In my Application I have three types of users.(1)anonymous user (2) Members and (3) Admin.
I want to create roles for these users: when a user want to visit the site then he/she may see different Menus like an access control list. And when the user want to access the page or perform some sort of operation, then first its role is checked.
Suppose only admin can have the delete Operation access, so other users cannot see the delete operation or if this is not possible then at least he/she cannot allowed to do this operation.
I used WSAT (website administration tool ) for asp.net application ,but later on I came to know that this not a good technique for production server to manage roles and user.
So I want a handsome technique to manage my application users.
Anybody please help .
Is this MVC?
If so, have a look at ASP.NET Identity: http://www.asp.net/identity
Also check out the new Thinktecture Identity Manager, which is meant as a better replacement for the WSAT tool.
http://www.hanselman.com/blog/ThinktectureIdentityManagerAsAReplacementForTheASPNETWebSiteAdministrationTool.aspx
Related
I'm creating a website using ASP.NET core with MVC where a few people will have accounts to manage a database. Since anonymous users will be able to view the website, I don't want them to be allowed to create accounts and mess stuff up. I'm not sure if adding the [Authorize(policy)] attribute to the create account page is possible since the ASP.NET core template hides the page that I need to add it too. Is there a way I could do it? Now that I'm thinking about it, does individual authentication even allow you to do such a thing?
Before you say this is a duplicate question, I've looked through previous answers only to find that they just add [Authorize] to the create account page, which I said I'm fairly certain I can't do. Unless there is something I missed, of course.
Take a step back and think about what you are saying. You want to enforce authorization on anonymous users. Does that make sense to you? How can you authorize someone you don't know?
If you don't want anyone to be able to create accounts, your action simply cannot be exposed to anonymous users. You should remove the code generated by the template or at the very least, hide it behind an authorization scheme like the other answers have suggested.
That leaves you with the problem of how to create a user when the page to create a user cannot be accessed. I've dealt with this in a couple of ways in the past:
Create a user with admin rights programmatically (if it doesn't already exist) on application start. This user is authorized to access a page within the app (usually an admin panel on a separate Area) where he/she can create other users. You use this account to grant access to other accounts and assign proper roles as needed. OR,
Have the application check for initialization on start up and if it hasn't done it before, show a workflow that allows you to create an admin account (kind of like a first time installation step). Once created, you use it the same way as in option 1.
In both cases, you will be applying the Authorize attribute to your controllers and/or actions as desired and will need an "admin" facility where users with proper rights can manage things.
I have a web app and I can login as admin or customer in it. Admin has access to all pages, customer has access to certain pages only.
When customer logs in, the required pages, say 3 pages are shown, after he logs out and the admin loges in, still only those 3 pages are shown. Although, After manual refresh, I'm able to see all the required admin pages.
How do I refresh automatically when user logs out? I'm using Angular 10 framework.
Since you're question is pretty generic, it is hard to get into specifics.
You must have some login code, so presumably you are loading a users permissions from some system and storing those permissions as part of the app--presumably as a cookie?
You can protect routes using auth guards. We primarily use canActivate guards.
You can hide elements on a page--such as screen navigation links--with an *ngIf. We created our own structural directive to accept in a list of allowed user permissions, and the current user's permissions and use that to determine if certain dom elements should be created or not.
I'm not sure about C#, but in Java we created a Spring Annotation to validate user permissions when a user tries to access a REST Endpoint. I suspect something similar must exist in the .NET world.
Conceptually it is not much different than our Angular custom structural directive; comparing allowed permissions to perform the action with user permissions, and then either allowing or denying the action.
It sounds like your users are getting elevated permissions by reloading the app; so I suspect there are some underlying security issues with your full implementation, but without a code review cannot begin to speculate what that is.
My website is mainly divided into 3parts. One for administrator, mostly maintenance pages to update database. One for general users who browse the page with accounts logged in. One is for anonymous to browse and check out our products. How could I restrict the users/anonymous to get to my admin pages and how do I restrict anonymous to purchase?
First, you need to set up 3 folders(Admin, Users, Anonymous), then you put the web forms that you want those people who could have access to in the folder. After that you need to set up your users, roles and access rules in the asp.net configuration(Website->Asp.net Configuration). Now, you should see web site Administration tool, go to security. You could set up your users, roles, and access in there. It would allow you to restrict users to certain web forms.
I am developing an MVC3 application and I have gotten to the point where I need to start securing out different areas of the intranet site to particular users.
The site is being used on the intranet and uses windows authentication for login.
Within the database I have a users table which contains numerous fields that determines the users role. This is maintained in the admin area of the site.
Certain users will have the ability to access the admin area, some users will only have the ability to read certain areas of the site but not contribute, etc etc. There are some complicated business rules.
I am looking for how to secure out different areas. I have read a good few articles around using the authorize attribute on controllers for particular groups, this doesn't seem to be a good fit as I understand it I would have to control what users are in what groups from within the configuration of the application whereas the admin users of the application should be ones controlling this via the application itself.
Any suggestions are welcome.
If you are mainly concerned about managing users, ASP.NET does a great job of this with their built-in Web Application Administration Tool. On the top-right of the Solution Explorer, to the right of the refresh button, is a hammer-and -earth tool that you can click on. It allows you to manage users and roles, and from there you can assign the users to roles. Perhaps your admins can use this.
This tells you how:
http://www.asp.net/mvc/tutorials/mvc-music-store/mvc-music-store-part-7
As far as having to put authorize attributes on the controllers/methods, I don't see any way around that. Let me know if I have misunderstood your question.
Assign users to roles and use AuthorizeAttribute.
I am creating a web application that, simply put, allows for the users to create their own "sites" which have their own set of users. I look at the domain name of the request coming in to determine which "site" to display. I need to have completely different sets of users depending on which "site" you are on. For example: If I visit site1.example.com I am able to register as bob. Trying to login to site2.example.com with my credentials from site1 would fail, because I don't have an account there. Likewise, I should be able to create another, independent bob user on site2. Therefore, not only will I need to store additional information with the user (like what site they registered on), I also need to make the username field non-unique. Any ideas on how to accomplish this? I would like to use the built-in security provider in ASP.NET, so I can use things like [Authorize], but if some 3rd-party security suite would work, I am open to that as well.
With Asp.net membership provider ... one easy way is to change "role" s for each set of users. All users registered for site will get role "site1user" assigned. And so on. You can maintain all users in one database ... differentiated by roles.