MVC User Management by Admin User - c#

I'm trying to get my head round MVC and want to add admin authorised user administration on the site. (i.e. The user can CRUD users of the ApplicationUser class.)
I'm sure this must be in the framework already somewhere - it seems too vanilla to have to roll my own - but I can't find it.
Have googled to no avail, probably because I'm using the wrong terminology. Can anyone point me in the right direction for decent documentation on how to do this?
(The site will be closed, with no public registration - I need the Admin to be able to create new users, edit them, assign roles etc.)

ASP.NET Boilerplate has Module Zero, which provides user and role management. There is also an article that may interest you here.

Related

How to only allow admin users to create accounts in an ASP.NET core (with individual authentication) project?

I'm creating a website using ASP.NET core with MVC where a few people will have accounts to manage a database. Since anonymous users will be able to view the website, I don't want them to be allowed to create accounts and mess stuff up. I'm not sure if adding the [Authorize(policy)] attribute to the create account page is possible since the ASP.NET core template hides the page that I need to add it to. Is there a way I could do it? Now that I'm thinking about it, does individual authentication even allow you to do such a thing?
Before you say this is a duplicate question, I've looked through previous answers only to find that they just add [Authorize] to the create account page, which I said I'm fairly certain I can't do. Unless there is something I missed, of course.
Take a step back and think about what you are saying. You want to enforce authorization on anonymous users. Does that make sense to you? How can you authorize someone you don't know?
If you don't want anyone to be able to create accounts, your action simply cannot be exposed to anonymous users. You should remove the code generated by the template or at the very least, hide it behind an authorization scheme like the other answers have suggested.
That leaves you with the problem of how to create a user when the page to create a user cannot be accessed. I've dealt with this in a couple of ways in the past:
Create a user with admin rights programmatically (if it doesn't already exist) on application start. This user is authorized to access a page within the app (usually an admin panel on a separate Area) where he/she can create other users. You use this account to grant access to other accounts and assign proper roles as needed. OR,
Have the application check for initialization on start up and if it hasn't done it before, show a workflow that allows you to create an admin account (kind of like a first time installation step). Once created, you use it the same way as in option 1.
In both cases, you will be applying the Authorize attribute to your controllers and/or actions as desired and will need an "admin" facility where users with proper rights can manage things.
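Option 1 from the answer above, as an added example in ASP.NET Core Identity (not code from any poster): an Admin role and account are seeded at startup from configuration, and the template's hidden Register page is locked behind an admin-only policy by Razor Pages convention rather than by editing the page. The Seed:* configuration keys, the AdminOnly policy name and the Program.cs lines shown as comments are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class AdminSeeder
{
    public const string AdminRole = "Admin";

    // Runs once at startup. Credentials come from configuration (user secrets or
    // environment), never from source; the "Seed:*" keys are assumed names.
    public static async Task SeedAsync(IServiceProvider services, IConfiguration config)
    {
        var roles = services.GetRequiredService<RoleManager<IdentityRole>>();
        var users = services.GetRequiredService<UserManager<IdentityUser>>();
        if (!await roles.RoleExistsAsync(AdminRole))
            await roles.CreateAsync(new IdentityRole(AdminRole));

        var userName = config["Seed:AdminUserName"] ?? "admin";
        if (await users.FindByNameAsync(userName) != null)
            return; // already initialised on an earlier start

        // Fail closed: no configured password means no admin account is created.
        var password = config["Seed:AdminPassword"]
            ?? throw new InvalidOperationException("Seed:AdminPassword is not set");
        var admin = new IdentityUser { UserName = userName, EmailConfirmed = true };
        var result = await users.CreateAsync(admin, password);
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors.Select(e => e.Description)));
        await users.AddToRoleAsync(admin, AdminRole);
    }
}

// Program.cs (assumed wiring): the template's Register page lives in the Identity
// area, so a page convention can require the admin policy for it without the page
// being visible in the project, and the seeder runs inside a DI scope at startup.
// builder.Services.AddAuthorization(o => o.AddPolicy("AdminOnly", p => p.RequireRole(AdminSeeder.AdminRole)));
// builder.Services.AddRazorPages(o => o.Conventions.AuthorizeAreaPage("Identity", "/Account/Register", "AdminOnly"));
// using (var scope = app.Services.CreateScope())
//     await AdminSeeder.SeedAsync(scope.ServiceProvider, app.Configuration);
```

The admin area's own controllers then carry [Authorize(Roles = AdminSeeder.AdminRole)] and use UserManager to create, edit and assign roles to the remaining users.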

How To: Active Directory authentication / aspnet identity authorization

I've found a lot of information about this subject; however, not much in the way of how to implement my specific scenario. Unfortunately, my company's AD is half-pregnant, so to speak. The users are there, but that's about it.
I'm creating an intranet and obviously need to authenticate users which I'll use Windows Authentication to do so. However, since my AD does not contain any of the additional information typically used in an intranet (hierarchy of users, meaning managers and departments associated with each employee, etc.), I wanted to use Identity to satisfy that need. And although we do utilize AD Groups, it's painfully difficult to get that setup and want to use Identity for role based authorization instead of AD.
Although fairly new to Identity, it's easy enough to figure out, and Windows Auth is easy to implement.
What I'm missing is the know-how to marry the two together.
So my scenario is - Authenticate the users with Windows Authentication. Once authenticated, switch over to Identity for role-based authorization (claims?) and any other meta-data (such as user information or application specific data).
I've seen this question asked, but not sure if it really is that simple or is there more to it. And I'm not sure if it really fits my scenario. And this question seems to be exactly what I'm asking, but no responses. Finally, this question seems even closer to what I'm asking, albeit using the Membership Provider. I'm guessing this may be the way with Identity as well?
So, in my instance, I'm using Windows Authentication and so I will not have a login form or action (strict requirement to NOT have users enter username/password - it should be seamless). In the case of an employee going to the intranet for the first time, they authenticate with AD, but then how would I save that user to the Identity store? Would it make sense to send new users (employees that have never been to the intranet before) to a Register page after they've been authenticated through AD to ensure there's an associated record in Identity? I could then, as part of the registration process, have them select their department and manager. After they register, a human-based validation process would have to happen to ensure the user selected the correct department and manager, but that's the least of my worries right now.
Recommendations, links, or just some simple guidance would be appreciated. Thank You!

Authenticating against active directory with windows authentication, and providing group-dependent views

The Problem
I'm an ASP.NET newb who has been given the task of creating a multi-user password management system for use within a secure intranet. Essentially the user will be automatically logged in via windows authentication, which will then provide them with an appropriate view depending on their group. For example, a user of group 'admin' would be able to access all password entries, and a user of group developers would be able to access all password entries belonging to users in the 'Developers' active directory group. Users should be able to create, update, and hide (delete) password entries.
What I have so far
So far I have essentially been figuring out what will and will not be impossible, and researching technologies. Windows authentication itself appears to be easy, however it breaks when I enable the role provider, which appears to be necessary for providing different views for users. By 'breaks' I mean specific users are still recognized, but entire groups are not.
The different views must be automatically served, and I have come up with two techniques to do this:
Checking the role (group) on the home controller, and serving the appropriate view. This would require a long list of messy 'if' statements, however.
Serve a common view and allow or disallow viewing certain elements according to group. This would require putting a lot of logic in a view, which is as I understand inappropriate.
There will be a password.cs model class which will hold all information on a password entry including which groups should have access to it. I can't really think of any other necessary models, as the user information would not need to be stored.
Security concerns
I understand that storing such sensitive data in a single location could be a recipe for disaster. Passwords will be appropriately encrypted using pre-existing libraries which I have access to. I will have help with this area. Also, passwords will not be viewable as plain text on the system to avoid shoulder-surfing, but will be displayed as asterisks and will be copyable to the user's clipboard.
My questions
Essentially I would like some advice on how to structure the system and the most simple ways to enable active directory authorization with windows authentication. I would like some advice on how to provide the appropriate view for the user, and how the different areas should fit together. I am not expressly asking for any help with the password security side of things, but any insight or discussion would be warmly welcomed. Essentially, I would very much appreciate any help, links to tutorials, or suggested readings.
My tools
At my disposal I have Visual Studio Professional 2010, MVC 4.0 and .NET framework 4.0, and standard (non-admin) access to the server.
I will be able to give experimental code which I currently have in place tomorrow (It's 22:30 GMT, I'll be back in the office tomorrow morning). Let me know if you need any more information.
I have implemented two solutions where I had to integrate MVC with Active X Directory. There are multiple solutions (e.g. Security Application Block from Enterprise Library). However, I ended up using AzMan and the RoleManagerAzManProvider. I ended up with this combination because I did not need to deploy any additional libraries.
I started with this article: [http://msdn.microsoft.com/en-us/library/ff649313.aspx][1]
Even though it is written for ASP.NET, I was able to use it for MVC. I placed my XML Local Policy Store underneath app_data and configured the web config
<add name="LocalPolicyStore" connectionString="msxml://~/app_data/MyPolicyStore.xml" />
This worked out nicely for me because the Policy Store allowed me to define Application Roles and, when deployed at my client, map those roles to AD Accounts.
After that, I implemented a custom Authorize Attribute that I registered in the Global filters. This is where I made the decision which page the user would be redirected to when they logged into the app. Finally, I used the standard Authorize Attribute on controllers based on group names.
I have thought about writing a set of Custom Editor Templates and Display Templates that would take roles into account so that I can render different UI for controls based on the User's application role (render a span instead of input).
Although your application is probably already written, I hope this helps.
Chuck
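For the password-management question above, an added example (neither Chuck's AzMan setup nor the asker's code) of the plain Windows-authentication route on MVC 4 / C# 4: the WindowsPrincipal already answers IsInRole for AD groups, so entries are filtered server-side per group without enabling a role provider, and one common view is served to everyone. The group names, the PasswordEntry model and IPasswordRepository are assumptions, and constructor injection assumes a DependencyResolver is registered.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Model for one entry; the group names and the repository are assumed.
public class PasswordEntry
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string EncryptedSecret { get; set; } // ciphertext only, never the plaintext
    public bool Hidden { get; set; }            // "delete" is a soft hide
    public List<string> AllowedGroups { get; set; } // AD group names, e.g. @"CORP\Developers"
}
public interface IPasswordRepository { IEnumerable<PasswordEntry> All(); PasswordEntry Find(int id); }

public static class EntryAccess
{
    public const string AdminGroup = @"CORP\PasswordAdmins"; // assumed AD group
    // Under Windows authentication User is already a WindowsPrincipal carrying the
    // AD groups, so IsInRole works without a role provider. Filtering here replaces
    // both the if-chain in the controller and the group logic in the view.
    public static bool CanView(IPrincipal user, PasswordEntry e)
    {
        if (e.Hidden) return false;
        return user.IsInRole(AdminGroup) || e.AllowedGroups.Any(user.IsInRole);
    }
}

[Authorize] // Windows auth: anonymous requests are rejected before any action runs
public class PasswordsController : Controller
{
    private readonly IPasswordRepository _repo;
    public PasswordsController(IPasswordRepository repo) { _repo = repo; }
    // One common view for everyone; the server decides which entries it contains.
    public ActionResult Index()
    {
        var visible = _repo.All().Where(e => EntryAccess.CanView(User, e)).ToList();
        return View(visible);
    }
    public ActionResult Details(int id)
    {
        var entry = _repo.Find(id);
        // Same response for missing and forbidden, so ids cannot be probed.
        if (entry == null || !EntryAccess.CanView(User, entry)) return HttpNotFound();
        return View(entry);
    }
    [Authorize(Roles = EntryAccess.AdminGroup)] // group gate on top of the per-entry filter
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Hide(int id)
    {
        var entry = _repo.Find(id);
        if (entry != null) entry.Hidden = true;
        return RedirectToAction("Index");
    }
}
```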

MVC 3 Membership and Authorization

I am developing an MVC3 application and I have gotten to the point where I need to start securing out different areas of the intranet site to particular users.
The site is being used on the intranet and uses windows authentication for login.
Within the database I have a users table which contains numerous fields that determine the user's role. This is maintained in the admin area of the site.
Certain users will have the ability to access the admin area, some users will only have the ability to read certain areas of the site but not contribute, etc etc. There are some complicated business rules.
I am looking for how to secure out different areas. I have read a good few articles around using the authorize attribute on controllers for particular groups. This doesn't seem to be a good fit: as I understand it, I would have to control what users are in what groups from within the configuration of the application, whereas the admin users of the application should be the ones controlling this via the application itself.
Any suggestions are welcome.
If you are mainly concerned about managing users, ASP.NET does a great job of this with their built-in Web Application Administration Tool. On the top-right of the Solution Explorer, to the right of the refresh button, is a hammer-and-earth tool that you can click on. It allows you to manage users and roles, and from there you can assign the users to roles. Perhaps your admins can use this.
This tells you how:
http://www.asp.net/mvc/tutorials/mvc-music-store/mvc-music-store-part-7
As far as having to put authorize attributes on the controllers/methods, I don't see any way around that. Let me know if I have misunderstood your question.
Assign users to roles and use AuthorizeAttribute.

Security: Handle Multiple User Rights

Now that my project is almost finished I am trying to implement the login and security.
I got a table in my database with all the users in it.
Next to the normal login and password columns I also got 7 booleans.
Those booleans represent the categories(folders) which the users may access or not.
After the user logs in I put the record (user) in my session.
So depending on those booleans I will display tabs in my masterpage.
But how do I implement the security measures which redirect the user back to the login when they aren't logged in yet or when they don't have the proper rights to be on that page?
Somebody told me to add some code in the global.asax but I have no experience with it. I have no idea how to start, and it seems like I can't find any examples on the internet.
ASP.NET Membership sounds like what you need. No point writing something from scratch when your chosen Framework will already handle it for you, right?
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
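For both the MVC 3 question (roles kept in the application's own users table and edited in its admin area) and the seven-boolean rights question above, an added example (not from any answer) of a read-only RoleProvider that derives role names from the flag columns, so the built-in Forms authentication redirect and [Authorize(Roles = ...)] or per-folder <authorization> rules do the enforcement without listing users in web.config. The UserRightsRow columns, IUserRightsStore and the role names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Assumed shape of the existing users row: one flag per category (folder).
public class UserRightsRow
{
    public string UserName { get; set; }
    public bool Finance { get; set; }
    public bool Hr { get; set; }
    public bool Admin { get; set; } // ...plus the remaining category flags
}
public interface IUserRightsStore { UserRightsRow Find(string userName); } // assumed data access

// Read-only RoleProvider: roles come from the flags the site's own admin area
// maintains, so no per-user role configuration lives in web.config.
public class FlagRoleProvider : RoleProvider
{
    private static readonly Dictionary<string, Func<UserRightsRow, bool>> Map =
        new Dictionary<string, Func<UserRightsRow, bool>>(StringComparer.OrdinalIgnoreCase)
        { { "Finance", r => r.Finance }, { "HR", r => r.Hr }, { "Admin", r => r.Admin } };

    public static IUserRightsStore Store; // assumed: assigned once in Application_Start

    public override string[] GetRolesForUser(string username)
    {
        var row = Store.Find(username);
        if (row == null) return new string[0]; // unknown user gets no rights
        return Map.Where(kv => kv.Value(row)).Select(kv => kv.Key).ToArray();
    }
    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }
    public override string[] GetAllRoles() { return Map.Keys.ToArray(); }
    public override bool RoleExists(string roleName) { return Map.ContainsKey(roleName); }
    public override string ApplicationName { get; set; }

    // Role membership is edited in the admin area, not through the provider API.
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
}
// web.config: <roleManager enabled="true" defaultProvider="FlagRoleProvider"><providers><add name="FlagRoleProvider" type="FlagRoleProvider"/></providers></roleManager>
// Then <authorization> rules per folder (or [Authorize(Roles = "Finance")] in MVC) send unauthenticated users to the login page.
```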
