I am developing a web application with ASP.NET MVC.
I need to authorize users in two different ways now, so I had to adjust some things in my Controllers.
One of the things was to change the annotation of the Controller from
[Authorize] to [AllowAnonymous].
The reason why I need two different ways to authorize my users is that some of the users will use a different kind of authorization.
What is the best solution for this?
I would like to have some kind of config file that I will look up before the start.
Create an action filter and try to implement your authorization logic (two different kinds of authorization).
Related
I have to build a Web-Application using ASP.NET MVC. It has to serve different customers, each customer accesses the Page via another domain. With this domain the Application is supposed to load the customer specific data. It also has to provide a login mechanism.
I'm familiar with JSF, there I would solve this problem via webfilters.
Does ASP.NET MVC provide something similar to webfilters or is there an even better solution to solve this problem?
I really wish there was a tutorial or an example that addresses this problem, but after hours of googling I could not find anything. I'm probably searching with the wrong keywords, but I don't know what mechanisms like this are called.
There are several ways of doing this; for example, you could use routing (Is it possible to make an ASP.NET MVC route based on a subdomain?), but I would simply go with getting the username from the URL.
var user = Request.Url.Host.Split('.')[0];
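Since `Request.Url.Host` comes from the client-supplied Host header, the following added example (not part of the original answer) matches the whole host name against a list of known customer domains instead of trusting its first label. `TenantResolver`, the domain names and the customer ids are hypothetical, constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class TenantResolver
{
    // Constructed sample data; a real application would load this from
    // configuration or a database. All names are hypothetical.
    private static readonly Dictionary<string, string> KnownHosts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "shop.customer-a.example", "customer-a" },
            { "www.customer-b.example",  "customer-b" },
        };

    // True only when the whole host name is a registered customer domain.
    public static bool TryResolve(Uri requestUrl, out string customerId)
    {
        customerId = null;
        if (requestUrl == null || requestUrl.HostNameType != UriHostNameType.Dns)
            return false;                             // rejects IP literals

        string host = requestUrl.Host.TrimEnd('.');   // Uri.Host carries no port
        return KnownHosts.TryGetValue(host, out customerId);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed request URLs. In a controller, pass Request.Url and
        // return HttpNotFound() when TryResolve is false.
        string[] samples =
        {
            "http://shop.customer-a.example/cart",
            "http://SHOP.Customer-A.example:8080/",
            "http://customer-a.unknown.example/",  // first label alone reads "customer-a"
            "http://10.0.0.5/",
        };
        foreach (string url in samples)
        {
            string id;
            bool ok = TenantResolver.TryResolve(new Uri(url), out id);
            Console.WriteLine("{0} -> {1}", url, ok ? id : "rejected");
        }
    }
}
```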
I am building a website with ASP.NET MVC 4. I am using basic role management. What I want to do is give access to any URL based on the user's role. I was thinking we could do this via a custom filter, because I don't want to write a Role attribute on each action.
So what I think is that I am going to define role-based URLs in the database, and then on the OnActionExecuted event I want to check whether the requested URL is allowed for the current user or not. Is this possible?
While it is possible, I will not do it, for the following reasons:
OnActionExecuting event is pretty early in application execution pipeline. Doing heavy operations that involve going to the database should be avoided.
As your application grows, it could create a maintenance problem. Hundreds of users, hundreds of links, # roles, etc.
I feel like I might be going down the wrong route here, and was hoping someone would be able to do a little course correcting!
I'm creating a web app which uses Windows Authentication. However, I wish to assign custom claims/roles to specific Windows users, which I'm planning on storing in a SQL database.
I thought a way to do this would be to enable Windows Authentication in the web.config of my app, but to add an AuthenticationManager from WIF which can add custom claims (which come directly from the database) to the principal/identity. Then an AuthorizationManager would handle authorization to specific controller actions.
The problem I'm having right now is that my Authentication and AuthorizationManagers aren't being called. I'm not sure what I'm missing (they're registered in the web.config), but I suspect maybe it's because I'm using Windows Authentication...? Additionally, my Authorize attributes aren't calling the AuthorizationManager, possibly because I need to create a new attribute.
Is this a viable route to go down, or should I be looking at creating a custom RoleProvider instead?
The ClaimsAuthenticationManager is not called automatically - the FAM calls it.
That said - you can call it yourself, e.g. in Post_AuthenticateRequest and then set a cookie using the SAM. That's totally doable.
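The manual call described in the answer above, as an added example that is not the answerer's code: a `ClaimsAuthenticationManager` that adds role claims to a Windows user, invoked from `Application_PostAuthenticateRequest`. `DbClaimsAuthenticationManager`, the in-memory role table standing in for the SQL lookup, and the user name are assumptions; the manager is assumed to be registered in web.config as in the question.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.Security.Claims;
using System.Threading;
using System.Web;

public class DbClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Constructed stand-in for the SQL lookup described in the question.
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "Admin", "Reports" } },
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        string name = incomingPrincipal.Identity.Name;
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, name) };

        // A user with no row gets no role claims, so role checks fail closed.
        string[] roles;
        if (RolesByUser.TryGetValue(name, out roles))
            foreach (string role in roles)
                claims.Add(new Claim(ClaimTypes.Role, role));

        // New identity holding only the application's claims.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "WindowsWithDbRoles"));
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest()
    {
        ClaimsPrincipal current = ClaimsPrincipal.Current;
        if (current == null || !current.Identity.IsAuthenticated) return;

        ClaimsAuthenticationManager manager = FederatedAuthentication
            .FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager;
        ClaimsPrincipal transformed = manager.Authenticate(Request.RawUrl, current);

        Thread.CurrentPrincipal = transformed;    // keep both principals in sync
        HttpContext.Current.User = transformed;
    }
}
```

This runs the lookup on every request; caching the transformed principal in a SAM session cookie, as the answer mentions, is not shown here.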
I want to control access to certain pages of my app by cookie. But I want to coordinate this from only one place. I thought of putting a check in Layout.cshtml, i.e. that way all pages that use this layout will do it automatically. Is that good?
Edit: Security for this app is not a concern.
You're violating one of the core principles of MVC – never put real logic in a view.
Instead, you should create an ActionFilter.
You should also figure out how to secure the cookie; you should probably use ASP.NET's existing membership system.
No, it's not good because cookies can be manipulated easily by anyone.
Why don't you want to use the normal Authentication and Authorization techniques that are already available?
Using cookies for controlling access to pages does NOT sound like a good idea. You will have to create a way to secure the cookie, which isn't easy. Without that, your authentication will be easy to spoof.
I would recommend that you use the built-in authentication and authorization mechanisms for MVC 4, which are well tested and built for this purpose. Here is one article to get you started.
Using the [Authorize] and [AllowAnonymous] attributes of MVC4, you can be quite flexible when restricting parts of your site to authorized users.
I've posted a more lengthy example using the above-mentioned attributes as an answer to another SO question.
You should use the Authorize attribute on your controllers/pages instead of cookies, and restrict the pages to certain roles and assign users to roles.
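For the case where a custom cookie is kept anyway, the ActionFilter and the "secure the cookie" advice from the answers above can be combined as in this added example (not code from any of the answers). It uses `MachineKey.Protect`/`Unprotect` from .NET 4.5 so that a modified cookie value is rejected; the attribute name, cookie name and purpose string are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Register once in FilterConfig with filters.Add(new RequireAccessCookieAttribute())
// so the check lives in one place instead of in the layout view.
public sealed class RequireAccessCookieAttribute : ActionFilterAttribute
{
    private const string CookieName = "page-access";           // assumed name
    private const string Purpose = "RequireAccessCookie.v1";   // ties the value to this use

    // Called when access is granted: the value is encrypted and signed
    // with the application's machine key.
    public static HttpCookie Issue(string userName)
    {
        byte[] raw = Encoding.UTF8.GetBytes(userName);
        string value = HttpServerUtility.UrlTokenEncode(MachineKey.Protect(raw, Purpose));
        return new HttpCookie(CookieName, value) { HttpOnly = true, Secure = true };
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpCookie cookie = filterContext.HttpContext.Request.Cookies[CookieName];
        if (cookie == null || !IsValid(cookie.Value))
            filterContext.Result = new HttpUnauthorizedResult();  // fail closed
    }

    private static bool IsValid(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        try
        {
            byte[] data = HttpServerUtility.UrlTokenDecode(value);
            if (data == null || data.Length == 0) return false;
            MachineKey.Unprotect(data, Purpose);   // throws if the value was altered
            return true;
        }
        catch (CryptographicException) { return false; }
        catch (FormatException) { return false; }
    }
}
```

The protected value is tamper-evident but carries no expiry and can be replayed as long as the machine key is unchanged; the built-in forms authentication ticket recommended in the answers handles expiry for you.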
I'm trying to make an application that can host multiple ecommerce front ends, so I need to figure out how to route all requests to one class which then parses templates and handles all output.
So my question is then how do I route all requests to one class?
In PHP I would use mod_rewrite and have all requests go to index.php and add "main = new MainClass();", but I have no idea how to achieve this with ASP.NET.
The MVC framework isn't what I'm looking for, since I will host several domains with one system.
It sounds like what you want is an HttpModule. (Sorry for the Google link, but there's a lot about this out there and I'm not sure which is the best resource for you.)
Essentially, what an HttpModule does is intercept requests between the web server (IIS) and the application (ASP.NET).
You can use the Route class to register route handlers for all of the routes you define. Basically, you would create one instance of an implementation of IRouteHandler (or different instances of the same type) for all the permutations of the urls on your site.
Also, it should be said that the following statement that you made is misguided:
"The MVC framework isn't what I'm looking for, since I will host several domains with one system."
Any problems or limitations you would run into hosting several domains in one system with MVC will be apparent in ASP.NET as well; MVC sits on top of ASP.NET, not separate from it.