I have the requirement to setup authentication and authorization on a WCF Service, right now the service is created and working but no authentication.
There is also the need to authenticate existing users and passwords that are being stored in a SQL database and are already used by another web application, but since I do not have the source code for it, and being still adjusting do .NET I am having some dificulties.
I can read the database and found several aspnet_ tables in the database such as aspnet_Users, aspnet_Roles etc that so far seem to match with the ones used in the web application.
My question is how can I easily implement authentication and method authorization using the existing database.
Please note that I do not have access to the web-application source code.
Thanks.
MVC uses the standard ASP.Net membership provider. If you click the Log On button/register link - you can add a user. ASP.Net will create App_Data\ASPNETDB.MDF containing the membership information. You can move ASPNETDB.MDF to a remote DB server, but you must use the Membership provider schema/DB (unless you write your own provider).
A few MVC links to get you started.
http://www.asp.net/mvc/tutorials/older-versions/security/authenticating-users-with-forms-authentication-vb
http://weblogs.asp.net/fredriknormen/archive/2007/11/25/asp-net-mvc-framework-security.aspx
http://blog.wekeroad.com/blog/aspnet-mvc-securing-your-controller-actions/
The default authentication/authorization configuration added use ASP.NET standard membership and role manager service provider( the local SQL Express one). If your existing database(for user login) is also ASP.NET standard sql membership database, you can simply change the connection string of the membership section. Otherwise, you might need to create a custom membership provider which uses your own database tables for user authentication.
Implementing a Membership Provider
http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
Building Custom Providers for ASP.NET 2.0 Membership
http://msdn.microsoft.com/en-us/library/aa479048.aspx
Really no easy way to achieve your requirements. Here is the library you can use and follow stricktly steps described in this blog to setup authentication with SQL Membership provider for WCF services.
In my case I did small update to the library. I've commented out line of code
//if (!IsAnonymousAllowed)
Related
-> I want to use Identity server 4 as a central token generator for some clients.
-> Here my problem is I have implemented Identity server 4 with the help of docs, in the docs the IS4 is using its own database for users to login.
-> Can someone explain the way to connect to my own users database for login and token generation. (I'm using the latest version of IS4 and .net core).
Thanks in advance :)
Note:
I have tried all the things from docs
-> http://docs.identityserver.io/en/latest/quickstarts/8_aspnet_identity.html
The AccountController is a starting point for you to adapt to suit your own requirements.
This template uses ASP.NET Core Identity for user management.
Your choices are
Migrate your users to use the Identity's table structure
Provide a custom storage provider to ASP.Net Identity that uses your existing user tables (Custom Storage Provider)
Implement your own user management\storage service and change AccountController to use it
If you have a custom database you want to connect to, you can implement the IProfileService. IdentityServer4 uses an instance of that interface to collect user details. Docs: click
Just like "Log in with StackExchange", I expect that StackExchange have a custom membership provider to be used for many applications.
I have many web applications, subjected to extend and i would like to have one database and a shared membership application to handle Login, Registration, profile and Role-based membership management.
After some research, I also found that using a WCF Service to handle this implementation would be a good idea.
I am just trying to get a feel of it before I go ahead with any application, and if there is any open source projects or even resources, I would prefer not to reinvent the wheel.
Could anyone tell me how could it be implemented?
There are several options available to you - the ASP.NET Membership Provider connected to a shared membership database, WCF Authentication Services, or OAuth.
ASP.NET Membership Provider
This doesn't have to be a custom membership provider - the standard SqlMembershipProvider model will cover your requirements, as long as each site can access the shared database. See here : http://msdn.microsoft.com/en-us/library/ms731049%28v=vs.110%29.aspx
WCF Authentication Services
If connecting to a shared database is not an option, then yes, WCF Authentication Services are available to you. WCF already gives you lots of pre-built code, so you wouldn't be reinventing the wheel. See here for specific code examples:
Walkthrough: Using ASP.NET Application Services
How to: Enable the WCF Authentication Service
How to: Customize User Login When Using the WCF Authentication Service
How to: Use Non-default Membership Provider for WCF Authentication Service
How to: Customize the Authentication Cookie from the WCF Authentication Service
OAuth
OAuth is a big topic, and a big opinion splitter. Have a read of this introductory article on MSDN. You may also want to consider a pre-built .NET OAuth library - see this one : http://oauth.net/code/
I have created a WCF service that is used for authentication. It uses an asp.net SQL membership provider for the accounts.I need a way for the client application to be able to register an account, change password ETC. The way I had originally planned and have started doing was basically interfacing the code within the service by creating matching methods that I could call from the client.
