Looking For Authentication Advice For .NET MVC 3 Application
Nov 2, 2010
I have a web application that will be used by the public. This application has a login credentials requirement.
I don't want to create yet another site that you have to create a custom username/password combination unless you really want too. I would like to support 3rd party logins like Facebook, Twitter, etc...
In the end this website could run in the Azure cloud as well so I am open to anything special to that.
One thing to note is the Microsoft Membership Provider that is part of ASP.NET is a great way to have custom login/passwords with a nice integration into MVC code. What I would love is that Provider opened up to allow 3rd party logins.
I've been asked to upgrade a few applications and I'm planning on merging all of them into one asp.net application. I'm fine with this decision and have spoken with fellow workers and they also think it's the best option to go with.
The application will be accessed from a small group of users which belong to a larger domain. I'm currently planning on using Windows authentication and only allow this small set of users to access the asp.net application. Also there must be some role management, so that only certain users can view certain functionality.
I really don't want to have many different windows groups; so I want to avoid having to assign different windows groups to different folders and control permissions in the web.config.
What I'd like to do is:
- Assign one windows group to the small group of users who will access the page.
- Create a custom membership provider and control the user who accesses the application. Depending on the user I will then assign his current set of roles.
- Add an application setting to the web.config, with the name of the current administrator, so if he logs in, he will be assigned all roles, and will be able to create and assign roles to other users.
Am building an app in VB.NET | ASP.NET 4 | SQL 2008 R2I am building an site that will potentially have upto 15, 000 pics for now. More added each weekWould it be best to insert those pics (from a few kb to 2.5 Mb per pic) into the database or have them in a directory with links to those pics in the database?The site will have pages of pics which the user can browse or click on taking them to another page with info. Basically like a photo album
Currently, I am exploring options for sending data to the client. What I am hoping for is suggestions, or a pros and cons feedback.
What I am wanting to do is query the database then send this data to a web service ( or maybe wcf ). Once there, jquery ( or another JS library ) will utilize this data to fill a grid/tree/form depending. This all seems very very basic, but what concerns me is the amount of data that can be sent. I have seen some grids that have 16K records...and what worries me is that would be WAY too much data to send.
I was just wondering how these things are handled. My current thoughts are to do a 'onDemand' loading, but my inexperience has me second guessing. Also, I know this isn't directly related to jquery, but I notice there are a lot more examples with wcf rather than webmethod/web services.Is wcf better for these types of things?
I have been investigating the best way that I can secure my MVC application and restrict specific functionality from users. My first approach was using role management. I thought of expanding the membership database by writing an interface that would allow me to create groups of functionality i.e. 'manage customer' and then another table would hold 'activity' information for that group i.e. 'create', 'edit', 'transfer', etc. I would then create another table to link groups of functionality to specific roles and then assign my users to the roles. At first this seemed ok but I soon realised that I was a level of granularity missing. Not every user who is assigned to a specific role should have access to all of the functionality for a given group attached to a role, damn! I then thought that I could create another linking table that would hold 'access exceptions' i.e. this table would contain entries of a userid and activity id that a specific user was excluded from.
Does this approach make any sense? Is the creation of databases tables and an interface the best approach to this?
Within an existing ASP.NET page I've created the following layout, which is a tabbed header and content area. When the tabs are clicked (using JQuery) I show the relevant content, and hide all the other content for that respective tab, like so...
I'd like to expand this functionality to make it into a User Control, so that I could re-use the code more easily. Once the control is created, I'd like to be able to use it like this:[Code]....
where I can start learning how to do this, or offer direct help on the code? I've read many tutorials for creating controls using existing controls (e.g. custom labels etc) but they are all too simple. With the above, do I need to create a ContentArea control first, then work onto the TabbedControl? How do I get ASP.NET to render out the contents of my ContentArea (including ASP.NET controls that are contained within it)?
