In a web application, is there any way to check whether the requesting user has admin privileges?
Is it possible? Can you suggest one method?
For example: a front-end user requests a page in my application. I want to know whether the user that made the request has admin privileges on his client machine. I have to check whether he is logged in with an admin-privileged account on the system.
I need the privileges of the logged-in user on the system, not in my application; my application doesn't have a login. A user just requests my home page or any other page, and I just want to know whether that user is logged into his PC with an admin account or not.
I'd suggest the membership provider for you.
Read this article for more information.
EDIT:
After reading some given answers and other questions, read this article (provided by Abbas).
Especially look at the chapter "Role Management, User Identity, and Membership".
This explains the difference between Windows authentication (login with your Windows account when on an intranet) and forms authentication (login with a username and password).
First read the article that Rick Hoving provided. Once you understand the whole Membership story you should read this article, also from MSDN: Understanding Role Management. Roles and access rules are explained, as well as the management and so on. Hope this helps!
You can create a role and store the role information in the session.
I am working for the DOD. The application they have requested is web based, and will be on their internal network. The request is for CAC authentication, which is easy enough... The remaining problem is authenticating a user. The CAC authentication is happening at the IIS level, so by the time the user gets to the application, all I am doing (or had planned on doing) is checking the ID on the CAC, and comparing it to a user table in the database. If the user exists (and has been approved), then they are off and running in the system. If they do not exist, then they are pushed to the registration screen.
Given my lack of experience with web development, I am unsure if I need to actually authenticate the user in some way beyond the CAC authentication, or if I can just manually assign roles to the user and let the roles dictate what can or cannot be done in the application. Windows authentication is not an option; while this application is internal for the military, it is accessible from different mil networks.
If I do indeed need to authenticate a user... this is where I run into trouble. I have not found anything that says there is a way to manually authenticate a user. I could use the standard ASP tables in the database, but it seems... messy... to include things that won't be used (meaning the password field would always be an empty string - why include it in the db if it isn't being used?).
Thanks in advance for any help... If there are links to where I can read more about the authentication process, those would be very much appreciated as well.
I'm working on several DOE projects that use the same idea. What we normally do for web applications is to enable Windows authentication on the app. This will allow pass-through of user credentials and keep out anyone without credentials.
I also like to add role based authorization into the mix and then use AD groups to allow/deny users on specific apps.
We have a web application where LDAP/Active Directory authentication is in place.
Now the requirement is that if a user who exists in Active Directory is logged in to his machine and accesses the web application, then it doesn't require authentication. He will be directly authenticated and land on the website's landing page.
Could you please guide if you have any idea/hint/ref/solution?
Thank you so much.
First you need to change the authentication to "Windows"; this will force your website users to enter their Windows credentials, and then you can validate those on page load.
1) Enable Windows authentication in IIS and disable Anonymous authentication. For more information see this article: Windows Authentication for ASP.NET
2) On page load, identify the identity of the user using Page.User.Identity
3) Query LDAP using System.DirectoryServices and System.DirectoryServices.ActiveDirectory to check whether the user exists or not
For more detailed info on AD, this is a very useful article: Almost Everything about AD
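The three steps above in a single Web Forms page, as an added example that is not code from the answer. Assumed for this example: a domain CORP, an access group CORP\WebAppUsers, an LDAP root of DC=corp,DC=example,DC=com, and a Label control named lblWelcome on the page.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web.UI;

// web.config for this page: <authentication mode="Windows" /> plus
// <authorization><deny users="?" /></authorization> to reject anonymous requests.
public partial class Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With Anonymous disabled in IIS, the request gets here only after Kerberos/NTLM
        // succeeded, so User.Identity is a WindowsIdentity whose Name is DOMAIN\user.
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated) { Deny(401); return; }

        // Group membership is already in the logon token; no LDAP round trip is needed.
        if (!new WindowsPrincipal(identity).IsInRole(@"CORP\WebAppUsers")) { Deny(403); return; }

        // Fetch an attribute for the landing page from AD via System.DirectoryServices.
        int slash = identity.Name.IndexOf('\\');
        string samAccount = slash < 0 ? identity.Name : identity.Name.Substring(slash + 1);
        using (var root = new DirectoryEntry("LDAP://DC=corp,DC=example,DC=com"))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the value before embedding it in the filter so that user-derived
            // text can never change the structure of the LDAP query.
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                              + EscapeLdap(samAccount) + "))";
            searcher.PropertiesToLoad.Add("displayName");
            SearchResult result = searcher.FindOne();
            string display = identity.Name;
            if (result != null && result.Properties.Contains("displayName")
                && result.Properties["displayName"].Count > 0)
            {
                display = result.Properties["displayName"][0].ToString();
            }
            lblWelcome.Text = Server.HtmlEncode(display);   // encode AD data before rendering
        }
    }

    private void Deny(int status) { Response.StatusCode = status; Response.End(); }

    // RFC 4515 escaping of LDAP filter metacharacters.
    private static string EscapeLdap(string s)
    {
        return s.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
                .Replace(")", @"\29").Replace("\0", @"\00");
    }
}
```

Because IIS already validated the account against the domain, the LDAP query is only needed for attributes; the authorization decision itself should rest on the token's group membership.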
With respect to the above answer by Bhavin.
Also set
Internet Options --> Security --> Custom -->
User Authentication --> Automatic logon only in intranet zone
This is a browser-specific setting and can be done via group policy also.
In my application users can log in using social networks such as Facebook, Twitter and LinkedIn. Can anyone tell me how to check whether the user is already logged in with Facebook/Twitter/LinkedIn on the phone, via the browser or other internal apps? My application should also be able to know that the user has logged in, so that it does not ask again for the login screen. Even if the user logged in using the web browser or the Facebook internal app, my application should be able to access those credentials and allow users to log in without asking for the credentials again.
How do I do this?
Thank you for all hints and your help in advance!
Have you ever gone through any authentication methods? This link helps you go through Facebook login authentication, where it asks for permission the first time and, if the user accepts, it stores all those credentials for the particular user.
Next time the person logs in, they don't need to log in again. You just call the login method at startup and it automatically makes the login successful. You can also get the user's information, such as email address and basic information, and store it in your application (Isolated Storage) if the user gives access to your application, and you can use it next time the user enters the application.
Likewise, you can also perform authentication with Microsoft Account, Facebook, Twitter & Google with Mobile Services via the link below:
http://code.msdn.microsoft.com/windowsapps/WP-Authenticate-Account-c7e0ef84
I'm trying to implement "Act As" functionality for an ASP.NET application while at the same time using Windows Authentication and a custom role provider. Essentially what I want to be able to do is:
Use Windows Auth to get the current user's domain account to verify they are an approved domain user
Use a custom role provider to get permission information from a SQL Server database.
Implement functionality to allow the admins of the application to be able to "act as" another user, without requiring them to actually log into the application as that user.
The scenario I'm trying to fulfill is that an application admin is attempting to assist a user with a problem and clicks the "act as" button to act as that user and see the application as they would see it. So the Role Provider would need to understand that the current user is acting as someone else and get permissions information for that user instead of the current user.
My plan was to implement an impersonation feature that would delete the roles cookie and add a value to a session variable indicating that the user is currently impersonating another user. As the session is not populated at the time that authorization occurs, however, this isn't possible. I don't want to use cookies, as I don't want this to cause a potentially persistent state on the admin's machine (such that the admin couldn't open another window to the app and either act as another user or view their own data).
I can't find a good way (without cookies) to save the "Acting as user..." information given that the session is unavailable. I'd like to use the role provider, etc., so that I can leverage the built in security trimming in .NET. This all may simply be impossible, but I'm hoping someone out there has either tried this before or has a suggestion for something I can attempt to implement.
Thanks in advance!!
See my answer to a similar question here
The gist of it is:
The way I did this, which is admittedly a little crude, was to have an impersonation table in my database which contains the logon name of the user who is doing the impersonating and the logon of the user they wish to impersonate.
I added some override code so that when the user first goes to the page (it uses Windows authentication), it will check to see if that user has an impersonation set in the table and then place this user id in an object in the session state. If there was no impersonation, it would place the actual user id in this same object.
To prevent me from doing things to the user's data as them, there are two properties in this object, one for logon_name, which is what is used by the system for content-customization, and another called NameForLog, which is used when logging any actions. All actions I make will be logged as me.
All areas on the site that display user-customized content look at this session object, so they will always use the impersonated ID and therefore always show me what the user is seeing. Beyond the first page and the logging code, it doesn't even know that it is me it is dealing with.
For your scenario, you could implement a roles provider and override GetRolesForUser to return the roles for the impersonated user plus some role that will allow the impersonating user to access the impersonation functionality for the purposes of turning it off.
You could even return the impersonated user's roles with the impersonating user's roles in order to give the admin user access to all of their own features as well as the user they are impersonating, it all depends how much this would affect the usefulness of the feature in your particular scenario.
I have implemented something similar...though not exactly like your scenario but pretty close.
Admin Login (Has one role like Admin)
Then admin is redirected to "Select Client" Page. Admin can search Client by ID, Name, etc. From the list Admin selects a Client. I store the client ID in a cookie.
I have custom RolesProvider that calls my custom GetRoles(loggedinUserid);
The GetRoles(int loggedinUserId) method then determines the type of the user, i.e. whether it's Admin or non-admin. If it is admin, then fetch ClientID from the cookie. Pass loggedInUserID, typeOfUser and ClientId to the stored procedure, which will return all roles for the admin + all roles for that ClientId, and return them to the roles provider.
This way I have all my menu items for Admin available as well as the menus needed for ClientID.
Admin can go to "Select Client" page anytime and switch to another client. When they select a client, new ClientId will be stored in the cookie.
Now you have two options after this:
You can let the roles provider call this upon every request, or
Store the fetched roles in HttpCache and update this cache whenever ClientId is changed.
Hope this helps.
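A RoleProvider that follows the first answer's impersonation-table design and the GetRolesForUser override it suggests, with the role union discussed in both answers, as an added example that is not code from either answer. The tables Impersonation(AdminLogon, TargetLogon) and UserRoles(Logon, RoleName) and the connection string name AppDb are assumptions; the admin deliberately receives only the target's roles plus a marker role while acting.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Security;

public class ActAsRoleProvider : RoleProvider
{
    // Marker role: it only unlocks the "stop acting as" page, nothing else.
    public const string ImpersonatingRole = "Impersonating";
    private static readonly string Conn = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    public override string[] GetRolesForUser(string username)
    {
        // username is the DOMAIN\user that Windows authentication already verified.
        string target = Query("SELECT TargetLogon FROM Impersonation WHERE AdminLogon = @p", username).FirstOrDefault();
        if (target == null)
            return Query("SELECT RoleName FROM UserRoles WHERE Logon = @p", username).ToArray();

        // While acting, only the target's roles apply, so the admin sees exactly what the
        // user sees and cannot mix their own privileges into the impersonated session.
        var roles = new HashSet<string>(Query("SELECT RoleName FROM UserRoles WHERE Logon = @p", target), StringComparer.OrdinalIgnoreCase);
        roles.Add(ImpersonatingRole);
        return roles.ToArray();
    }

    public override bool IsUserInRole(string u, string r) { return GetRolesForUser(u).Contains(r, StringComparer.OrdinalIgnoreCase); }

    // Single-column query helper; the value is always bound as a parameter, never concatenated.
    private static List<string> Query(string sql, string param)
    {
        var rows = new List<string>();
        using (var cn = new SqlConnection(Conn))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.AddWithValue("@p", param);
            cn.Open();
            using (var rd = cmd.ExecuteReader())
                while (rd.Read()) rows.Add(rd.GetString(0));
        }
        return rows;
    }

    // Role administration is done elsewhere; the remaining abstract members are not supported.
    public override string ApplicationName { get; set; }
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool t) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string r, string m) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override bool RoleExists(string r) { throw new NotSupportedException(); }
}
```

Register it under <roleManager> with cacheRolesInCookie="false", so that inserting or deleting a row in the impersonation table takes effect on the admin's next request without any cookie state on their machine.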
If encryption is used via ProtectedData with the CurrentUser scope and I have a site using Forms auth (with a custom membership module; I don't think that will make a difference), will it work across several different web servers?
My guess would be that it would if the current user that is used is the User.Identity, 'cause that will be the logged in user, and will be the same on any web server.
The docs didn't seem to say anything about it working with ASP.NET.
The "current user" will be the user the ASP.NET application is running as (not the user accessing the site). Typically this is the ASPNET user account; however, it can be changed. You can verify this with the WindowsIdentity.GetCurrent() function.
Your other option is to use DataProtectionScope.LocalMachine to store it in the machine store instead (accessible from any account on the machine). While this may seem less secure, remember that if you are using an unprivileged account (like the ASPNET user) then anyone could write an app to run as that user and gain access to that user store.