For instance to create the user I would create a method that has all the needed parameters and then within the code body I would access the membership provider so the client could just pass the details into it. So it is all actually done from within the same project/service.
Now that I have started I have began to wonder if I can access the sql membership provider directly from the client so I don't have to waste my time and interface the code.
If so could anyone point me in the right direction on how exactly I create an instance of the sql membership provider in another project so I can access it?
Microsoft has a standard framework that is targeted at what you're trying to do, it's called Client Application Services. There's a walkthrough on the MSDN site
I have built an internal Database for Clients. Its C# with an MS-SQL DB. I have integrated the ASP Website SQL Server and the Internal SQL Server to use the one database. Both the Website and the Internal Database are working.
I want to be able to automatically register a client to use the webpage once they have become a Client in my Internal Database. Using ASP (I am learning still) I see there is a membership provider and it seems to do all the validation and so on. Passwords are all handled and encrypted etc..
What would be the best way to add a user to the SQL Tables but keep the security and so on? Can I create a membership provider in my DB Client when adding a Client and use that to create the Clients Login to the Web Page?
I am using the default ASP .NET Web Application Template in VS 2010. The ASP Site is all standard config from the template.
Thanks!
You should call the methods on the membership provider. Don't get into the specifics of how the membership provider is working, the whole point of the provider model is that you can swap out the default SQL one for any other implementation.
If you look at the MembershipProvider base class (http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.aspx) you can see the list of methods that it provides. You will need to call Membership.CreateUser() as part of your custom registration process, it has several overloads to choose between.
Looking at the default SQL Config and stored proceedures, we can use these.
See this.
The sample code by Chris Pels is excellent for helping with this solution. Thanks Chris!
I am designing an N-Layer system in .NET that will consist of
SQL Server 2008
EF 4
Repository Layer
Service Layer(Business Logic)
On top of this I will have:
ASP.NET MVC website
external API to be consumed by other clients(built with WCF or ServceStack.NET)
I would like to implement the typical username/password auth within the MVC app as well as OpenID/twitter/facebook login options
The api will need similar forms of authentication.
Where in the architecture is the best place to implement the authentication and are any samples available of how to implement something like this with a .NET Stack?
Is a custom Membership provider an option for this?
I realize that there are libraries available to implement the openID portion so that is not a concern at the moment but I would like to leave things open to add this in the future.
Suggestions?
Authentication should be done at the user facing point: MVC website and the WCF service.
In each point, use the appropriate authentication/authorization mechanism.
MVC website: forms authentication (or windows authentication etc.)
WCF service: (what method will you be taking, API key, user/name password on every request, secure key, auth cookie etc.)
For each point, call the service layer with the credentials used by the requestor (user) and validate it against your database (in the service layer).
The service layer should return valid/invalid for the credentials given to it.
If it's invalid, have your website or webservice reject any further actions from the user and inform them that it's not valid.
If it's valid, have your MVC website create the auth cookie (FormsAuthentication.SetAuthCookie) and your WCF service do the appropriate action for the authentication mechanism you chose.
Keep your service layer agnostic of the authentication. It should only respond with whether or not a set of credentials is valid and your front-facing layers should take care of setting the authentication tickets.
For Open ID/Twitter/Facebook logins, all the information needed is on the web app (via the login source cookies), so use that to setup your website's auth cookie.
A basic architecture would be to use the asp.net membership api for your service and web apps calling into the same membership database. Then use an impersonated user to connect to SQL Server.
You can then write custom membership providers for the other auth mechanisms or incorporate them all into one membership provider.
Sorry had to write this as another answer as didn't have enough space in the comments.
Configure the membership provider at the IIS level and use the OOTB SQL membership provider to get basic authentication working.
You can then write a custom membership the repository layer will be running in the context of the web application either web service or asp.net site so your authentication information will be in the httpcontext, you can then use that to connect through to your database or use an impersonated account i.e. the app pool user to connect instead.
You can then write a custom membership provider that authenticates against the other providers if you like and just swap out the standard SQL one for your custom one.
As an addition to Omar's answer:
You could also use a Facade Pattern which handles the authorization and is used by both the WCF and MVC code and provides the API to the business layer.
A rule of thumb is: Put authorization at one single point and let the auth-logic be handled by the client(s). Don't spread it over your service layer!