I'm building a helpdesk/asset tracking web application using Windows Authentication, ASP.NET MVC5, and C#, with a SQL back-end.
In the database, I'm thinking of linking support tickets and assets to users by way of their Active Directory SID, since this value will not change over time. Their SID, along with some other pieces of information, would go into a table called "Users".
Since I'm new to MVC, what would be the most efficient way of getting the user's SID into the database upon their first visit to the site? I thought about building something into Global.asax, but that seems like it goes against the MVC paradigm.
Alternatively, does anyone have suggestions for a better approach?
The idea is quite common.
For most sites (for example StackOverflow) you have to register. You take a common login service (StackExchange) and upon first login, a 'profile' is created.
Authentication (and maybe authorization) still happens through the original source (in your case AD), while the information you really need is saved in the database.
In the AccountController.Login action, you call ActiveDirectory yourself.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
{
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(context, model.UserName))
{
// read back the user from database
// if non-existent: add it using a stored procedure or something like that
}
}
Related
I am building an intranet with ASP.NET core 2.0 MVC. All users are part of an active directory. Additionaly I have a MSSQL database with the following tables:
Users (Id, FirstName, UserNameAd (unique), ...)
Roles (Id, RoleName)
UserRoles (User_Id, Role_Id)
In my web application I now want to retrieve the roles of a user and store them in the Authentication/Identity Classes of Microsoft in order to use [Authenticate(Roles="Admin")] stuff. I am not sure where I shall put this role-request and what is the best practice. It is possible that a user gets a new role during the day or that a role is removed during the day and I actually do not want the user to click something specific or need him to restart the browser in order to get the new roles applied - thats why I think that the roles need to be requested with each server-action (POST, GET) from the server.
Any idea or link to a good tutorial would be highly appreciated.
Also if you think my approach is not good practice and you have a better idea I would be happy to know.
After a lot of discussions and researches in the internet i came to the conclusion to chose pure windows authentication.
It works out of the box and you can already use the active directory groups as roles with [Authorize(Roles = "ADGroupName")] which is really straightforward and nice.
I have three levels of users in my website, Managers,employees and normal users. Each of them in different table in my database.
I created a log in form using login tool. Then I created connection and sessions.They work fine.
now my question is what is the best way to check the session in all pages (if it is manger, employee or user). it would be more useful if there is example :)
Thank you for your time.
Pretty traditional and simple, you could use this tried and true method.
Essentially you would use the UserData property of the authentication ticket to store the current users' roles. You can then obtain the data at any time from the current thread's principal.
I have been trying to get my head around OWIN and Identity to get it play well with my Existing app. The application was coded in Plain ASP.Net and I want to port it to MVC to organize it better. The app have established database including Users table so using Identity table is not option. The wall I hit with Identity is that it requires Email and my system is NOT supposed to demand user email. After trying almost everything (days reading almost every answer on the subject) I have come to conclusion that it will take more time to get it done, and that brings me to my question.
Being PHP guy (jumped to ASP.Net not long ago) I could easily make a working login in 10minutes and now I need a thing like it, something like
$user = User::findByUserName($username); //somehow here I find user from database
if($user!=null)
{
$_SESSION['isLoggedIn'] = true;
$_SESSION['fullname'] = $user->fullName;
}
else
{
//redirect to login with error
}
I cannot find a session class in MVC5. Is that even possible? If no, is there a simple route to solve my issue?
The most common way to cache is to either place it in the 'Global' server cache or place it in the session. There are other ways to save state and I would recommend looking into alternatives as the techniques below use the System.Web namespace. System.Web will not be included in MVC6.
Global Cache
//Save User
System.Web.HttpContext.Current.Cache.Insert(
"CurrentUser",
User,
null,
System.Web.Caching.Cache.NoAbsoluteExpiration,
new TimeSpan(0,20,0),
System.Web.Caching.CacheItemPriority.Normal,
null);
//Get User
User user=(User)System.Web.HttpContext.Current.Cache["CurrentUser"];
Session Cache
//Save User
HttpContext.Current.Session.Add("CurrentUser",User);
//Get User
User=(User)HttpContext.Current.Session["CurrentUser"];
you could basically tell owin manuelly to authenticate the user without using the identity-stuff (i dont like it either, at least for small projects). Then you could easily use the default authorize anotation
Heres a tutorial: OWIN AUTH
I am developing an application in asp.net using vs2010.
In application, Admin can create different user accounts using Microsoft member registration wizard.
Users can Login with created credential using Microsoft login control.
Now,I have to access this Logedin user's UserID and UserName in entire application's different forms.
Currently I am accessing this details by writing code in all forms by
MembershipUser newUser = Membership.GetUser();
Guid newUserId = (Guid)newUser.ProviderUserKey;
So, where can i store this login user's UserID and UserName in a common place. So I can access this details from common place?
