Separation of Concerns).
Generally, in an MVC application, if you need to do a custom authorization check, I would recommend doing it by overriding the "Authorize" attribute (example).
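As an added example (not the poster's code), here is the attribute written the way a reviewer would want it: the base authentication check is kept, the allow-list lookup is separated into its own type as the answer suggests, a database failure fails closed, and a domain user who is authenticated but not on the list receives 403 rather than another 401 challenge. AllowedUserStore and the CORP\ accounts in it are constructed stand-ins for the question's database table.

```csharp
// Added example: fail-closed allow-list authorization on top of Windows authentication.
// AllowedUserStore is a constructed stand-in for the DB table in the question.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

public class DomainAllowListAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base checks (IsAuthenticated plus any Users=/Roles= settings).
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        // With Windows auth this is "DOMAIN\user" as validated by IIS/Kerberos/NTLM,
        // not a value the client can choose freely.
        string account = httpContext.User.Identity.Name;
        try
        {
            return AllowedUserStore.Contains(account);
        }
        catch (Exception)
        {
            // Fail closed: a DB outage must not turn into "everyone is allowed".
            return false;
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // Authenticated but not permitted: 403. A 401 here would make the browser
            // re-run the Windows handshake and loop.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}

internal static class AllowedUserStore
{
    // Constructed stand-in for "SELECT 1 FROM PermittedUsers WHERE Account = @account".
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice", @"CORP\bob" };

    public static bool Contains(string account)
    {
        return !string.IsNullOrEmpty(account) && Allowed.Contains(account);
    }
}
```

Overriding AuthorizeCore rather than OnAuthorization keeps the base attribute's output-cache validation callback, so a cached page is never served to a user the check would reject. The lookup still runs on every request, which is what the answer means by moving a one-time check elsewhere; caching the result per user (for example in the principal) is a separate decision with the invalidation trade-offs discussed further down this page.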
I have a scenario in which I need to create a cookie before the user is authenticated by my MVC application. Here, login is done by an external application (which lives on a different server). For this, I wrote the code below in my local environment. I am overriding the built-in Authorize attribute and using my custom attribute.
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    // The cookie is written before the base class redirects to the login URL
    HttpCookie _testCookie = new HttpCookie("myCookie");
    _testCookie.Value = "someValue"; // was "_redirectCookie", an undeclared variable
    HttpContext.Current.Response.Cookies.Add(_testCookie);
    base.HandleUnauthorizedRequest(filterContext);
}
The above code works if I have a local URL in the tag in my web.config. Can somebody please tell me whether the same will work with an external login URL or not?
Thanks in advance,
Suhani.
Well, solved it. I just had to use the same domain name when creating this cookie so that the consuming site can see the cookie created by the original site. I deployed the same code (adding the domain name while creating the cookie) and it worked.
Thank you anyway!
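An added example (not Suhani's code) of the fix described in that self-answer, with the two cookie flags a reviewer would expect once a cookie is widened to a parent domain. The host names app.example.com / login.example.com, the parent domain example.com and the cookie name are assumptions; the example assumes both hosts are served over HTTPS.

```csharp
// Added example: cookie set before the redirect to an external login server,
// scoped to the parent domain the two hosts share. Domain, cookie name and
// HTTPS-only deployment are assumptions.
using System;
using System.Web;
using System.Web.Mvc;

public class ExternalLoginAuthorizeAttribute : AuthorizeAttribute
{
    // app.example.com and login.example.com only see each other's cookies when
    // Domain is set to this common suffix.
    private const string SharedCookieDomain = "example.com";

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        var cookie = new HttpCookie("preLoginState")
        {
            // Carry only what the login server needs (where to send the user back).
            // Every host under example.com can read this cookie, so it must hold
            // nothing secret.
            Value = HttpUtility.UrlEncode(request.RawUrl),
            Domain = SharedCookieDomain,
            HttpOnly = true,                    // not readable from page script
            Secure = true,                      // never sent over plain HTTP
            Expires = DateTime.UtcNow.AddMinutes(10)
        };

        filterContext.HttpContext.Response.Cookies.Add(cookie);

        // The base class returns 401, which the forms-auth module turns into a
        // redirect to the loginUrl from web.config, local or external.
        base.HandleUnauthorizedRequest(filterContext);
    }
}
```

If the login server sits on an unrelated domain rather than a sibling host, no Domain value will make the cookie visible to it; state then has to travel in the redirect URL (as CAS does with its service parameter) instead of in a cookie.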
I am working on an ASP.NET MVC web application in which I am implementing Windows authentication. I have made the necessary configuration in web.config to make it work.
Using Windows authentication, I was able to get the logged-in user name. Using it as a parameter, I query the database to get the role of the logged-in user.
My application has two roles: Admin and Normal User. I need to display some page content based on the role of the logged-in user.
Can I use sessions in MVC to carry this information to every page and display the content?
For example: in Global.asax
protected void Session_Start(object sender, EventArgs e)
{
    // Query the database for the role of the Windows-authenticated user
    // (Context.User.Identity.Name) and store the result in "role".
    if (role == "Admin") // comparison, not assignment
    {
        Session["UserType"] = "Admin";
    }
    else
    {
        Session["UserType"] = "NormalUser";
    }
}
Something like this. Then on each page I would check this role and, based on it, hide or show some functionality.
Is this the right approach? If not, what are the alternative ways of doing it?
Please suggest.
You should use HttpContext.User.Identity to get the current user. You can get the user name and the user's roles:
var uName = HttpContext.User.Identity.Name;
var isAdmin = HttpContext.User.IsInRole("Admin");
As with any caching approach, it has positive and negative sides. It is your call whether you are OK with the solution. Some pros and cons below.
Pros:
fewer requests to the DB
faster pages (you only need to load the session state)
Cons:
cache invalidation is a complex problem: e.g. you may not know that a particular user is no longer an admin
a session ID leaked through a bug in your site allows elevation of privilege (the attacker needs only the session ID, not admin credentials)
I have implemented a custom IPrincipal that I set in
protected void Application_PostAuthenticateRequest(Object sender, EventArgs args)
by doing
Context.User = GetCustomPrincipal(User.Identity);
Thread.CurrentPrincipal = Context.User;
But my custom principal hits the database to get custom information about the user. I don't want it hitting the database repeatedly on every request.
What is the best way to cache this? I was thinking of storing it in the Session, is that a good idea?
EDIT: Stupid me. Session is not even available in this method, should have tested before posting the question.
But question still remains..
The standard approach is to store the data in the auth cookie. If you aren't using cookies, you can store the data in session.
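An added example (not from either answer) that serves both the role question above (reading roles with HttpContext.User.IsInRole) and this one (caching a custom IPrincipal's data): the roles are read from the database once at login, carried in the UserData field of the forms-authentication ticket, and the principal is rebuilt from the ticket in Application_PostAuthenticateRequest on every request, so neither Session nor a per-request query is involved. RoleStore and the "alice" account are constructed stand-ins; the example assumes forms authentication with protection="All" (the default), which encrypts and MACs the ticket.

```csharp
// Added example: roles cached in the forms-auth ticket's UserData and restored
// into a custom principal on every request. RoleStore is a constructed stand-in.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public class AppPrincipal : GenericPrincipal
{
    public AppPrincipal(IIdentity identity, string[] roles) : base(identity, roles) { }
}

internal static class RoleStore
{
    // Constructed stand-in for the roles table queried once, at login.
    public static string[] RolesFor(string userName)
    {
        return string.Equals(userName, "alice", StringComparison.OrdinalIgnoreCase)
            ? new[] { "Admin" }
            : new[] { "NormalUser" };
    }
}

public static class TicketRoles
{
    private const char Separator = '|';

    // Build the auth cookie after credentials have been verified. The ticket is
    // encrypted and MAC-protected with the machineKey, so a client cannot append
    // "Admin" to it; the trade-off is that a demoted user keeps the role until
    // the ticket expires or they log in again.
    public static HttpCookie CreateAuthCookie(string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.Add(FormsAuthentication.Timeout),
            isPersistent: persistent,
            userData: string.Join(Separator.ToString(), roles),
            cookiePath: FormsAuthentication.FormsCookiePath);

        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
    }

    public static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData))
        {
            return new string[0];
        }
        return userData.Split(new[] { Separator }, StringSplitOptions.RemoveEmptyEntries);
    }
}

public class MvcApplication : HttpApplication
{
    // In the login action, after the credential check:
    //   Response.Cookies.Add(TicketRoles.CreateAuthCookie(userName, RoleStore.RolesFor(userName), false));
    // From then on User.IsInRole("Admin") and [Authorize(Roles = "Admin")] work with no DB hit.

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already decrypted and validated the cookie;
        // an anonymous request has no FormsIdentity and is left untouched.
        var formsIdentity = Context.User != null ? Context.User.Identity as FormsIdentity : null;
        if (formsIdentity == null)
        {
            return;
        }

        string[] roles = TicketRoles.ParseRoles(formsIdentity.Ticket.UserData);
        var principal = new AppPrincipal(formsIdentity, roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

For the Windows-authentication case in the earlier question, where there is no forms ticket to carry data, ASP.NET's role manager does the same job: a custom RoleProvider backed by the roles table, with roleManager enabled and cacheRolesInCookie="true", stores the roles in its own protected cookie and populates User.IsInRole without touching Session. Either way the staleness caveat from the answer above still applies, and the cookie lifetime is the upper bound on how long a revoked role stays usable.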