This is my first project in WPF. My goal is to build a template project that can be duplicated and reused again.
The goal is to build a Central Dashboard with permissions for each page/element in the application, with a login form.
For login and access to different elements of the app, I would like to assign each page a permission_id in the code. Then I want those permissions given to roles and the roles given to user_id.
I have attached an image of the database tables.
Here are my questions:
Q1: How can I link the tables in the database together?
Q2: What is the safest method to connect to a MySQL database in WPF?
Q3: What would I need to do to show online users to everyone logged into the app?
Q1: Not really sure what you mean, the tables are linked already.
Q2: The safest method would be to create an API and have your WPF app consume that. Accessing the database directly from WPF app is not a good idea, since you're giving your connection string away.
Q3: It'd also be in your API logic, but the simplest way I think is simply to track users that make requests and store them in-memory. These "tokens" would need to have some expiry date and refreshing mechanism, and you'd have to remove users whose tokens have expired from the list.
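The in-memory "online users" list described in that answer, as an added example (not the answerer's code): it assumes the API has already validated the caller's token to a user id, uses a sliding timeout, and removes stale entries atomically so a request arriving mid-sweep is not dropped.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;

// Server-side (API) presence tracker: a user is "online" while their last
// authenticated request is younger than the timeout.
public sealed class PresenceTracker
{
    private readonly ConcurrentDictionary<string, DateTime> _lastSeen =
        new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);
    private readonly TimeSpan _timeout;

    public PresenceTracker(TimeSpan timeout) { _timeout = timeout; }

    // Sliding expiry: every request made with a valid token refreshes the stamp.
    public void Touch(string userId, DateTime utcNow)
    {
        _lastSeen[userId] = utcNow;
    }

    // Explicit logout removes the user at once instead of waiting for expiry.
    public void Remove(string userId)
    {
        DateTime ignored;
        _lastSeen.TryRemove(userId, out ignored);
    }

    // Returns the users seen inside the window and evicts expired ones so the
    // dictionary cannot grow without bound. The ICollection.Remove overload only
    // removes the pair if the stamp is still the stale one we inspected, so a
    // concurrent Touch() is never lost.
    public IList<string> GetOnlineUsers(DateTime utcNow)
    {
        DateTime cutoff = utcNow - _timeout;
        var asCollection = (ICollection<KeyValuePair<string, DateTime>>)_lastSeen;
        foreach (var entry in _lastSeen.ToArray())
        {
            if (entry.Value < cutoff) asCollection.Remove(entry);
        }
        return _lastSeen.Keys.OrderBy(k => k, StringComparer.Ordinal).ToList();
    }
}

// Constructed usage with a 5 minute window:
//   var t0 = DateTime.UtcNow; var tracker = new PresenceTracker(TimeSpan.FromMinutes(5));
//   tracker.Touch("alice", t0); tracker.Touch("bob", t0.AddMinutes(4));
//   tracker.GetOnlineUsers(t0.AddMinutes(6));   // ["bob"]; alice expired
```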
I am working with an ASP.NET MVC application. In this application I am wanting to update some data fields on the record just written - including the userID of the person responsible for the change. The problem is that I don't know how to find out who has changed the record.
I have used CURRENT_USER in my script but that always returns the current SQL Server security user - in this case "dbo" as that is the user that ASP.NET MVC connects to the database with. This would mean that all changes were made by the same user. If I can get the AspNetUser record ID then I'll be okay.
Any ideas? Do I need to find a way to add unique users for all web logins? That is not mentioned anywhere, so I suspect that it's not expected.
Thanks
From a SQL Server perspective the "user" of the database is your MVC application, not a user logged in to your web application. The only way to change this is to create database logins for all web application users, but I wouldn't recommend this approach.
IMHO it is best to move the mentioned functionality from SQL Server triggers to your data access layer (in .NET, your "repositories" or whatever data access pattern you are using).
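What moving the audit stamp into the data access layer looks like, as an added example rather than the answerer's code. It assumes ASP.NET Identity (the AspNetUsers table the question mentions, hence the Microsoft.AspNet.Identity GetUserId() extension) and a constructed dbo.Orders table with ModifiedBy/ModifiedAt columns.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using Microsoft.AspNet.Identity; // GetUserId(): assumes ASP.NET Identity is in use

// Repository that writes the audit columns itself. The SQL login stays the shared
// application login ("dbo"); the *web* user is captured from the request principal.
public sealed class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString) { _connectionString = connectionString; }

    // Constructed schema: dbo.Orders(Id int, Status nvarchar(50),
    //                                ModifiedBy nvarchar(128), ModifiedAt datetime2)
    public int UpdateStatus(int orderId, string newStatus, IPrincipal caller)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("An authenticated web user is required for the audit stamp.");

        string userId = caller.Identity.GetUserId(); // AspNetUsers.Id, not CURRENT_USER

        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = conn.CreateCommand())
        {
            // Parameterised: the user id and status never become part of the SQL text.
            cmd.CommandText =
                "UPDATE dbo.Orders SET Status = @Status, ModifiedBy = @ModifiedBy, " +
                "ModifiedAt = SYSUTCDATETIME() WHERE Id = @Id";
            cmd.Parameters.Add("@Status", SqlDbType.NVarChar, 50).Value = newStatus;
            cmd.Parameters.Add("@ModifiedBy", SqlDbType.NVarChar, 128).Value = userId;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = orderId;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 0 means no such order
        }
    }
}

// Inside a controller action, Controller.User is the request's IPrincipal:
//   _orders.UpdateStatus(id, "Shipped", User);
```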
The Problem
I'm an ASP.NET newb who has been given the task of creating a multi-user password management system for use within a secure intranet. Essentially the user will be automatically logged in via windows authentication, which will then provide them with an appropriate view depending on their group. For example, a user of group 'admin' would be able to access all password entries, and a user of group developers would be able to access all password entries belonging to users in the 'Developers' active directory group. Users should be able to create, update, and hide (delete) password entries.
What I have so far
So far I have essentially been figuring out what will and will not be impossible, and researching technologies. Windows authentication itself appears to be easy, however it breaks when I enable the role provider, which appears to be necessary for providing different views for users. By 'breaks' I mean specific users are still recognized, but entire groups are not.
The different views must be automatically served, and I have come up with two techniques to do this:
1. Checking the role (group) on the home controller, and serving the appropriate view. This would require a long list of messy 'if' statements, however.
2. Serve a common view and allow or disallow viewing certain elements according to group. This would require putting a lot of logic in a view, which is as I understand inappropriate.
There will be a password.cs model class which will hold all information on a password entry including which groups should have access to it. I can't really think of any other necessary models, as the user information would not need to be stored.
Security concerns
I understand that storing such sensitive data in a single location could be a recipe for disaster. Passwords will be appropriately encrypted using pre-existing libraries which I have access to. I will have help with this area. Also, passwords will not be viewable as plain text on the system to avoid shoulder-surfing, but will be displayed as asterisks and will be copyable to the user's clipboard.
My questions
Essentially I would like some advice on how to structure the system and the most simple ways to enable active directory authorization with windows authentication. I would like some advice on how to provide the appropriate view for the user, and how the different areas should fit together. I am not expressly asking for any help with the password security side of things, but any insight or discussion would be warmly welcomed. Essentially, I would very much appreciate any help, links to tutorials, or suggested readings.
My tools
At my disposal I have Visual Studio Professional 2010, MVC 4.0 and .NET Framework 4.0, and standard (non-admin) access to the server.
I will be able to give experimental code which I currently have in place tomorrow (It's 22:30 GMT, I'll be back in the office tomorrow morning). Let me know if you need any more information.
I have implemented two solutions where I had to integrate MVC with Active Directory. There are multiple solutions (e.g. Security Application Block from Enterprise Library). However, I ended up using AzMan and the RoleManagerAzManProvider. I ended up with this combination because I did not need to deploy any additional libraries.
I started with this article: http://msdn.microsoft.com/en-us/library/ff649313.aspx
Even though it is written for ASP.NET, I was able to use it for MVC. I placed my XML Local Policy Store underneath app_data and configured the web.config:
<add name="LocalPolicyStore" connectionString="msxml://~/app_data/MyPolicyStore.xml" />
This worked out nicely for me because the Policy Store allowed me to define Application Roles and, when deployed at my client, map those roles to AD Accounts.
After that, I implemented a custom Authorize Attribute that I registered in the Global filters. This is where I made the decision which page the user would be redirected when they logged into the app. Finally, I used the standard Authorize Attribute on controllers based on group names.
I have thought about writing a set of Custom Editor Templates and Display Templates that would take roles into account so that I can render different UI for controls based on the User's application role (render a span instead of input).
Although your application is probably already written, I hope this helps.
Chuck
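A custom Authorize attribute plus a table-driven landing page, as an added example illustrating this answer (not Chuck's code, and AzMan-independent: it relies only on the Windows principal IIS supplies). One point worth seeing in code: with Windows authentication the stock attribute answers "authenticated but wrong group" with a 401, which re-prompts the user for credentials, so this version returns 403 instead. The group names are constructed placeholders.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// ASP.NET MVC 4 authorize filter for a Windows-authenticated intranet app.
public sealed class AdGroupAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        IPrincipalHolder user = filterContext.HttpContext;
        if (user.User != null && user.User.Identity.IsAuthenticated)
        {
            // Known user, missing group: 403, not another credential challenge.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext); // anonymous: normal 401
    }
}

// Landing page chosen from an ordered table instead of a chain of if-statements.
// Most privileged group first, because the first match wins.
public class HomeController : Controller
{
    private static readonly KeyValuePair<string, string>[] LandingByRole =
    {
        new KeyValuePair<string, string>(@"DOMAIN\PasswordAdmins", "Admin"),
        new KeyValuePair<string, string>(@"DOMAIN\Developers", "Developer"),
    };

    [AdGroupAuthorize] // any authenticated domain user may reach the dispatcher
    public ActionResult Index()
    {
        foreach (var entry in LandingByRole)
        {
            if (User.IsInRole(entry.Key)) return RedirectToAction(entry.Value);
        }
        return new HttpStatusCodeResult(403); // authenticated, but in no mapped group
    }

    // The Roles check is still enforced per action; the redirect above is only routing.
    [AdGroupAuthorize(Roles = @"DOMAIN\PasswordAdmins")]
    public ActionResult Admin() { return View(); }

    [AdGroupAuthorize(Roles = @"DOMAIN\Developers,DOMAIN\PasswordAdmins")]
    public ActionResult Developer() { return View(); }
}
```

The `IPrincipalHolder` alias above is only a readability name for `HttpContextBase`; if you paste this in, use `HttpContextBase user = filterContext.HttpContext;` directly.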
I have a WPF application and a SQL Server database with a Users table. Every user has its own row including hashed password and role in Users table.
I need to let them authenticate in my application and keep some kind of credentials, including role. Based on that role, they will see only what they should see.
Can you give me some clue how to accomplish it? What is the best way to keep those credentials and hide parts of my application based on user's role?
Thanks for any help, JiKra
Ok, I was thinking, and how about using a singleton? User authenticates, I grab his role from database, instantiate a singleton, set his credentials and use them in my app.
Is that correct? Is it the easiest way to do that?
JiKra
The "functional model" as you call it can be based on the MembershipProvider/RoleProvider APIs. There's a tutorial video by Todd Miranda:
http://windowsclient.net/learn/video.aspx?v=293710
What the tutorial lacks is where you should store the information so that it's available for the other parts of the application. The answer is simple - since you have the stateful application, you can store the information in a shared (static) resource in a class.
Please also be aware of a potential security risk, I've added a comment under your question.
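The "shared (static) resource" from this answer, written out as an added example (not the answerer's code) for the WPF case described in the question: a static session holder built on GenericPrincipal, so the standard IsInRole API works, plus a value converter that collapses XAML elements the current role may not see. Password hash verification and the database read are assumed to have happened before SignIn is called.

```csharp
using System;
using System.Globalization;
using System.Security.Principal;
using System.Threading;
using System.Windows;
using System.Windows.Data;

// Process-wide holder for the signed-in user; the WPF app is stateful, so one
// static instance is enough. Starts out as an anonymous principal.
public static class AppSession
{
    private static IPrincipal _current = Anonymous();

    public static IPrincipal Current { get { return _current; } }

    // Call after the password hash from the Users table has been verified.
    public static void SignIn(string userName, params string[] roles)
    {
        var principal = new GenericPrincipal(new GenericIdentity(userName, "UsersTable"), roles);
        _current = principal;
        Thread.CurrentPrincipal = principal; // UI thread: IsInRole/PrincipalPermission work too
    }

    public static void SignOut()
    {
        _current = Anonymous();
        Thread.CurrentPrincipal = _current;
    }

    // Anonymous users are never in any role, even if a role list were attached.
    public static bool IsInRole(string role)
    {
        return _current.Identity.IsAuthenticated && _current.IsInRole(role);
    }

    private static IPrincipal Anonymous()
    {
        return new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}

// XAML (local: is the assumed namespace of these classes; windows are built after login):
//   Visibility="{Binding Source={x:Static local:AppSession.Current},
//                Converter={StaticResource RoleVis}, ConverterParameter=Admin}"
// Collapsing a control shapes the UI only; the data layer must still check the role.
public sealed class RoleToVisibilityConverter : IValueConverter
{
    public object Convert(object value, Type targetType, object parameter, CultureInfo culture)
    {
        return AppSession.IsInRole(parameter as string) ? Visibility.Visible : Visibility.Collapsed;
    }

    public object ConvertBack(object value, Type targetType, object parameter, CultureInfo culture)
    {
        throw new NotSupportedException();
    }
}
```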
Now that my project is almost finished I am trying to implement the login and security.
I have a table in my database with all the users in it.
Next to the normal login and password columns I also have 7 booleans.
Those booleans represent the categories (folders) which the users may access or not.
After the user logs in I put the record (user) in my session.
So depending on those booleans I will display tabs in my masterpage.
But how do I implement the security measures which redirect the user back to the login when they aren't logged in yet or when they don't have the proper rights to be on that page?
Somebody told me to add some code in the global.asax but I have no experience with it. I have no idea how to start and it seems like I can't find any examples on the internet.
ASP.NET Membership sounds like what you need. No point writing something from scratch when your chosen Framework will already handle it for you, right?
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
I have a simple .NET 3.5 app for changing some database fields using an ODBCDataSet. Now the Feature Creep is asking if I can hide or show tabs and other controls based on the user's database permissions.
Ideally, I would like to control the permissions only on the SQL Server using Windows user groups, and the app would not have any built-in authentication or permission system--it simply uses the logged-in user's Windows account for the database connection. So thus it would have to "test" the permissions to determine whether or not to show the tabs for the user. For example, if they have "write" permissions to a certain table, then the tab for editing it would be visible; if not, the tab never loads for them.
That's really the part I need help with: how can I list or test the user's permissions to the ODBCDataSet?
Are you opposed to having your app aware of the Windows user groups? Generally we use AD groups all the time for security like you speak of on both the database AND in the .NET code. Showing/hiding features is exactly the point. Additionally, even if for some reason they manage to get the feature to show, the database additionally checks their role and can prevent actions.
Personally, I think checking the role membership in .NET code is the easiest solution (you can do this with the IsInRole method).
However, if there are reasons why you cannot or do not want to have the app aware of group names, in case they change, I understand. There's probably not an ODBC method of checking, as any method would most likely be proprietary and/or database dependent (SQL Server, etc.)... other than that, you'd have to write code to attempt an insert/update command on a known test record and see if it comes back with an SqlException I guess.
You could always Try/Catch the call to the DB. This would authenticate the user to the DB, then create a Stored Procedure to return all tables accessible.
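For the SQL Server case specifically, there is a way to ask the server about the connected Windows user's rights without attempting a write: the built-in HAS_PERMS_BY_NAME function. This added example (not either answerer's code) queries it through the same ODBC connection the question's app already uses; the table name and connection string are constructed placeholders, and as the answers above say, the grant on the database remains the real control, the UI check only decides whether to load the tab.

```csharp
using System;
using System.Data.Odbc;

// Asks SQL Server whether the *connected* principal (the logged-in Windows account
// when the ODBC DSN uses Trusted_Connection=yes) holds a permission on an object.
// HAS_PERMS_BY_NAME is SQL Server specific; other backends need their own query.
public static class TablePermissions
{
    // permission: "SELECT", "INSERT", "UPDATE", "DELETE", ...  objectName: "dbo.Customers"
    // Returns true only when the server reports the permission as granted.
    public static bool CurrentUserHas(string connectionString, string objectName, string permission)
    {
        using (var conn = new OdbcConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            // ODBC parameters are positional '?' markers; names stay out of the SQL text.
            cmd.CommandText = "SELECT HAS_PERMS_BY_NAME(?, 'OBJECT', ?)";
            cmd.Parameters.Add("@obj", OdbcType.NVarChar, 256).Value = objectName;
            cmd.Parameters.Add("@perm", OdbcType.NVarChar, 128).Value = permission;
            conn.Open();
            object result = cmd.ExecuteScalar();
            // 1 = granted, 0 = not granted, NULL = object missing or not visible to this user;
            // the last two both mean "do not show the tab".
            return result != null && result != DBNull.Value && Convert.ToInt32(result) == 1;
        }
    }
}

// Constructed usage in the form's Load handler:
//   string cs = "Driver={SQL Server};Server=DBHOST;Database=AppDb;Trusted_Connection=yes;";
//   editCustomersTab.Visible = TablePermissions.CurrentUserHas(cs, "dbo.Customers", "UPDATE");
```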