I've got a few top-level questions about ASP.NET Membership and Role providers. I've done some searching but am having a hard time finding some layman tutorials. I have been coding in ASP.NET for a while now but the only real experience I have with authentication is the use of FormsAuthentication.SetAuthCookie(usernameFromDatabase, false);
When I use the SetAuthCookie() method above am I using the ASP.NET Membership Provider? Correct me if I'm wrong please but I don't think I am. I am just setting an authentication cookie right? I usually implement my own custom methods in my data repositories like GetUser_ByUsername(string username) which then talks to the ORM and gets the right user.
Do the Membership and Role Providers have their own data storage?
What if I want to use my own data storage?
Do I need to implement my own membership/role provider, and how would one go about doing that?
Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?
I'm just looking for a brief tutorial/explanation of this system. If you have any good references for me to look at I will happily take a look :)
Implementing a membership provider is not too hard. Note that you only need to implement the methods that you plan to actually use. The membership provider should be viewed as a means to interact with your user information from an authentication perspective. It won't create the auth cookie for you; you do that after a successful call to the ValidateUser method on the provider. It will allow you to develop an application against the provider interface and easily change which provider you want to use via configuration rather than rewriting the application code. I've successfully implemented several different membership providers, using my own schema, which support built-in and hybrid built-in/active directory authentication. More info available via the links below:
Article: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
Sample Implementation Description: http://msdn.microsoft.com/en-us/library/44w5aswa.aspx
Sample Code: http://msdn.microsoft.com/en-us/library/6tc47t75.aspx
SetAuthCookie() works with the Forms Authentication framework within ASP.NET which you can then adapt for integration with a membership provider.
Do the Membership and Role Providers have their own data storage?
They can, yes. There is an abstract implementation that you can subclass for your specific data needs. There is a SqlMembershipProvider you can use right out of the box, you just need a database to point to and create the needed tables. There is quite a bit of information on that class, like here or here.
What if I want to use my own data storage?
The SqlMembershipProvider does, but check out this alternative MySQL framework if you're interested in seeing how another DBMS does it.
Do I need to implement my own membership/role provider, and how would one go about doing that?
Using the built-in ones is pretty easy, but a lot of shops roll their own so that they can use existing tables. You'll need to implement this class.
Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?
In all likelihood you'll need a stronger system, and a custom membership provider is a good idea.
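The first answer above draws the line between the provider and the cookie: the provider's ValidateUser only decides whether the credentials are good, and the page issues the cookie afterwards with FormsAuthentication.SetAuthCookie. This added example (not code from any of the posts) shows that split for a provider backed by your own schema; IUserRepository, UserRecord and CredentialValidator are hypothetical names standing in for your own ORM layer, and the MembershipProvider subclass itself is assumed to delegate its ValidateUser override to CredentialValidator.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;

// Hypothetical row from your own users table (not part of the original post).
public sealed class UserRecord
{
    public string Username;
    public byte[] Salt;          // 16 random bytes generated at registration
    public byte[] PasswordHash;  // PBKDF2(password, Salt, Iterations), 32 bytes
    public int Iterations;       // stored per user so it can be raised later
}

// Hypothetical repository, mirroring the GetUser_ByUsername style from the question.
public interface IUserRepository
{
    UserRecord GetUser_ByUsername(string username);
}

public sealed class CredentialValidator
{
    private readonly IUserRepository _repo;
    public CredentialValidator(IUserRepository repo) { _repo = repo; }

    // The body your MembershipProvider.ValidateUser override delegates to.
    // It never touches cookies; it only answers "do these credentials match?".
    public bool ValidateUser(string username, string password)
    {
        UserRecord user = _repo.GetUser_ByUsername(username);
        if (user == null || string.IsNullOrEmpty(password)) return false;

        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, user.Iterations))
            candidate = kdf.GetBytes(user.PasswordHash.Length);

        // Compare every byte so timing does not reveal where the first mismatch is.
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++)
            diff |= candidate[i] ^ user.PasswordHash[i];
        return diff == 0;
    }
}

public static class LoginFlow
{
    // Called from the login page's button handler. The provider configured in
    // web.config (Membership.Provider) validates; only on success is the cookie issued.
    public static bool TrySignIn(string username, string password, bool persistent)
    {
        if (!Membership.ValidateUser(username, password)) return false;
        FormsAuthentication.SetAuthCookie(username, persistent);
        return true;
    }
}
```

Swapping SqlMembershipProvider for this custom provider is then a web.config change only; LoginFlow does not know which provider answered.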
1 - Yes, if you use the built-in membership/role providers they use tables created either in a separate database or an existing one. You use the tool aspnet_regsql.exe to create these tables; it walks you through a wizard. Alternatively, it can also be called from the command line with different arguments in order to skip the wizard. This is some info from MS about creating the necessary DB/tables within your DB.
2 - You can do that, but you have to implement a custom membership provider, which isn't really difficult. Here and here are some tutorials.
3 - You don't necessarily need to unless you either want to use your own data stores or you need functionality from it that isn't present in the built-in providers.
4 - I would say you're better off using the built-in functionality ASP.NET provides for membership and roles.
I'm prototyping a web application using ASP.NET 5. The template project Visual Studio 2015 creates is useful, but it uses Entity Framework which I don't want to use. I already have my own logic for verifying passwords to login, create new users etc. using ADO.NET.
For example, the template project uses functions like SignInManager.PasswordSignInAsync(email, password, rememberMe, false);, but I want to implement my own code for doing this, I'm not sure where I can override this behaviour.
I suspect the config code in the Startup class needs to be changed, this code for example:
services.AddIdentity<ApplicationUser, IdentityRole>().AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();
Looks like it is setting up the identity logic to use the EF, I imagine I need to implement my own versions of IUserStore and other interfaces, but I'm not sure where to start and I can't find any examples of how to do this.
thanks
First rule of security: DO NOT CREATE YOUR OWN SECURITY.
Do NOT write your own PASSWORD VERIFICATION.
Now that's out of the way.
You are allowed to write your own Identity Store.
Check out the official tutorial.
The basic premise is that you implement your own IUser<T> and an IUserStore<IUser<T>> that allows the .NET identity provider to access your storage. However, at the end of the day... there should be an ADO.NET Identity Store.
I am exploring the possibilities of ASP.NET MVC. In the example web application of Visual Studio, the WebMatrix.WebData.WebSecurity class is used for Membership (creating accounts, specifying that a user must be logged in to view a specific page, etc.). But after some searching I found that there is also a System.Web.Security.FormsAuthentication class that can be used for Membership.
Does anybody know the differences/pros and cons between these two classes? And when to use WebSecurity and when to use FormsAuthentication? (And maybe a clear example of FormsAuthentication?)
Thanks in advance
WebSecurity was introduced in WebMatrix 2 and ASP.NET MVC 4. It relies on the SimpleMembershipProvider. Under the covers it uses FormsAuthentication to manage cookies. So I guess that if you are starting a new project you would opt for the new model if this model fits your needs. Bear in mind that the SimpleMembershipProvider exposes less functionality than the original provider.
The original membership provider uses the SqlMembershipProvider which in turn uses plain ADO.NET to query the database.
The SimpleMembershipProvider uses the new Database class introduced in WebMatrix to query the SQL database.
The main differences between old ASP.NET Membership provider and SimpleMembershipProvider are explained in this good article - http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
It is better to use SimpleMembershipProvider (WebMatrix.WebData.WebSecurity) than old ASP.NET Membership Provider (or Universal Providers)
I am doing a rebuild of a website and I'm trying to use an SOA approach. The current website is in .NET 2.0 and uses the out-of-the-box SqlMembershipProvider.
We're trying to eliminate direct connections to the database and push everything through a WCF service layer. The approach we're using for this is to have everything separated: there's a library for models and interfaces, a library for the services, and then a library for the service proxies.
The biggest hurdle so far is figuring out how to manage user authentication and their session. What's the best way to do this with this approach?
Should we scrap the .NET membership model and go with something like OpenId, and just allow users to reconnect their data to the new account?
I've done some searching and can't find a lot on how to manage this, though I know it's been done before.
Here's what I ended up doing, in case anyone is interested. I started off using the WCF Authentication Services, but then realized it didn't give me everything I wanted. I could log on and off, but will still have to create my own methods for registration and getting the MembershipUser.
So I went into my ServiceContracts library and created an interface I called IMembership. At first, I created it as a class and inherited from MembershipProvider so that I could get all the method stubs generated for me. Once they were generated I modified the stubs and made it into an interface.
Then I went into my Services Library and created the implementation for the interface which was simple, because for the implementation I just used Membership.Provider....
Then in my Service Provider Clients library, I did the usual implementing of the IMembership interface, also inheriting from ClientBase<>. Right next to it I created a WCFMembershipProvider, which implemented MembershipProvider, and called the methods from the MembershipClient I just created.
In my WebApp that hosts the WCF Services I set up my SQL Membership provider in the web.config, and then created my svc file and endpoints for the service.
In the consuming web app, I just added the service client reference to the svc, and then set up the Membership Provider for my WCFMembershipProvider.
And voilà - I'm in business.
A lot of repetitive code, but it works nicely.
The principal problem you will run into when trying to create a WCF service and maintain the equivalent of session state is that there are no cookies (since there is no browser to maintain them), so the .NET membership providers are not going to be terribly helpful by default. The way I have handled the equivalent issue is to have a generated token (for instance, a Guid) correspond with the state information I need to maintain.
Your question, however, is more about authentication. I don't know that you would be able to make an OpenId implementation work through WCF (though I understand it works great for plain old ASPX). You could use just a simple username/password authentication scheme (possibly using the MembershipProvider manually, if you need it for dealing with the password encryption in the database), and you can pass the username and password through the service using (most likely) Transport security (SSL).
I hope this helps somewhat. Maybe someone has come up with a more standard session-state replacement for WCF, but I'm not aware of it if so.
Hard to provide a specific answer without knowing a little bit more about your desired setup.
Do you plan to expose your WCF service as publicly accessible, independent of your website? Will your web pages access your WCF service directly via AJAX?
The easiest scenario is probably a strict layered deployment: the UI talks only to the website, and only the website talks to the WCF service.
http://msdn.microsoft.com/en-us/library/ms731049.aspx is a good read on using the ASP.NET membership model with WCF.
I built a site that used AJAX to talk to the WCF service layer. We used the forms authentication provider with WCF. It worked fine except that there wasn't a graceful way to handle the login through a web service. In our case that was fine as we wanted the user to go to the website and log in by entering credentials.
If you have already invested in collecting users' credentials to work with the SqlMembershipProvider, you could surface it via an ADFS + claims-based model. This would work with all 3 of the above scenarios. There is a bit of learning to do though.
I'm creating a website using ASP.NET MVC 2 and I'm thinking of using the default AccountController and Views to take care of the Users.
The only problem is that, for all the rest, I'm using a Postgres database.
Is there a way to link The account controller to a User class defined by me?
I'm using Nhibernate to connect to the database, so I'll have a User class with whatever fields necessary.
Thanks very much.
You might want to look at NHibernate Membership Provider project and use it as a base to build from.
It uses the membership provider defined in your web.config. By default, this is the SQL Server provider. You can change that, though. You could use a Postgres provider, or switch to a different authentication system like OpenID. (Authentication is different than the membership provider.)
Use a custom membership provider for PostgreSQL like this one:
http://blog.woodchop.com/2006/09/postgresql-membership-provider-for.html
Does anyone know of a good framework to allow me to design permissions and roles against users?
Basically allowing me to automatically check that a user can do a certain thing, and then disabling or enabling menu items etc.
I am not really looking for asp.net security... as I need to use it in my own service layer, and clients for both WEB and WPF will use it.
I was hoping for something that allows me to create new roles and groups against users and then check what type of permissions a user has or a group has.
Any help really appreciated.
I am sure some kind of open source framework is available; well, I was hoping not to have to create my own.
Thanks
ASP.NET Membership
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
If the features that ASP.NET membership/role providers (SQL Server providers for instance) give you are sufficient, I suggest you use them. You can create a web service interface for your WPF application that uses the same providers to query the user list and roles. They are in no way limited to "web forms" only.
Even if you decide not to use the built-in providers, I suggest you still access your own stuff through ASP.NET's provider system by creating custom providers. That way, anything in ASP.NET that relies on standard users/roles will "just work".