Please Help me.
Thanks,
Well - that depends fully on where you persist the data for your application.
If you use a database for storage, then logically the data should belong in there, in a user table, with a connectionstring to the database in your application's configuration.
If not using databases, then you properly need some file based storage, for example XML or something you invent yourself and then have a parser which serialize/deserialize the data from files.
In both instances, you'll need to consider security and hashing/salting and make sure the data is kept secure.
I tend to use a static helper class, which stores (and loads) data in HttpContext.Items for the duration of any request. So you would just need to call GetUser once per request. If even that is too much for you, you can use a Session, for example - but don't forget that sessions only live for so long, so be prepared to reload the data if it's lost due to session timeout.
The static class has to be somewhere accessible from the whole application - in a web site project, this means the App_Code folder.
I am new to MVC and actually new to web development all together. I have about 7 years of development experience but in services, database, object models, etc.. basically middle-tier and back-end development. I am trying to learn ASP.NET and decided to build a site using MVC3 for a personal site for myself. I will be hosting this from an account at dotnet-hosts.com. Here is my question... I don't have a domain and I will be using the built in membership provider. I noticed in the auto generated code that was created when I added the project template that in the AccountController in the method ChangePassword (ChangePasswordModel model) there is this line of code...
MembershipUser currentUser = Membership.GetUser(User.Identity.Name, true /* userIsOnline */);
My question is specifically around User.Identity.Name, this looks like it would be returning the Windows user name just like Environment.UserName would. The Visual Studio template I used is the (Mobile Ready HTML5 MVC.NET) as I want to be able to support clients from any device...Windows PC, Apple, Windows Phone, iPhone, etc... If the call to User.Identity.Name is correct then I would like to ask how does this work on devices that are not Windows like an iPhone? If my assumption is correct that this will only work for Windows computers with a domain then how can I achieve this? would I need to perhaps use some caching? If so could I maybe grab the user name and their IP address to be used as the cache key from the Authentication page?
My high level question is... How do I get the current logged in user's userName regardless of the device/platform? I know this question is probably not written well and may be hard to understand... I apologize for that. I am new to web development and trying to get my feet wet and would like to start to the latest technology.
The call is correct. The User.Identity.Name is filled out by whatever authentication provider is in use - Windows authentication, Forms authentication, some custom authentication provider, or whatever. It isn't bound to a specific user "type". The authentication provider has the responsibility of making sure the Identity object corresponds to the current user on every request. Usually that part is taken care of using a combination of cookies and database.
The MVC template (although I haven't had a look at the template since MVC 2) uses ASP.NET's Membership class, which in turn uses a membership provider - for example SqlMembershipProvider or ActiveDirectoryMembershipProvider - the former stores your users' credentials (username and password etc.) in an SQL Server database, the latter uses Active Directory (i.e. primarily Windows logons). SqlMembershipProvider is the default, and MVC is set up to use a local SQLExpress database file as its user store.
The authentication provider that's implemented in the template project uses FormsAuthentication, which does the login procedure through a simple HTML form (the one in the LogOn view) and keeps the user signed in by way of an encrypted cookie. Works on any platform.
The setup for both FormsAuthentication and SqlMembershipProvider can be found in web.config (the one in the root of the site). There you can find the connection strings for the SQLExpress database (and e.g. change them to use a "real" SQL Server if needed), the timeout for logins etc.
(Note that you can do a lot of that configuration easily in a GUI through the "ASP.NET Configuration" button in the toolbar of Solution Explorer in Visual Studio - it also provides an easy way to set up the first users).
In short, it's all ready to go - and doesn't lock out non-Windows users.
Like you said User.Identity.Name is indeed correct. for returning the logged in users name. But the membership section like you said, provides only windows accounts. You can use similar without the user of windows accounts, to work in every scenario, and can still verify against windows if present. If you call it without membership, and follow the default MVC3 template it should work fine.
String Username = User.Identity.Name;
When you log on, using the template MVC3, it creates an authcookie. See account controller code. Here, two parameters are passed into it. The username, and to persist (when browser is closed - login is still cached).
The username is a string field, which is what is called by User.Identity.Name and infact, anything can be put into it, and is not in anyway linked to Windows login.
You could test the login via method you desire, and if yes, set a cookie using the authcookie method. (its encripted). And set the username to what ever you want. And if your verification of the user fails, dont create one, and redrect back to page.
See the example code. This is all from memory, as I dont have code infront of me for reference. But its all in the account controller, Login Action.
When the cookie is set, The users login state is cached for the session. You will need to ensure the user is logged in when visiting a webpage. Otherwise loggin in will be pointless. This is a simple attribute on the controller/action.
Note: dont do this to the Account/logon controller, as you wont be able to visit the logon page, as you are not logged in.
[Authorize]
public ActionResult DoSomething()
{
// ...
}
Hope I have helped.