Asp.Net 5 (vNext) - How to implement custom password verification etc - c#

I'm prototyping a web application using ASP.NET 5. The template project Visual Studio 2015 creates is useful, but it uses Entity Framework which I don't want to use. I already have my own logic for verifying passwords to login, create new users etc. using ADO.NET.
For example, the template project uses functions like SignInManager.PasswordSignInAsync(email, password, rememberMe, false), but I want to implement my own code for doing this, and I'm not sure where I can override this behaviour.
I suspect the config code in the Startup class needs to be changed; this code, for example:
services.AddIdentity<ApplicationUser, IdentityRole>().AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();
This looks like it is setting up the identity logic to use EF. I imagine I need to implement my own versions of IUserStore and other interfaces, but I'm not sure where to start and I can't find any examples of how to do this.
Thanks

First rule of security: DO NOT CREATE YOUR OWN SECURITY.
Do NOT write your own PASSWORD VERIFICATION.
Now that's out of the way.
You are allowed to write your own Identity Store.
Check out the official tutorial.
The basic premise is that you implement your own IUser<T> and an IUserStore<IUser<T>> that allows the .NET identity provider to access your storage. However, at the end of the day... there should be an ADO.NET Identity Store.
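The split the answer describes, an ADO.NET-backed store that persists users while the framework keeps doing the password verification, looks like this in ASP.NET Core Identity (the successor to the ASP.NET 5 / vNext naming in the question). This is an added example, not code from the question or from the official tutorial; the AppUser class, the AdoUserStore class, the Users table layout and the connection string are assumptions, and it targets Microsoft.AspNetCore.Identity with Microsoft.Data.SqlClient on .NET Core 3.0 or later (for `await using`).

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Data.SqlClient;

// Hypothetical user entity. The store persists whatever hash the framework hands it;
// it never sees or compares plaintext passwords.
public class AppUser
{
    public string Id { get; set; } = Guid.NewGuid().ToString();
    public string UserName { get; set; }
    public string NormalizedUserName { get; set; }
    public string PasswordHash { get; set; }
}

// Hypothetical ADO.NET-backed store; assumed table: Users(Id, UserName, NormalizedUserName, PasswordHash).
// Implementing IUserPasswordStore is what keeps SignInManager.PasswordSignInAsync working:
// UserManager loads the stored hash through this store and compares it with its own
// IPasswordHasher, so no custom password verification is written here.
public class AdoUserStore : IUserStore<AppUser>, IUserPasswordStore<AppUser>
{
    private const string Columns = "Id, UserName, NormalizedUserName, PasswordHash";
    private readonly string _cs;
    public AdoUserStore(string connectionString) => _cs = connectionString;

    // Accessors required by the interfaces; they only touch the in-memory entity.
    public Task<string> GetUserIdAsync(AppUser u, CancellationToken ct) => Task.FromResult(u.Id);
    public Task<string> GetUserNameAsync(AppUser u, CancellationToken ct) => Task.FromResult(u.UserName);
    public Task SetUserNameAsync(AppUser u, string v, CancellationToken ct) { u.UserName = v; return Task.CompletedTask; }
    public Task<string> GetNormalizedUserNameAsync(AppUser u, CancellationToken ct) => Task.FromResult(u.NormalizedUserName);
    public Task SetNormalizedUserNameAsync(AppUser u, string v, CancellationToken ct) { u.NormalizedUserName = v; return Task.CompletedTask; }
    public Task<string> GetPasswordHashAsync(AppUser u, CancellationToken ct) => Task.FromResult(u.PasswordHash);
    public Task SetPasswordHashAsync(AppUser u, string v, CancellationToken ct) { u.PasswordHash = v; return Task.CompletedTask; }
    public Task<bool> HasPasswordAsync(AppUser u, CancellationToken ct) => Task.FromResult(u.PasswordHash != null);

    public Task<AppUser> FindByIdAsync(string id, CancellationToken ct) =>
        QueryOneAsync($"SELECT {Columns} FROM Users WHERE Id = @v", id, ct);

    // Identity looks users up by the normalized name, so that column should carry a unique index.
    public Task<AppUser> FindByNameAsync(string normalizedName, CancellationToken ct) =>
        QueryOneAsync($"SELECT {Columns} FROM Users WHERE NormalizedUserName = @v", normalizedName, ct);

    public Task<IdentityResult> CreateAsync(AppUser u, CancellationToken ct) =>
        ExecAsync("INSERT INTO Users (Id, UserName, NormalizedUserName, PasswordHash) VALUES (@id, @name, @norm, @hash)", u, ct);

    public Task<IdentityResult> UpdateAsync(AppUser u, CancellationToken ct) =>
        ExecAsync("UPDATE Users SET UserName = @name, NormalizedUserName = @norm, PasswordHash = @hash WHERE Id = @id", u, ct);

    public Task<IdentityResult> DeleteAsync(AppUser u, CancellationToken ct) =>
        ExecAsync("DELETE FROM Users WHERE Id = @id", u, ct);

    public void Dispose() { }

    // Every value travels as a SqlParameter; user-controlled input is never concatenated into SQL text.
    private async Task<IdentityResult> ExecAsync(string sql, AppUser u, CancellationToken ct)
    {
        await using var conn = new SqlConnection(_cs);
        await conn.OpenAsync(ct);
        await using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.AddWithValue("@id", u.Id);
        cmd.Parameters.AddWithValue("@name", (object)u.UserName ?? DBNull.Value);
        cmd.Parameters.AddWithValue("@norm", (object)u.NormalizedUserName ?? DBNull.Value);
        cmd.Parameters.AddWithValue("@hash", (object)u.PasswordHash ?? DBNull.Value);
        await cmd.ExecuteNonQueryAsync(ct);
        return IdentityResult.Success;
    }

    private async Task<AppUser> QueryOneAsync(string sql, string value, CancellationToken ct)
    {
        await using var conn = new SqlConnection(_cs);
        await conn.OpenAsync(ct);
        await using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.AddWithValue("@v", value);
        await using var r = await cmd.ExecuteReaderAsync(ct);
        if (!await r.ReadAsync(ct)) return null;   // unknown user: UserManager reports a generic failure
        return new AppUser
        {
            Id = r.GetString(0),
            UserName = r.GetString(1),
            NormalizedUserName = r.GetString(2),
            PasswordHash = r.IsDBNull(3) ? null : r.GetString(3),
        };
    }
}

// Registration (Startup.ConfigureServices or Program.cs), replacing the AddEntityFrameworkStores line:
//   services.AddScoped<IUserStore<AppUser>>(_ => new AdoUserStore(connectionString));
//   services.AddIdentityCore<AppUser>().AddSignInManager().AddDefaultTokenProviders();
// SignInManager<AppUser>.PasswordSignInAsync then runs unchanged against the ADO.NET store.
```

The point to notice is that nothing in the store compares passwords: the hash column is opaque to it, and the framework's IPasswordHasher (PBKDF2 by default) both produces it on registration and verifies it on sign-in, which is exactly the "don't write your own password verification" advice with a custom store underneath.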

Related

Should I avoid using the built in ASP.NET identity mechanism?

I am trying to create an application that has the ability to create user accounts that have a wide range of permissions. I am currently using the built-in ASP.NET Core identity system, but I run into some problems for which I haven't found any solutions, or any clean solutions; these are explained later in the post. This has made me think of creating my own custom identity mechanism that will fit my needs.
The problems that I am facing are:
1. I am using MySQL as my db provider and upon creating the db tables I was thrown the following exception: "Specified key was too long: max key length is 3072 bytes". I managed to fix this issue by overriding the OnModelCreating method and manually changing the HasMaxLength value using the following code
modelBuilder.Entity<IdentityUserLogin>().Property(ul => ul.LoginProvider).HasMaxLength(36);
It's not beautiful but it gets the job done.
2. I want my users to be able to add multiple emails and multiple phone numbers to their accounts. The built-in ASP.NET Core identity creates an email and a phone number column in the users table. I know I can prevent it from creating those columns but I really don't believe that's the right solution. Basically what I need is to have a table related to the users table that will store the users' emails, and one for the phone numbers following the same pattern.
3. My application will have the ability to create dynamic fields and will also have the ability to give its users permissions related to those fields (ex. CanSee, CanEdit, CanDelete). The built-in Role authorization system doesn't fit my requirements and I have seen a lot of buzz surrounding the built-in Claims authorization system. I have actually read that the implementation of an authorization system that is pretty close to what I need is very complicated and very hard to maintain!
My question is, should I use the built-in ASP.NET Core identity system to achieve my goals even though I am facing such problems? Are there any solutions to my problems that I don't know about that would make my life easier while using the ASP.NET Core identity system? Should I create my own identity system, and if so, how difficult and potentially dangerous would such a system be?
You should use ASP.NET Identity and customize it.
You should treat claims as permissions. Claims are, at their base, authorized filters.
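Treating claims as permissions, for the third problem in the question (per-field CanSee/CanEdit/CanDelete on fields that are created at run time), can be done with a single authorization requirement and handler rather than one policy per field. This is an added example, not code from the question or the answer; the claim type "field-permission", the FieldPermissionRequirement and FieldPermissionHandler classes, the FieldsController and the "<field>:<action>" claim value layout are all assumptions, and it targets Microsoft.AspNetCore.Authorization and Microsoft.AspNetCore.Mvc.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical requirement: "does the caller hold <action> on <field>?" for a field that may
// have been created at run time, so no policy for it can be registered at startup.
public sealed class FieldPermissionRequirement : IAuthorizationRequirement
{
    public string Field { get; }
    public string Action { get; }      // CanSee, CanEdit or CanDelete
    public FieldPermissionRequirement(string field, string action) { Field = field; Action = action; }
}

// Permissions are issued as claims of type "field-permission" with value "<field>:<action>".
// The handler only ever calls Succeed: an absent claim leaves the requirement unmet, so the
// default outcome is deny, and another handler could still grant on a different basis.
public sealed class FieldPermissionHandler : AuthorizationHandler<FieldPermissionRequirement>
{
    public const string ClaimType = "field-permission";

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   FieldPermissionRequirement requirement)
    {
        if (context.User.HasClaim(ClaimType, $"{requirement.Field}:{requirement.Action}"))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }

    // Evaluates the handler directly, without a web host; true when the principal's claims grant the action.
    public static async Task<bool> IsAllowedAsync(ClaimsPrincipal user, string field, string action)
    {
        var requirement = new FieldPermissionRequirement(field, action);
        var ctx = new AuthorizationHandlerContext(new[] { requirement }, user, null);
        await new FieldPermissionHandler().HandleAsync(ctx);
        return ctx.HasSucceeded;
    }
}

// Wiring (Startup.ConfigureServices / Program.cs):
//   services.AddSingleton<IAuthorizationHandler, FieldPermissionHandler>();
//   services.AddAuthorization();
// The claims themselves are attached at sign-in, e.g. by an IUserClaimStore implementation
// or an IUserClaimsPrincipalFactory that maps a permissions table to Claim objects.

[ApiController]
[Route("fields")]
public class FieldsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public FieldsController(IAuthorizationService authz) => _authz = authz;

    // GET /fields/{name}: the field name is only known at request time, so the requirement
    // is built per request instead of naming a pre-registered policy with [Authorize(Policy = ...)].
    [HttpGet("{name}")]
    public async Task<IActionResult> Read(string name)
    {
        var result = await _authz.AuthorizeAsync(User, null, new FieldPermissionRequirement(name, "CanSee"));
        if (!result.Succeeded) return Forbid();
        return Ok(new { field = name });
    }
}

// Constructed sample principal: may see and edit "Salary" but holds no delete claim.
public static class Sample
{
    public static ClaimsPrincipal Principal() => new ClaimsPrincipal(new ClaimsIdentity(new[]
    {
        new Claim(FieldPermissionHandler.ClaimType, "Salary:CanSee"),
        new Claim(FieldPermissionHandler.ClaimType, "Salary:CanEdit"),
    }, "constructed"));

    // IsAllowedAsync(Principal(), "Salary", "CanEdit") is true; "Salary", "CanDelete" is false.
}
```

Because the decision is driven by claim values rather than role names, adding a new field or a new action means issuing a new claim, not touching the authorization code; and because the handler never calls Fail, a missing claim is simply a missing grant, which keeps the default secure.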

Add Identity after creating an MVC website in VS2015

When I create an MVC website in VS2015 I can select Individual Identity, so the project will come with all the Account stuff (like Login, Logout, [Authorize], ...).
The question is:
if I just created a new project choosing No Authentication,
and I wanted to add the Account stuff,
is there a way to do it automatically without the need to write everything from scratch? (especially the Authorize attribute and registering it in Principal)
And if not, what is the easiest way to do a simple login?
Thank you.
It can be done. If you're looking for Microsoft Identity, it's available as a NuGet package: https://www.nuget.org/packages/Microsoft.AspNet.Identity.Owin/
But be aware that installing it this way will not auto-generate all the stuff the project template does; you'll have to do some manual implementation. I recommend making a new site with Authentication and looking at it to see what's missing and needs to be added manually.

MVC - user name and password from my database

I am new to MVC and I need some assistance attaching my account details from my SQL database to the account controller.
When you create an MVC project you have the account settings all set up.
I have attached a database and would like to use my database to add/remove users.
How do I go about modifying the current account code to use my database users?
Thanks
Did you create your MVC project from a template? This is always a good place to start, I found. It gives you a nice road map to understand how MVC works. I have started from here on a number of projects and just built out from here.
Open a blank web project in VS, then go to the Package Manager and copy this line into the window: http://www.nuget.org/packages/Microsoft.AspNet.Identity.Samples/2.0.0-beta2
There are other templates like this. But this is a good place to start. It primarily deals with Authentication because of the Identity piece but it has the basic MVC bit in there that is quite simple.
One way is that you can add a field to the userViewModel. This also needs to be done for the ApplicationUser class and then these will bubble through to the tables.
I am not sure if this is what you want but it seems that you are using a template with authentication selected. If that is the case you will have ASP.NET Identity authentication and authorization as a built-in feature in your template. If you don't want to use that built-in authentication you can select None for authentication while creating the project and then you can implement your custom authentication in the project. For custom authentication you can follow the links below
http://www.dotnettricks.com/learn/mvc/custom-authentication-and-authorization-in-aspnet-mvc
https://www.codeproject.com/Articles/1111522/Custom-Authentication-and-Authorization-in-MVC

Difference between FormsAuthentication and WebSecurity

I am exploring the possibilities of ASP.NET MVC. In the example web application in Visual Studio, WebMatrix.WebData.WebSecurity is used for Membership (creating accounts, specifying that a user must be logged in to view a specific page, etc.). But after some searching I found that there is also a System.Web.Security.FormsAuthentication class that can be used for Membership.
Does anybody know the differences/pros and cons between these two classes? And when to use WebSecurity and when to use FormsAuthentication? (and maybe a clear example of FormsAuthentication)
Thanks in advance
WebSecurity was introduced in WebMatrix 2 and ASP.NET MVC 4. It relies on the SimpleMembershipProvider. Under the covers it uses FormsAuthentication to manage cookies. So I guess that if you are starting a new project you would opt for the new model if this model fits your needs. Bear in mind that the SimpleMembershipProvider exposes less functionality than the original provider.
The original membership provider uses the SqlMembershipProvider which in turn uses plain ADO.NET to query the database.
The SimpleMembershipProvider uses the new Database class introduced in WebMatrix to query the SQL database.
The main differences between old ASP.NET Membership provider and SimpleMembershipProvider are explained in this good article - http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
It is better to use SimpleMembershipProvider (WebMatrix.WebData.WebSecurity) than the old ASP.NET Membership Provider (or Universal Providers).

How do you implement an ASP.NET role provider?

I've got a few top-level questions about ASP.NET Membership and Role providers. I've done some searching but am having a hard time finding some layman tutorials. I have been coding in ASP.NET for a while now but the only real experience I have with authentication is the use of FormsAuthentication.SetAuthCookie(usernameFromDatabase, false);
When I use the SetAuthCookie() method above am I using the ASP.NET Membership Provider? Correct me if I'm wrong please but I don't think I am. I am just setting an authentication cookie right? I usually implement my own custom methods in my data repositories like GetUser_ByUsername(string username) which then talks to the ORM and gets the right user.
Do the Membership and Role Providers have their own data storage?
What if I want to use my own data storage?
Do I need to implement my own membership/role provider, and how would one go about doing that?
Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?
I'm just looking for a brief tutorial/explanation of this system. If you have any good references for me to look at I will happily take a look :)
Implementing a membership provider is not too hard. Note that you only need to implement the methods that you plan to actually use. The membership provider should be viewed as a means to interact with your user information from an authentication perspective. It won't create the auth cookie for you; you do that after a successful call to the ValidateUser method on the provider. It will allow you to develop an application against the provider interface and easily change which provider you want to use via configuration rather than rewriting the application code. I've successfully implemented several different membership providers, using my own schema, which support built-in and hybrid built-in/Active Directory authentication. More info available via the links below:
Article: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
Sample Implementation Description: http://msdn.microsoft.com/en-us/library/44w5aswa.aspx
Sample Code: http://msdn.microsoft.com/en-us/library/6tc47t75.aspx
SetAuthCookie() works with the Forms Authentication framework within ASP.NET which you can then adapt for integration with a membership provider.
Do the Membership and Role Providers have their own data storage?
They can, yes. There is an abstract implementation that you can subclass for your specific data needs. There is a SqlMembershipProvider you can use right out of the box, you just need a database to point to and create the needed tables. There is quite a bit of information on that class, like here or here.
What if I want to use my own data storage?
The SqlMembershipProvider does, but check out this alternative MySQL framework if you're interested in seeing how another DBMS does it.
Do I need to implement my own membership/role provider, and how would one go about doing that?
Using the built-in ones is pretty easy, but a lot of shops roll their own so that they can use existing tables. You'll need to implement this class.
Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?
In all likelihood you'll need a stronger system, and a custom membership provider is a good idea.
1 - Yes, if you use the built in membership/role providers they use tables created either in a separate database or an existing one. You use the tool aspnet_regsql.exe to create these tables - it walks you through a wizard. Alternatively, it can also be called from the command-line with different arguments in order to skip the wizard. This is some info from MS about creating the necessary DB/tables within your DB.
2 - You can do that, but you have to implement a custom membership provider, which isn't really difficult. Here and here are some tutorials.
3 - You don't necessarily need to unless you either want to use your own data stores or you need functionality from it that isn't present in the built-in providers.
4 - I would say you're better off using the built-in functionality ASP.NET provides for membership and roles.
