I have an ASP.NET 3.5 Site where, in some places, I am checking if the currently logged on Active Directory user is in a certain AD Security Group. In the Page_Load I'm doing something like this:
protected void Page_Load(object sender, EventArgs e)
{
    // isInADGroup: the site's own AD membership check (not shown in the question)
    if (isInADGroup(UserGUID))
    {
        // proceed
    }
}
Now I was wondering, couldn't I just create a Custom Attribute, like some of MVC's security attributes, which runs this check and cancels the execution or displays an error message?
Not sure about an attribute but you could always create a custom page that handles this inheriting from System.Web.UI.Page and use this as the base class for your web forms.
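One way to get both things the question asks for (a declarative attribute like MVC's, enforced from a base page class as the answer suggests), written here as an added example that is not code from the original question or answer. It assumes the site runs under Windows authentication against the domain, that the group is named by its sAMAccountName, and that `RequireAdGroupAttribute`, `SecurePage` and `IsInAdGroup` are names chosen for this example; the membership lookup uses System.DirectoryServices.AccountManagement, which ships with .NET 3.5.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web;
using System.Web.UI;

// Hypothetical attribute: marks a page as restricted to one AD security group.
// Inherited = true matters: ASP.NET compiles each .aspx into a class derived from
// your code-behind, so the attribute must be visible through that derived class.
[AttributeUsage(AttributeTargets.Class, Inherited = true)]
public sealed class RequireAdGroupAttribute : Attribute
{
    public string GroupName { get; private set; }
    public RequireAdGroupAttribute(string groupName) { GroupName = groupName; }
}

// Hypothetical base page: every page deriving from it is checked in OnInit,
// which runs before the page's own Page_Load.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        var attr = GetType().GetCustomAttributes(typeof(RequireAdGroupAttribute), true)
                            .Cast<RequireAdGroupAttribute>().FirstOrDefault();
        if (attr == null)
            return; // page carries no attribute: not restricted by this mechanism

        // Fail closed. Throwing (rather than Response.End/CompleteRequest) guarantees
        // the rest of the page lifecycle, including Page_Load, never executes.
        if (!Request.IsAuthenticated || !IsInAdGroup(User.Identity.Name, attr.GroupName))
            throw new HttpException(403, "Forbidden");
    }

    // GetAuthorizationGroups() resolves nested membership (group-in-group), which a
    // plain IsMemberOf() check on the direct group does not. It is an AD round trip,
    // so cache the result per user if the page is hit often.
    private static bool IsInAdGroup(string logonName, string groupName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, logonName))
        {
            if (user == null)
                return false; // unknown account: deny
            return user.GetAuthorizationGroups()
                       .Any(g => string.Equals(g.SamAccountName, groupName, StringComparison.OrdinalIgnoreCase));
        }
    }
}

// Usage: a page only declares its requirement; the base class enforces it.
[RequireAdGroup("SEC-Payroll-Admins")]
public partial class PayrollReport : SecurePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // reached only when the current Windows user is in SEC-Payroll-Admins
    }
}
```

The check lives in one place, a page that forgets to derive from `SecurePage` simply gets no attribute enforcement, so the base class should be wired in via the `pageBaseType` attribute of `<pages>` in web.config rather than relied on page by page.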
I am using C# Razor in order to make a social network. There are webpages that contain sensitive data and I don't want someone to go to that URL and see it. Not even by going to Inspect Element and opening it through there. So is there a way to warn the user that "This web page is not allowed"?
You have to implement authentication and authorization in order to control who can actually access any given route in an MVC application. I can only recommend that you start by reading the official site www.asp.net/mvc/overview/security about authorization and authentication.
With the proper authentication/authorization the server will simply not send any data, or you could redirect to a specific "not allowed page"
I agree with Louis, you should get this book here which helped me a ton. http://www.apress.com/9781430257523
The literal answer you are looking for concerns the use of authorization attributes you place above controller actions or controllers themselves. So an action might look like this
[Authorize]
public ActionResult UserAccount(Guid id){...}
By setting up authentication using ASP.Net Identity you will be able to automatically redirect visitors who are not logged in to another page etc.
Also if you need to make sure that the current logged in user is not going to (for example) another user's personal page (account settings?) you would do a simple check on the server side to prevent this. Something like so (Pseudo code)
if(User.Identity.GetUserId() != account.OwningUserId)
return RedirectToAction("404", "Shared");
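The ownership check above, carried through as an added example (not code from the answer or from the asker's project): an `[Authorize]`-protected controller whose GET and POST both verify that the account belongs to the current ASP.NET Identity user before doing anything with it. The controller name, the `Account` shape and the in-memory store are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // provides User.Identity.GetUserId()

public class Account
{
    public Guid Id { get; set; }
    public string OwningUserId { get; set; }   // ASP.NET Identity id of the owner
    public string Nickname { get; set; }
}

public class AccountSettingsModel
{
    public string Nickname { get; set; }
}

[Authorize]   // anonymous visitors never reach an action here; forms auth redirects them to the login page
public class AccountSettingsController : Controller
{
    // Constructed stand-in for the real database.
    private static readonly List<Account> Store = new List<Account>
    {
        new Account { Id = Guid.Parse("7b1f4a0e-0000-4000-8000-000000000001"), OwningUserId = "user-a", Nickname = "alice" },
        new Account { Id = Guid.Parse("7b1f4a0e-0000-4000-8000-000000000002"), OwningUserId = "user-b", Nickname = "bob" },
    };

    // Shared by GET and POST. Returns null both for "does not exist" and for "not yours",
    // so the caller answers both cases identically and the id in the URL cannot be used
    // to probe which accounts exist.
    private Account FindOwnedAccount(Guid id)
    {
        var account = Store.FirstOrDefault(a => a.Id == id);
        if (account == null || account.OwningUserId != User.Identity.GetUserId())
            return null;
        return account;
    }

    // GET /AccountSettings/Edit/{id}
    public ActionResult Edit(Guid id)
    {
        var account = FindOwnedAccount(id);
        if (account == null)
            return HttpNotFound();
        return View(new AccountSettingsModel { Nickname = account.Nickname });
    }

    // POST /AccountSettings/Edit/{id}: the check is repeated; a successful GET proves nothing here.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(Guid id, AccountSettingsModel model)
    {
        var account = FindOwnedAccount(id);
        if (account == null)
            return HttpNotFound();
        if (!ModelState.IsValid)
            return View(model);

        account.Nickname = model.Nickname;   // copy only the field the owner may change; OwningUserId is never bound from the request
        return RedirectToAction("Edit", new { id });
    }
}
```

Binding to a small view model rather than to `Account` itself is what keeps a posted `OwningUserId` field from being applied; the ownership check and the narrow binding together are what stop one user from reading or rewriting another user's settings.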
I have a web application using Enterprise Web Library and I've found the need to have a custom log-in page. I see that EWL provides one for me, but I want to be able to have some custom elements on the page and control how the user is logged in. How can I achieve this in EWL?
First, create your custom log-in page. Let's call it MyLogIn.aspx.
The next step is to designate MyLogIn as the log-in page for some/all of the pages and shortcut URLs in your app. To do that for pages, override PageInfo.LogInPage and/or EntitySetupInfo.LogInPage and return a MyLogIn.Info reference. This setting is inherited from parent pages and entity setups. If you want all pages in your app to use MyLogIn, you only need to override the LogInPage property at the root of your page tree.
To use MyLogIn for your shortcut URLs, use the logInPageGetter optional parameter in the ShortcutUrlResolver constructor. Pass a function that returns a MyLogIn.Info reference.
The final step is to implement MyLogIn. You can design the page however you want and collect whatever credentials you want, but there are a few things you need, which depend on whether you still want to use EWL's UserManagement subsystem. If you do, you need to call UserManagementStatics.SetUpClientSideLogicForLogInPostBack during LoadData and call either UserManagementStatics.LogInUser or UserManagementStatics.LogInSpecifiedUser from a DataModification. If you are not using UserManagement, you're responsible for authenticating the user in your own fashion as part of a DataModification, before redirecting the user into the app.
As I am working on Forms Authentication in ASP.NET MVC, I want to know this:
Is there any event available in global.asax OR in the base controller class which is called only ONCE when forms authentication happens? (I want to add something to the session only once and only when forms authentication happens.)
I tried the OnAuthorization and AuthorizeCore events of the AuthorizeAttribute class.
I also tried the Application_OnAuthenticateRequest and Application_AuthorizeRequest events of the Global.asax file.
BUT the issue is, all these events fire on every request, and I want to execute something only once, when authentication happens.
Could you please suggest the best way to do this?
Note: The authentication cookie is being set by another ASP.NET MVC application which exists in the same domain. (I am accessing this application by subdomain, so I can access the auth cookie of the parent application.) BUT when authentication happens in Application 1, I want to set some session variable in Application 2. (As my Application 2 user is now authenticated, I want to add some information to the session in Application 2.)
Thanks in advance!
When authentication occurs in application 1, add an additional cookie that will trigger setting the session variable in application 2. In the AuthorizeCore override of an AuthorizeAttribute in application 2, check for the presence of the cookie. If it exists, set the session variable and remove it.
You might also consider adding the info to the user data portion of the FormsAuthenticationTicket instead of storing it in session.
What you are asking is an application-specific event, and since the requirements and specifics of this can't be defined simply, there's no built-in event to handle this. So, you'll have to create this yourself.
Since you are using Forms Auth, you know exactly when they authenticate, but I suspect you are interested in a way to communicate this to other modules or components in a loosely coupled, event-driven manner. I would suggest that you have a service interface defined in your business layer that represents your authentication service. You could then have your various components that need to notify (or be notified) of an authentication event talk to the authentication service directly, rather than try to push this through ASP.NET. My answer is rather vague because the info you've given about what you need to do in that event is not apparent.
For the hell of it, we can consider how to push this through ASP.NET anyway. The class that is generated for your application, represented by Global.asax.cs, is like any class. You could conceivably add your own event to that class, and in an IHttpModule (for example) that wishes to subscribe to it, simply cast the HttpApplication context parameter in the Init method to the specific type and attach the event as you normally would.
As you have found out, authentication executes on every request to verify whether or not the given user is allowed to view the given page. However, you will need to define a function somewhere which calls .SetAuthCookie() to authenticate the user (normally) on login. It is in this function where you should call your action.
To my knowledge, there is no OnAuthorized event. Perhaps there is in ASP.NET Web Forms, but in MVC things are a little more manual and far more flexible.
If you are in a default ASP.NET MVC Internet application project, then open the AccountController in the \Controllers\ folder and find the Login method:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
    if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
    {
        // Add session data or trigger an event
        return RedirectToLocal(returnUrl);
    }

    // If we got this far, something failed, redisplay form
    ModelState.AddModelError("", "The user name or password provided is incorrect.");
    return View(model);
}
You should find something similar to the above. That is where you would add additional session data or any other one-time code you wish to execute when a user logs in.
The same concept applies even if you are not using the ASP.NET MVC Internet application. At some point, you will need a controller to handle the login POST. On a successful login is where you would execute your code.
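Putting the three answers together, as an added example that is not code from any of them or from the asker's applications: Application 1 issues the forms ticket from its login action with extra data in `UserData` (second answer) and drops a trigger cookie beside it (first answer); Application 2 consumes the trigger inside an `AuthorizeAttribute` override, where `Session` is available, and reads the data from the already-validated ticket. Assumed here and not stated in the thread: both apps sit under the same parent domain (`.example.com` below), and share the same forms cookie name and the same `<machineKey>`, which is what lets Application 2 validate a ticket Application 1 encrypted.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class CrossAppLogin
{
    public const string CookieDomain = ".example.com";   // assumption: parent domain shared by both apps
    public const string TriggerCookie = "AuthEvent";      // name chosen for this example

    // ---- Application 1: call from the Login POST action once credentials have been verified ----
    public static void IssueTicket(HttpResponseBase response, string userName, string userData, bool persistent)
    {
        var now = DateTime.Now;
        // Building the ticket by hand (instead of SetAuthCookie) is what lets us fill UserData.
        var ticket = new FormsAuthenticationTicket(1, userName, now, now.AddMinutes(30), persistent, userData,
                                                   FormsAuthentication.FormsCookiePath);
        var auth = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            Domain = CookieDomain,                    // visible to app 2's subdomain
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        if (persistent)
            auth.Expires = ticket.Expiration;
        response.Cookies.Add(auth);

        // Trigger cookie: only says "a login just happened". It carries no data of its own and
        // app 2 trusts nothing but the ticket, so a client forging it gains nothing.
        response.Cookies.Add(new HttpCookie(TriggerCookie, "1")
        {
            Domain = CookieDomain,
            HttpOnly = true,
            Secure = auth.Secure
        });
    }
}

// ---- Application 2: use as [SessionInitializingAuthorize] on controllers, or register globally ----
public class SessionInitializingAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);          // ordinary [Authorize] behaviour first
        if (filterContext.Result != null)
            return;                                   // not authorized: the 401 result is already set

        var ctx = filterContext.HttpContext;
        if (ctx.Session == null || ctx.Request.Cookies[CrossAppLogin.TriggerCookie] == null)
            return;                                   // no trigger (or no session state): nothing to do

        // FormsAuthenticationModule has already decrypted and validated the ticket;
        // read it from the identity rather than decrypting the cookie again.
        var identity = ctx.User.Identity as FormsIdentity;
        if (identity == null)
            return;

        ctx.Session["CurrentUserProfile"] = identity.Ticket.UserData;   // the one-time work

        // Consume the trigger so this runs once, not on every request.
        ctx.Response.Cookies.Add(new HttpCookie(CrossAppLogin.TriggerCookie, string.Empty)
        {
            Domain = CrossAppLogin.CookieDomain,
            Expires = DateTime.Now.AddDays(-1)
        });
    }
}
```

Because the session marker is keyed to a cookie rather than to the ticket's issue time, a sliding-expiration renewal of the ticket (which gives it a new issue time) does not re-trigger the work, while a fresh login in Application 1 does.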
I'm creating my first ASP.NET MVC 3 app and I have a problem with creating a class instance based on user role.
I have a class called Account and it contains information about user accounts and a few methods which allow me to manipulate (update) user account information. For example ChangeNickName, AddToGroup, RemoveFromGroup, Ban and so on.
As you can see, the problem with these methods is that I don't want to allow anyone to use the AddToGroup or Ban method, but only a user with a specified role (I'm using the ASP.NET default role implementation system).
So I wonder, is there a way I could add the attribute [Authorize(Roles = "Admin")] to my AddToGroup method just like I use it on controller methods?
I know that with proper implementation of controllers I don't need something like this, but I want to make sure that I don't allow anyone to make an instance of the class (or use specified methods by accident) if the user is not part of the specified role.
So for example, if I by accident add access to the AddToGroup method in the user controller, I would still be able to prevent them from exploiting the bug because of the attribute attached to this method.
If I can't solve this problem with attributes, is there a way to make VS block me from debugging the application if I make a call to the AddToGroup method from class xy?
If you have any ideas how to make this work, I'm open to suggestions.
Thanks in advance
You should probably use the AuthorizeAttribute, however you can check the role of a current user in code using Roles.UserIsInRole.
There's a little info on this in MVC here (the assembly seems to have changed between 3.5/4.0):
asp.net mvc -> Roles.IsUserInRole(username,role)
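The in-code check the answer points at, carried through as an added example (not code from the answer or the asker's project): the `Account` class from the question with the role demand inside the sensitive methods themselves, so a controller action that exposes `AddToGroup` or `Ban` by mistake still cannot execute it for a non-admin. It assumes the RoleManager is enabled (the "ASP.NET default role implementation" the asker mentions) and that `RequireRole` and the role names are choices made for this example.

```csharp
using System;
using System.Security;
using System.Web;
using System.Web.Security;

public class Account
{
    public string UserName { get; private set; }
    public string NickName { get; private set; }
    public bool IsBanned { get; private set; }

    public Account(string userName) { UserName = userName; }

    public void ChangeNickName(string nickName)
    {
        RequireRole("Member", "Admin");   // any signed-in member may rename
        NickName = nickName;
    }

    public void AddToGroup(string group)
    {
        RequireRole("Admin");             // the same role [Authorize(Roles = "Admin")] would demand
        Roles.AddUserToRole(UserName, group);
    }

    public void RemoveFromGroup(string group)
    {
        RequireRole("Admin");
        Roles.RemoveUserFromRole(UserName, group);
    }

    public void Ban()
    {
        RequireRole("Admin");
        IsBanned = true;
    }

    // Checks the current request's user against the role provider, the same source
    // AuthorizeAttribute consults. It throws instead of returning false so a caller that
    // forgot its own check fails loudly (an unhandled SecurityException) rather than silently.
    private static void RequireRole(params string[] anyOf)
    {
        var ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new SecurityException("No authenticated user for " + string.Join("/", anyOf));

        foreach (var role in anyOf)
            if (Roles.IsUserInRole(ctx.User.Identity.Name, role))
                return;

        throw new SecurityException(ctx.User.Identity.Name + " is not in any of: " + string.Join(", ", anyOf));
    }
}
```

Map `SecurityException` to a 403 in one place (an MVC exception filter or `Application_Error`) so callers are not tempted to swallow it. For completeness, outside what the thread discusses: the .NET Framework also offers a declarative `[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]` attribute that demands a role on `Thread.CurrentPrincipal` at method entry, which ASP.NET keeps in sync with `HttpContext.User`; it is a Code Access Security feature and is not supported on .NET Core.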
I have an application and a user must log in before he/she can access pages. Now once the user logs in I keep the user details in a session variable (say Session["CurrentUser"]).
Now if a user tries to jump to a page directly I will check if Session["CurrentUser"] has a value or not... if not, then the user will be directed to the login page...
My problem is that I have done this, or rather written this "checking code", on almost all the pages.
What I want is for this code to stay in a particular location and I will just access that method all the time on all the pages... now where should I write this method?
thank you.
You could create a class that inherits from System.Web.UI.Page and then have all your individual page classes inherit from that. Have you looked at the built in ASP.net forms authentication techniques?
You should take a look at ASP.NET Authentication. This will allow you to secure a section of your website, or individual pages via the web.config file and uses a cookie to handle authentication instead of you checking a session variable.
You could put it in a base class which extends Page, then have all your pages codebehinds extend this.
A better solution would be to use the Application_AuthenticateRequest pseudo event in the Global.asax. You really shouldn't be using the session either; have you looked at Forms Authentication?
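What "securing pages via the web.config" from the answers above looks like in practice, as an added example that is not configuration from the question or any answer. With this in place the FormsAuthenticationModule validates the signed, encrypted ticket cookie on every request and UrlAuthorizationModule redirects anonymous users to the login page, so the per-page Session["CurrentUser"] check disappears. The cookie name, timeout, and the "Content" folder are assumptions for the example.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: the login page calls
         FormsAuthentication.RedirectFromLoginPage(userName, false) after verifying
         credentials; ASP.NET issues the ticket cookie and checks it on every request. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             name=".MYAPPAUTH"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies" />
    </authentication>

    <!-- Deny anonymous users ("?") everywhere by default. The loginUrl page itself
         is exempt from this rule automatically. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keep the ticket (and session) cookies out of reach of script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Re-open only what anonymous visitors genuinely need, folder by folder. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The default-deny shape matters: a new page added later is protected without anyone remembering to add a check, which is the failure mode the per-page session test invites. Note that UrlAuthorizationModule only sees requests ASP.NET handles, so on classic-mode IIS static files under a protected folder are not covered unless the pipeline is integrated or the extensions are mapped to ASP.NET.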