Role based access to url in asp.net mvc - c#

I am building a website with asp.net mvc 4. I am using basic role management. The thing I want to do is give access to any URL based on the user's role. I was thinking we could do this via a custom filter, because I don't want to write a Role attribute on each action.
So what I think is I am going to define role-based URLs in the database, and then in the OnActionExecuted event I want to check whether the requested URL is allowed for the current user or not. Is this possible?

While it is possible, I will not do it for the following reasons:
OnActionExecuting event is pretty early in the application execution pipeline. Doing heavy operations that involve going to the database should be avoided.
As your application grows, it could create a maintenance problem. Hundreds of users, hundreds of links, # roles, etc.
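
An added example, not part of the original question or answer: one way to keep a role-to-URL table in the database without a query on every request is a single global authorization filter with a cached map. The class name, cache key, loader delegate and sample rows are hypothetical. Rules are keyed on the routed controller/action rather than the raw URL, since several URLs can reach the same action.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Caching;   // requires a reference to System.Runtime.Caching
using System.Web;
using System.Web.Mvc;

// Register once at startup: GlobalFilters.Filters.Add(new UrlRoleAuthorizeAttribute());
public class UrlRoleAuthorizeAttribute : AuthorizeAttribute
{
    private const string CacheKey = "UrlRoleMap";   // hypothetical cache key
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);

    // Hypothetical loader: replace with the real query against the role/URL table.
    // Keys are "controller/action"; values are the roles allowed to call that action.
    public static Func<IDictionary<string, string[]>> LoadRoleMap = () =>
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reports/Index", new[] { "Manager", "Admin" } },   // constructed sample rows
            { "Users/Delete",  new[] { "Admin" } }
        };

    private static IDictionary<string, string[]> RoleMap()
    {
        var map = MemoryCache.Default.Get(CacheKey) as IDictionary<string, string[]>;
        if (map == null)
        {
            map = LoadRoleMap();   // the database is hit at most once per CacheTtl
            MemoryCache.Default.Set(CacheKey, map, DateTimeOffset.UtcNow.Add(CacheTtl));
        }
        return map;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check requires an authenticated user.
        if (!base.AuthorizeCore(httpContext)) return false;

        // Read the target from route data; no per-request state is kept on the
        // attribute, because a global filter instance is shared across requests.
        var route = httpContext.Request.RequestContext.RouteData;
        var key = route.GetRequiredString("controller") + "/" + route.GetRequiredString("action");

        string[] allowed;
        if (!RoleMap().TryGetValue(key, out allowed)) return false;   // no row: deny by default
        return allowed.Any(role => httpContext.User.IsInRole(role));
    }
}
```

Actions marked [AllowAnonymous] (login, error pages) are skipped by the base AuthorizeAttribute in MVC 4, so they need no row in the table.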

Related

How do I register an account on my MVC 5 Web App without using the form or webpage?

I have made a new project using the ASP.NET Web Application template in Visual Studio 2015. Then I selected MVC and Individual User Accounts to specify the template further. The solution I got is complete in that it offers me all the web pages you need for account management such as registering and logging in.
However, now I want to hook in a Xamarin.Forms mobile client to this account management scheme. I am making a native UI to register users, instead of redirecting them to a webpage or webview. I want to send user registration data, such as username and password, from this UI to the server so it will create an account. This means that I don't want to use the webpages offered by my MVC app, but rather send the registration data to the server and have it create an account, notifying me of success or failure.
I am anticipating that I would need to either use HTTP POSTs to login and registration endpoints in the AccountController or implement a public API. However, doing a post will return a webpage, and my client is not interested in a webpage.
I think one of the above should be possible to implement quite easily, but I am having a hard time searching for answers or methods, since I don't know how to phrase my problem properly, and with the abundance of guides on MVC, all my results are muddied.
Is my idea of this being possible flawed or have I missed a fundamental concept of MVC? What are the steps I should take in order to make this possible?
One misconception is that doing a POST will return a webpage. You can return any type of content from an MVC controller. But your account registration endpoints should be Web API controllers that return JSON. That JSON can be as simple as containing a boolean that indicates if the action was successful or not.
You do not need to use MVC at all. You can completely do away with the account controllers and views that the template created for you. Just copy the code that you need from the MVC controllers into your Web API methods.
You're right, this is quite easy to do.
I think you can use ASP.NET Web API for doing this task. On the server, you host your API for registering the users as well as logging into some client application.
Now, you need to consume this API in a client application. The client application could be a Console application, Windows application or a Web application. There are lots of tutorials about making a Web API on the official ASP.NET site.

Custom authorization in asp.net web api

I have a project which uses both Web Api and MVC. The authentication is handled by FormsAuthentication, which creates a cookie containing some data regarding the user.
I have extended System.Web.Mvc.AuthorizeAttribute and added it to every MVC controller. What it does is extend AuthorizeCore and check the content of the cookie, which is my own extension of IPrincipal, for whether the user currently has limited access.
I would like to do a similar check for calls to my Web Api, so I have made an extension for System.Web.Http.AuthorizeAttribute which overrides the IsAuthorized method.
In this method I would like to make the same check as for the controller, but I don't know how to get the information from the cookie or if this is even the proper way to do this.
In general using cookie authentication in web api is not recommended.
The reason is that cookies are handled well only in browsers. The whole concept of web api is to allow other clients (native clients, JavaScript ...) to use it as well.
If you are sure that your server is going to be accessed from a browser only, maybe you should move your api actions to the MVC project (it could return json / xml as well). This way you will not have to deal with those kinds of issues.
For web api I would recommend using token based authentication.

ASP.NET MVC4: How to redirect to setup-like page after fresh installation of web app?

I'm building a quite complex web application for data visualization and messaging that is going to be installed on many servers. The SQL database it depends on gets partially filled by another application that runs on the server, but some tables which are needed by the web application itself are not generated automatically, so I build a check-up into the constructor of my EF DbContext. It verifies that the needed tables exist in the database and creates them in case they are not present.
That works quite well. Now I want to check these tables for the existence of some entries that are needed for correct operation. If these values do not exist, I want the user (any user) to be redirected to some kind of setup page, where the fundamental settings of the web app can be configured. You can think of it to be quite similar to these typical installation procedures you get when you browse to a freshly installed TYPO3 or Wordpress on a webserver, where you can set the basic settings.
Now I was wondering what would be the best practice to do it: should I create a "flag", some static bool in global.asax.cs (maybe something like needsSetup), that I check in the default controller and then conditionally redirect to the setup view? Or can/should this be done with some kind of filter? Or are there better ways to do it?
Thanks in advance for your help on that!
You can create a base controller and override the OnActionExecuting method, where you will check if the system is ready and, if not, redirect to your setup action. Here is a similar post: How to redirect from OnActionExecuting in Base Controller? Inherit all controllers (except the Setup one) from that base class and you will get what you want.

Controlling access to pages by cookies

I want to control access to certain pages of my app by cookie. But I want to coordinate this from only one place. I thought of putting a check in Layout.cshtml, i.e. that way all pages that use this Layout will do it automatically. Is that good?
Edit: Security for this app is not a concern.
You're violating one of the core principles of MVC – never put real logic in a view.
Instead, you should create an ActionFilter.
You should also figure out how to secure the cookie; you should probably use ASP.Net's existing membership system.
No, it's not good because cookies can be manipulated easily by anyone.
Why don't you want to use the normal Authentication and Authorization techniques that are already available?
Using cookies for controlling access to pages does NOT sound like a good idea. You will have to create a way to secure the cookie, which isn't easy. Without that, your authentication will be easy to spoof.
I would recommend that you use the built in authentication and authorization mechanisms for MVC 4, which is well tested and built for this purpose. Here is one article to get you started.
Using the [Authorize] and [AllowAnonymous] attributes of MVC4, you can be quite flexible when restricting parts of your site to authorized users.
I've posted a more lengthy example using above mentioned attributes as an answer to another SO question.
You should use the Authorize attribute on your controllers/pages instead of cookies
and restrict the pages to certain roles and assign users to roles.
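
An added example, not from any of the posts above: the cookie check the question describes, next to the attribute-based form the answers recommend. The cookie name, controller and action names are hypothetical.

```csharp
using System.Web.Mvc;

// WEAK: a filter that trusts a plain cookie value. The browser controls the value,
// and nothing ties it to a signed-in identity, so the check can be spoofed.
public class CookieGateAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var cookie = filterContext.HttpContext.Request.Cookies["access"]; // hypothetical name
        if (cookie == null || cookie.Value != "granted")
            filterContext.Result = new HttpUnauthorizedResult();
    }
}

// HARDENED: the built-in attributes. The identity comes from the framework's
// authentication ticket (encrypted and validated by default with Forms
// Authentication), and roles are resolved on the server, not read from the client.
[Authorize]                                   // every action needs a signed-in user...
public class StoreController : Controller
{
    [AllowAnonymous]                          // ...except the ones opted out explicitly
    public ActionResult Index() { return View(); }

    public ActionResult Orders() { return View(); }

    [Authorize(Roles = "Admin")]              // and some need a specific role as well
    public ActionResult Manage() { return View(); }
}
```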

Route all page requests to one class in ASP.NET

I'm trying to make an application that can host multiple ecommerce front ends, so I need to figure out how to route all requests to one class which then parses templates and handles all output.
So my question is then how do I route all requests to one class?
In PHP I would use mod_rewrite and have all requests go to index.php and add "main = new MainClass();", but I have no idea on how to achieve this with ASP.NET.
The MVC framework isn't what I'm looking for, since I will host several domains with one system.
It sounds like what you want is an HttpModule. (Sorry for the Google link, but there's a lot about this out there and I'm not sure which is the best resource for you.)
Essentially, what an HttpModule does is intercept requests between the web server (IIS) and the application (ASP.NET).
You can use the Route class to register route handlers for all of the routes you define. Basically, you would create one instance of an implementation of IRouteHandler (or different instances of the same type) for all the permutations of the urls on your site.
Also, it should be said that the following statement that you made is misguided:
"The MVC framework isn't what I'm looking for, since I will host several domains with one system."
Any problems or limitations you would run into hosting several domains in one system with MVC will be apparent in ASP.NET as well; MVC sits on top of ASP.NET, not separate from it.
