Im developing a desktop application in WPF that relies on a webservice to log in and get license information. This means that the user logs in and i build a client side (in my desktop application) object with the licensing and the login date etc.
Im using StructureMap and want to pass my IMyUser implementation into my ViewModels constructor (constructor DI). My question is this, where should i put my initialization of my structure map if im to pass my IMyUser implementation into the constructor?
Im thinking after i login and have created the IMyUserObject i can configure StructureMap and pass it the instance of my user object. This would be somewhat "late" in my application (normally i put it in my app class, so its run as the first thing within my application).
If this is not the proper way to utilize the IMyUser and DI please advice, also alternative solitions would be greatly appreciated.
As this is a question about authorization I think it would be much better handled by a custom IPrincipal implementation.
When the application starts up, assign an implementation to Thread.CurrentPrincipal. This initial instance should not authorize the user.
When the user has logged in and received the license information, replace or update Thread.CurrentPrincipal to authorize the user to use the application.
This is an example of the Ambient Context pattern. You don't need to involve StructureMap in this interaction.
Related
I feel like I might be going down the wrong route here, and was hoping someone would be able to do a little course correcting!
I'm creating a web app which uses Windows Authentication. However, I wish to assign custom claims/roles to specific windows users, which I'm planning on storing in a SQL database.
I thought a way to do this would be to enable Windows Authentication in the web.config of my app, but to add an AuthenticationManager from WIF which can add custom claims (which come directly from the database) to the principal/identity. Then an AuthorizationManager would handle authorization to specific controller actions.
The problems I'm having right now is that my Authentication and AuthorizationManagers aren't being called. I'm not sure what I'm missing (they're registered in the web.config), but I suspect maybe it's because I'm using Windows Authentication...? Additionally, my Authorize attributes aren't calling the AuthorizationManager, possibly because I need to create a new attribute.
Is this a viable route to go down, or should I be looking at creating a custom RoleProvider instead?
The ClaimsAuthenticationManager is not called automatically - the FAM calls it.
That said - you can call it yourself, e.g. in Post_AuthenticateRequest and then set a cookie using the SAM. Thats totally doable.
I have a Solution divided into 3 projects.
Two of them are MVC 5 web apps which use ASP.Net Identity provider.
One is a class library which is referenced by the other projects. All the CRUD actions take place in here.
All the projects point to same DB and operate via EF.
All the business logic happens in the class library but is user agnostic. User validation happens in web apps only. Problems here are user validation code is repeated across all web projects and the class library has no idea of the user invoking an API.
This kind of architecture will bring maintenance nightmares very soon so I would like only the class library to talk to db for business logic or user validation.
Now, since ASP.Net Identity provider doesn't work in class libraries, anybody found a way around it?
I am not sure what "maintenance nightmare" you are referring to by having security in the web application. It is a good thing to decouple your application domain from your security model. Your domain model and business logic may remain the same across certain web applications but the security model may vary. I would not bundle these together. And if it is in your class libraries how will you let the OWIN security framework handle forms authentication for you. Are you going to manage all of this in your class libraries as well.
When you refer to "user validation" I assume you are talking about authorization. If you must perform authorization in your class libraries I would implement a custom ClaimsAuthorizationManager. You would override the CheckAccess method to perform your authorization. The ClaimsAuthorizationManager is configured in your web.config so you could have different ClaimsAuthorizationManager's for different web applications. But the logic in your class libraries would remain the same. Anywhere that you want to authorize the user before performing an action you would insert:
ClaimsPrincipalPermission.CheckAccess("MyResource", "MyAction");
The resource and action passed is used in the custom ClaimsAuthorizationManager you created to know the context in which the authorization is taking place. I talk about this method for decoupling your security model from your application domain in this article. If the authorization fails a SecurityException is thrown. You would let this percolate up to your web application where you handle it appropriately (redirect in a controller or an HTTP unauthorized error for Web APi's). Note that this architecture will work if you use your class libraries in non-web applications as well. I have used this with ASP.NET Identity and it works well.
I am trying to implement the WebMatrix.WebData.WebSecurity() method in a .Net desktop application, the application will connect to a database on the server together with a MVC4 project so I would like to use the current provider on both applications to authenticate a user.
I was wondering if this is possible as I am getting the exception:
{System.InvalidOperationException: To call this method, the
"Membership.Provider" property must be an instance of
"ExtendedMembershipProvider".
at WebMatrix.WebData.WebSecurity.VerifyProvider()
I have copied the Web.Config of my MVC4 application into my app.config file but I still cannot seem to get it to work. Any direction would be appreciated
Edit
It is something to do with the [InitializeSimpleMembership] attribute that sits on an MVC4 Controller. This performs some Initialisation for WebSecurity. Can anyone see how to initialise this code without it being an attribute?
Thanks again
Thanks
I am trying to implement the WebMatrix.WebData.WebSecurity() method in
a .Net desktop application
Forget about it. The Membership provider is tightly coupled with the ASP.NET context and not intended to be used in desktop applications. It depends on things like HttpContext, cookies, ... which do not exist in a desktop application.
What you could do instead is to define a reusable service layer that you could use in your desktop application directly and then have an implementation of an ASP.NET membership provider calling the methods of this service layer, thus reusing the same functionality between the two.