I have seen some articles about different types of authentication in online. But i have not used any thing particular.I build a web application that user can register and login an after that.In that application when the user comes to loginpage and enter the user name and password and on click of the login button,the validation is done against the data in DataBase. So i am not getting the any idea of form level authentication with the user details in the webconfig file. For what type of applications we use this type of authentication. Can anybody help to get an idea about this authentication.
I am new to ASP.NET development and moreover I am only extending an existing application which i did not create.
I have a working ASP.NET application which uses "Forms authentication" throughout all its pages. I have added a new webservice in a subfolder "webservicesDummy.asmx". This webservice works fine but because it should be called by an external application which can't authenticate through a form, i need to enable "Integrated Windows Authentication (Basic Authentication or Digest Authentication)" ONLY for the subfolder "webservices".
I tried to configure it in IIS but it did not work. So that i can set a different authentication method i have to create the folder "webservices" as an "Application". But if i do so then my function stops working with the error "Could not create type 'Dummy'."
Is it possible to have one web application and to authentication methods ? If yes how is it configured in IIS ?
Or what would be the better way if i need ONLY one page (webservice) to use a different authentication then the rest of my application.
PS: I use Windows 2008 Server and the app runs on .NET Framwork 2.0
It is working fine in my local machine but when I deploy on my server then it is not working.is it any iss setting or something else.. what I need to do for this.below is web.config code and local machine having IIS 6.0 and Server having IIS 7.0
Has Passport authentication been removed from ASP.NET 4? It doesn't appear in the documentation anymore, I can't find the site to download it... It seems like Windows Live ID is replacing it, is it correct?
Here's the situation, I've got a console application that needs to run once a day and make a few requests to pages that require authentication to view. The pages are hosted in a really basic ASP.Net Web Application.
So, I know that in order for the requests to go through successfully I have to authenticate with the server. So I've hooked up the console application to the ASP.Net Membership Provider I'm using for the web app and it successfully determines if a set of a credentials are valid. However, after calling Membership.ValidateUser() any requests I make just get the login screen. After doing some reading it seems that this is because I'm missing the important cookie information that persists my login or what-have-you.
I'm using a basic WebClient to make the requests and then reading/discarding the result.
So the meat of the question is this: Is there a simple way to validate the login information and hold on to it so that I can make the requests successfully, or is this the exact same case as the other two questions I found that require the WebClient to make a "manual" login request to the login.aspx page and try to hold on to the cookie from there?
The questions I'm referencing are:
Authenticating ASP.NET MVC user from a WPF application and Login to website and use cookie to get source for another page
I need to have 2 separate logins for my asp.net web site. Firstly I need to block access to the site entirely and show an unstyled log-in page (so it doesnt show the layout of the site).
This login is only needed whilst the website is in development.
Secondly, I need another login for a "members area" of the site. This is part of the functional site and will be permanent.
I'm at a loss as how to manage these 2 logins. I had first thought of using Windows authentication to allow preview access to the site and then forms authetication for the members part but according to IIS7 I "cant run Challenge based and Log-in redirect based authentication simultaneously".
I have authentication in my web application. I want the application to be logged in with the same credentials as of system logged in. Am able to compare the username easily, but don't know how i can compare the textbox content with logged in windows password. Am using .NET 3.5.
My asp.net mvc application, requires me to login every 20-50 seconds, i contacted the hosting provider, who says its due to recycle of pool. i have added following code to web.config.
I am developing a web application which requires user to login. There will be N number of users using website concurrently. We have a MySQL database which will store user information like Name, User ID, Password etc. I am not able to understand on how to check username and password once they enter data using Login form which will be present in DB.
Is it possible to force authentication on all controllers within my MVC2 application? Currently, I have to use [Authorize] at the start of every controller. My entire application requires authentication (except for the Login screen of course) and I'm looking for a way to make this a default for each new controller I create.
