I'm currently converting our company database application from VB to ASP.NET. This is pretty much my first ASP.NET application, and I had a question about security. I would like some users to have the ability to add or edit data, while other users can only view and print reports. Now, as I understand it, in ASP.NET, I can use form-based authentication to restrict access to certain pages, but what I really would like to do is use the same web page for not only viewing the data, but also editing it (using a grid view). I don't see how I can do that using forms-based authentication without having separate (but similar) web pages in different folders, each with it's own level of security.
I guess I could always use the same web page, then check the users roles to determine if I should enable the 'edit' button or not. Is that a good (and common) programming practice?
Thanks
Checking the role membership is an accepted way of doing it. Do not however just check when you display the button, check during the response to the event it triggers as well, just in case someone tries to bypass event validation.
User.IsInRole() is what you need. As mentioned, check this at each step - users can fake any kind of HTTP response, so every server-side method needs security checks.
Don't just check whether to enable or or not... You must also check it when the edit button is clicked.
I would implement my own custom RoleProvider (MSDN Article). And then have different roles that describe the different access levels on your application, and like blowdart said check when buttons, panels are being diplayed whether the user has access or not to that resource.
Can I recommend using monitoring SQL Profiler (or similar) when you are testing the page if you are using a database? You'll be surprised the amount of calls the db gets for a seemingly trivial page load.
Also, please check security trimmings in ASP.NET. Worth having a look.
Cheers.
Related
I have a simple yet not so easy question. (So, I suppose)
I have a current DurandalJS application in production. I am generating my views using C# Razor syntax. So, I am still using my controller to pass the HTML to the client. Rather complicated to get setup using routes/areas/etc but it has been working.
I am using server side for only one real reason. (other then validation, but we can ignore that for now as I am sure model validation has improved and there are ways to handle this now)
Lets say I have a button. And I only want to show that button on the screen if the user is an admin. Now, of course I can use KnockoutJs (or Auelia/Angular/whatever) to find out the users roles and "hide" the button. But as far as I know, the button is still inside the HTML? (it is in Durandal, not sure if the newer libraries handle this different). So, currently I use server code to do the check then the HTML gets rendered without the button.
Knowing how many people use SPA type libraries, what are most of you doing for simple use cases like this?
Oh, yes, on the server for the return API call, we would have security anyway, so assuming someone activated the button it would not work anyway, I simply do not want my users ever seeing it.
I want to make a application for customers.
It should contain :
1.Login page
2.Page for simple users
3.Page for administrators
I've found on google a lot of examples but 90% of examples have 20+ pages with some a lot of advanced things and I can't handle reading everything from them.
I just want to make a simple login page , and use 'user role' for the page where user is redirected and 'administrator role' for the page where administrator is redirected.
When I'll finish the page I will public it on a webhosting , and the main problem is that I need user roles,pass,name in a database in asp not on a website .
Is there any easy example to follow ?
Thanks
For a long time I had the same problem - most examples have you create the default schema which has a crazy number of tables.
The simplest example I have found is:
How to: Implement Simple Forms Authentication
It doesn't deal with the persistence layer at all, so it is really simple to adapt as you see fit.
I'm building a basic web application in ASP.NET 4.0 with C# in Visual Studio 2010 Pro. I'm still very new to C#, and am used to Delphi coding. My website already has registration/login, and although I use some asp.net controls, a majority of my pages are dynamically loaded from my SQL database and I manually compile the HTML code from C# and insert it into the document.
Now what I would like to do is implement a poll - or a vote box - an 'object' which can be re-used in different pages. My website's master page already has a permanent left panel which has things which show on every page. One of these will be a small box with a vote of a few questions.
All I need to know is how do I begin to build an independent plugin control for a web page like this? I don't necessarily mean a separate DLL or anything, my existing one can handle everything. But I'd like to re-use the same little voting box in different pages too. So I'm assuming this will be considered a separate page, in a way, which is probably about 120 pixels wide by 80 high. Each vote will be limited to either login account or ip address (which I already have access to). So this solution must interact with the existing asp.net application.
So how do I begin the 'backbone' of such a plugin which can be re-used in multiple pages? I do not plan on distributing this plugin, and I don't even know if this is the correct term for what I need. Just a 'box' which can be 're-used' on multiple pages - which must interact with the asp.net app.
To better explain what I mean, imagine how Facebook has the plugin where you can embed some general info about likes and such. I'd like to make my own box like this - and even be able to embed it in other websites.
It sounds like you just need to make the poll into a user control. The documentation should get you started with them. A control can access everything an ASP.NET page can when it comes to the login information. It won't handle embedding into other pages though – embeddable active content that authenticates against your site is a nontrivial problem.
As I said in the comment, if most of your HTML is creates as a blob that's opaque to ASP.NET, it will probably be nontrivial to insert a user control into the middle of it.
I'm in early phase of building a RIA with ExtJS and ASP.NET MVC.
Users in the system will have numerous different user rights that restrict which elements are visible and what actions user can make.
For example in the user managment section, only superuser should be able to promote user to 'admin' status. So the 'add admin status' -button shouldn't be visible to users who are not superusers.
What would be the best way to dynamically create (or parse) the ExtJS components at the server side with the right composition of elements depending on users rights? These components would then be loaded to the viewport via AJAX-requests.
The example was very minimalistic, but I hope you get my drift. The real life situations are (of course) far more compex and I'd like to find a solution that's intuitive and maintainable.
Why not just use standard logic in the page to exclude buttons etc. from the UI? On the server side you already know what the user's entitled to do. Is there really a reason to use AJAX requests to conditionally populate the UI? IMO such population should only occur as a result of user actions (e.g. expand a tree node).
I am doing "forgotpassword functionality" in asp.net
My forgotpassword.aspx page consists of a username, security question, security answer, new password,retype password and a submit button.
When I click on the "forgotpassword" link at the previous page, it should prompt me about the security question and when I enter the answer at the security answer textbox, the control should take those two (security quesion and security answer) to the backend (database) and validate that the security answer is correct. It should reply with a boolean value. Then the next 'new password' and 'retype password' should get activated.
By means the operation of going back to database should occur when the control comes out of the security answer textbox. In windows forms we can use the 'leave' event (ex:textbox1_leave) but in web forms we don't have that.
If the solution is to use javascript, please give me the step by step process to handle the aspx (source page) and also the .cs file coding
you could use microsofts membershipprovider interfaces. you just have to implement it for your own requirements (database structure).
just have a look at http://www.asp.net/learn/security-videos/ there you can watch a lot of helpful videos for understanding and implementing membership and role providers.
it helped me also to implement my first membershipprovider.
this link might be also usefull http://weblogs.asp.net/scottgu/archive/2006/05/07/ASP.NET-2.0-Membership-and-Roles-Tutorial-Series.aspx
as soon as you have finished, you can use all microsoft login controls.
good luck
There is a forgot password component in ASP.NET 2.0 - just use that and configure it.
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.resetpassword.aspx
http://www.asp.net/web-forms/tutorials/security/admin/recovering-and-changing-passwords-cs