I have a 3 tier ASP.NET MVC 3 project that has a data layer, service layer then a presentation layer which calls upon the service layer to get data. I'm actually using the doFactory patterns in action solution.
I want to implement a custom membership, roles, profile provider but I'm not sure exactly where to put it. I was thinking of putting it in the service layer then have the provider call on the DAO objects to get the info.
Any other ideas?
You're thinking pretty well. Though the UI layer interacts with the client and takes their password, your service layer should process attempts the enter system.
Your action methods pass along the information to the service objects responsible for authorization.
Your service layer would have no idea whether it is in a web application or not.
The data layers is just the place where that information is stored, not where it is processed.
You might choose to keep the ID of the user in the UI layer, in session. On login the Service layer would take the username/password/whatever and return a UserID. Or, your action methods could pass in a session key into the service layer each time, to get the User information.
Edit due to comment: I'm doing this in my current project (couple $million scope). I have my security decisions in the action methods. (Though of course the tools for making this simple are objects from the Service Layer.) For example, if the current user doesn't have this role or that role, then redirect them to a rejection page, otherwise, do the thing. MyServiceLayerObject.DoThing() has no security inside it.
It's the simplest way for my app and many others. ("Simplest" means it will will be screwed up the least. When it comes to security, simple is good!) Since the Action method is the gateway to the functionality, having security in the service layer would just cause extra work and actually obscure what security was happening. Now, that's my app, where there is usually one place where each action takes place.
Your app may be different. The more different action methods and (especially) different components are using your Services Layer's functionality, the more you'd want your Service Layer functionality locked down with your authorization scheme. Many people feel that security should always be in the service layer, and that any additional security actions in the UI layer would be bonus redundancy. I don't agree with that.
Here is an existing implementation of Membership Providers in 3 tier world that I found when looking for the same thing...
http://elysianonline.com/programming/wcf-wrapper-for-asp-net-membership/
And here ...
http://elysianonline.com/programming/using-the-wcf-membership-provider/
I am doing a rebuild of a website and I'm trying to use an SOA approach. The current website is in .NET 2.0 and uses the out of the box SqlMembershipProvider.
We're trying to eliminate direct connections to the database and push everything through a WCF service layer. The approach we're using for this is to have everything separated - There's a library for models and interfaces, a library for the services, and then a library for the service proxies.
The biggest hurdle so far is figuring out how to manage user authentication and their session. What's the best way to do this with this approach.
Should we scrap the .NET membership model and go with something like OpenId, and just allow users to reconnect their data to the new account?
I've done some searching and can't find a lot on how to manage this, though I know it's been done before.
Here's what I ended up doing, in case anyone is interested. I started off using the WCF Authentication Services, but then realized it didn't give me everything I wanted. I could log on and off, but will still have to create my own methods for registration and getting the MembershipUser.
So I went in my ServiceContracts library and create an interface I called IMembership. At first, I created it as a class and inherited from MembershipProvider so that I could get all the method stubs generated for me. Once they were generated I modified the stubs and made it into an interface.
Then I went into my Services Library and created the implementation for the interface which was simple, because for the implementation I just used Membership.Provider....
Then in my Service Provider Clients library, I did the usual implementing of the IMembership interface, also inheriting from ClientBase<>. Right next to it I created a WCFMembershipProvider, which implemented MembershipProvider, and called the methods from the MembershipClient I just created.
In my WebApp that host the WCF Services I set up my SQL Membership provider in the web.config, and then created my svc file and endpoints for the service.
In the consuming web app, I just added the service client reference to the svc, and then set up the Membership Provider for my WCFMembershipProvider.
And viola - I'm in business.
A lot of repetitive code, but it works nice.
The principal problem you will run into when trying to create a WCF service and maintain the equivalent of session state is that there are no cookies (since there is no browser to maintain them), so the .NET membership providers are not going to be terribly helpful by default. I know how I have handled the equivalent issue is to have a generated token (for instance, a Guid) correspond with the state information I need to maintain.
Your question, however, is more about authentication. I don't know that you would be able to make an OpenId implementation work through WCF (though I understand it works great for plain old ASPX). You could use just a simple username/password authentication scheme (possibly using the MembershipProvider manually, if you need it for dealing with the password encryption in the database), and you can pass the username and password through the service using (most likely) Transport security (SSL).
I hope this helps somewhat. Maybe someone has come up with a more standard session-state replacement for WCF, but I'm not aware of it if so.
Hard to provide a specific answer without knowing a little bit more about your desired setup.
Do you plan to expose your WCF service as a public accessible independent of your website? Will your web pages access your WCF service directly via AJAX?
The easiest scenario is probably a strict layered deployment UI talks only to Website, only website talks to WCF Service.
http://msdn.microsoft.com/en-us/library/ms731049.aspx is a good read on using the ASP.NET membership model with WCF.
I built a site that used AJAX to talk to the WCF service layer. We used the forms authentication provider with WCF. It worked fine except that there wasn't a graceful way to handle the login through a web service. In our case that was fine as we wanted to the user to go to the website and login by entering credentials.
If you have already invested in collecting user's credentials to work with SQLMembership provider, you could surface it via ADFS+claims based model. This would work with all 3 of the above scenarios. There is a bit of learning to do though