I am building an intranet website. And I am still unsure of how to implement the security of the website. I am using ASP.NET MVC 3.
Anyone in the company can access the website. It is a recognition system where you can nominate an employee for an award. Currently I am not using any type of authentication. I have a roles table that contains roles and an association table that specifies which user contain what roles, these roles are mainly administrator-type roles. If a user does belong in these roles then he/she can still access various parts of the website.
Would I need to use the built-in membership for this? Or would I need to create a custom membership for this? We don't use a login page. If the user does not have roles to access a view then he/she is redirected to another page.
We use IIS to do our authentication. Is this the same as Windows authentication? I have the roles table used for authorisation.
Previously, I have implemented two separate ASP.NET Web Applications, one as a virtual application in a subfolder of the other, which successfully shared forms authentication as described at [URL]
(basically, setting up identical <forms> sections in the Web.config, and keys in the <machineKey> section)
Now, I am trying to do something similar to get BlogEngine.NET (which is a Web Site, not a Web Application) to work sharing forms authentication with a Web Application of mine. I have tried both putting it as a virtual application in a subfolder, and setting it up as a separate IIS site (same domain name, different port number), but I can't get the authentication to work at all: when I go to the blog while logged in to my Web Application, Page.User.Identity.IsAuthenticated is always still "false".
I'm really not sure how to even start debugging this, since the forms authentication is handled before any of my code runs.
I've a project using windows authentication and it will be used in intranet. The client itself already have a web application in their intranet and they built it with Java (they used windows authentication too). The problem occur when they want my web application only appear within their application content section.
What should I do? I did think about using iframe but some people said it's evil. And if I'm going to use iframe, is it save? My web application will use a few pop up window/modal window and ajax.
I need to create an application (ASP.NET or WinForms or Windows Service, not sure) that needs to make a call to a url including username and password for basic authentication and have the url return a csv file. I then need to use the csv file in the application. I don't know how to do this. How do I call the url in my app. There can be no user interaction, it needs to be completely automated in the returning of the csv file.
I am using Windows Integrated Authentication with impersonation for all my web applications (on IIS 7 and 7.5), and everything is perfect.
Now I would like to enhance the authentication procedures bypassing the login prompt from IIS, and supplying a custom page to collect the Username + Password inputs from Users, but still mantaining the Windows Authentication support (I rely on the WindowsPrincipal in my application for many core activities).
I just would like to replace the IIS popup with my custom authentication page.
First of all I have tried to mix the WIA with Forms Authentication, but - even if I succeed in authenticating users against the Active Directory - the result is not what I was looking for, because I want to mantain Windows Authentication and not migrating the mechanism to Forms Authentication (even if implemented with the AD provider).
The first step I am trying is to use the "LogonUser" function to create the correct WindowsPrincipal and then the "Impersonate" method, but after this step I have no idea about how to persist the authentication data andor to pass the User information to the Windows Authentication. As a result, when I execute the first redirection to another page the information about the user manually logged are lost.
I would like to add this feature to my web application, for the end users to chose the type of the authentication either (windows) or (Forms), and add it in the admin setting. This can be done by changing the authentication type programmatically in the code. how can I do this? Note: The user can use one type at time only.
My question is about an approach, and I am looking for tips or links to help me develop a solution. I have an .NET 4.0 web forms application that works with Forms authentication using the aspnetdb SQL database of users and passwords. A new feature for the application is a new authentication mechanism using single sign on to allow access for thousands of new users. Essentially, when the user logs in through the new single-sign-on method, I will be able to identify them as legitimate users with a role I will have something like HttpContext.Current.Session["email_of_authenticated_user"] (their identity) and HttpContext.Current.Session["role_of_authenticated_user"] (their role).
we are developing asp.net web application with form authentication in IIS 6 - Windows server 2003.the application is working fine.but if we call any .html extension we are getting the following errors,
"Internet Explorer cannot display the webpage - Diagnose Connection Problems "
