I want to set my own Password Validation in ASP.NET Boilerplate for the UserManager. I wrote a custom PasswordValidator class which derives from the IPasswordValidator<User> interface and registered it within Startup.cs: services.AddPasswordValidator<PasswordValidator>()
Now the problem is that both my own Password Validation and the default validation of Boilerplate are active. How can I disable the default password validation?
Create your own PasswordValidator and set it to the PasswordValidator property of UserManager in its constructor. If you create your own PasswordValidator, you can derive from Microsoft.AspNet.Identity.PasswordValidator, which already makes many checks. Override the ValidateAsync method and add your own logic.
See the issue on github
See aspnet identity custom password policy
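As an added example (not code from the answer or from ASP.NET Boilerplate), this follows the answer's approach for Microsoft.AspNet.Identity 2.x: a validator derived from PasswordValidator whose ValidateAsync runs the base checks first and then adds its own rules, assigned to UserManager.PasswordValidator so it replaces the default instead of running beside it. The User type with a long key, the AppUserManager class and the small deny-list are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Derives from Identity's PasswordValidator so its built-in length/character
// checks still run; only the rules added below are new.
public class StrictPasswordValidator : PasswordValidator
{
    // Constructed sample deny-list; a real one would come from a file or service.
    private static readonly string[] BannedPasswords = { "password1!", "welcome123", "qwerty123!" };

    public override async Task<IdentityResult> ValidateAsync(string item)
    {
        // Base rules first (RequiredLength, RequireDigit, ...); stop on the first failure.
        var baseResult = await base.ValidateAsync(item);
        if (!baseResult.Succeeded)
        {
            return baseResult;
        }

        if (BannedPasswords.Contains(item, StringComparer.OrdinalIgnoreCase))
        {
            return IdentityResult.Failed("Password is too common.");
        }

        // Reject runs of one character three or more long, such as "aaa".
        if (item.Length >= 3 &&
            Enumerable.Range(0, item.Length - 2).Any(i => item[i] == item[i + 1] && item[i] == item[i + 2]))
        {
            return IdentityResult.Failed("Password must not repeat a character three times in a row.");
        }

        return IdentityResult.Success;
    }
}

// Assumed application UserManager; User is assumed to have a long key.
public class AppUserManager : UserManager<User, long>
{
    public AppUserManager(IUserStore<User, long> store) : base(store)
    {
        // Assigning the property replaces the default validator rather than adding
        // a second one, so only StrictPasswordValidator's rules apply.
        PasswordValidator = new StrictPasswordValidator
        {
            RequiredLength = 12,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true,
            RequireNonLetterOrDigit = true
        };
    }
}
```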
What is the purpose of the enabled attribute of the org.springframework.security.core.userdetails.User class? Should I always keep that attribute in my 'user' table and use it to populate User instances when they are fetched?
See the UserDetails interface for more details and check the isEnabled() method:
Indicates whether the user is enabled or disabled. A disabled user cannot be authenticated.
The attribute is used when a user is being authenticated. If the user is disabled, Spring Security throws a DisabledException.
However, you can implement your own AuthenticationProvider that ignores this attribute if it is useless for you, or you can always set it to true when User instances are created.
Hence, whether to keep this attribute in a persistent storage depends only on your needs.
I'm going to implement a custom authorization based on a ([User<-->Role<-->Right]) model, and Rights should be compared to the controller and method name (e.g. "controller|method").
I used customized UserDetails and AuthenticationProvider to adjust the granted authorities (here), but as I checked the source code and docs about how to customize the comparison of authorities, I found there is a filter (SecurityContextHolderAwareRequestWrapper) that implements isGranted and isUserInRole to compare authorities, while the documents say to use AccessDecisionManager voters to customize (as I understood). Which one should be used? Where do I have the controller and method (action) name to compare the authority with them?
I got a little confused about Spring Security. Is there any resource other than the official docs that illustrates how it works, I mean the sequence of actions and methods and how to customize them?
There are several approaches:
1. Role based, where you assign each user a role and check the role before proceeding
2. Using Spring Security expressions
3. There are also new Spring ACL components which let you perform ACL control on class level and are stored in a database.
My personal usage so far has been 1 and 2, where you only assign roles to users.
But option 3 allows you to create a finer grained security model, without having to rebuild your webapp when changing the security model.
Role Based
A role based security mechanism can be realised by implementing the UserDetailsService interface and configuring Spring Security to use this class.
To learn how such a project can be realized, take a look at the following tutorials:
- Form based login with in-memory user database (Link)
- Form based login with custom UserDetailsService (Link)
In short, Spring Security performs the following behind the scenes:
1. Upon authentication (e.g. submitting a login form) an Authentication object is created which holds the login credentials. For example the UsernamePasswordAuthenticationFilter creates a UsernamePasswordAuthenticationToken.
2. The authentication object is passed to an AuthenticationManager, which can be thought of as the controller in the authentication process. The default implementation is the ProviderManager.
3. The AuthenticationManager performs authentication via an AuthenticationProvider. The default implementation used is the DaoAuthenticationProvider.
4. The DaoAuthenticationProvider performs authentication by retrieving the UserDetails from a UserDetailsService. The UserDetails can be thought of as a data object which contains the user credentials, but also the Authorities/Roles of the user! The DaoAuthenticationProvider retrieves the credentials via its loadUserByUsername method and then compares them to the supplied UsernamePasswordAuthenticationToken.
5. UserDetailsService collects the user credentials and the authorities and builds a UserDetails object out of them. For example you can retrieve a password hash and authorities from a database. When configuring the website URL patterns you can refer to the authorities in the access attribute. Furthermore, you can retrieve the Authentication object in your controller classes via SecurityContextHolder.getContext().getAuthentication().
Furthermore, to get a better understanding of the inner workings of these classes you can read the javadocs:
- UserDetails - how the user credentials are stored and accessed
- AuthenticationManager.authenticate(..) - contract on how AuthenticationExceptions are handled
- UserDetailsService.loadUserByUsername(..) - contract on how username lookup failures are handled, e.g. user does not exist
SpEL
Instead of only checking authorities, SpEL also enables you to check other properties of a user.
You can use these in the URL patterns, but also annotate methods with @PreAuthorize.
This way securing the business layer is less intrusive.
ACL Based
The ACL based model was introduced in Spring Security 3.0, but hasn't been well documented.
Their suggestion is to look at the Contacts XML example, since this one uses their new ACL component.
Lastly, this book contains great examples on how to further customize your security wishes.
I want to call GetPassword() on MembershipUser, but the custom membership provider in the application is throwing a NotImplemented exception. Let me know some workaround to get any user's password?
Thanks
If you are using a custom membership provider, that means you have created a class that inherits MembershipProvider. When you inherit this class, Visual Studio will typically go ahead and auto-generate the abstract methods that you inherit from MembershipProvider. One of those methods is GetPassword(), and it's up to you to program the logic for it. By default, it throws that exception reminding you that you haven't written the logic for it yet.
If you didn't want to do a custom membership provider, you can use a SqlMembershipProvider instead and let Visual Studio create the necessary tables and stored procedures to handle everything. A custom membership provider is used when you want full control over the programming logic.
I have a custom DataAnnotationsModelValidatorProvider for doing model validation in a more dynamic way than just adding attributes. I tried to add my provider to global.asax.cs like so:
    ModelValidatorProviders.Providers.Clear();
    ModelValidatorProviders.Providers.Add(new AttributeValidatorProvider());
But once I load my form, I get an error saying "Validation type names in unobtrusive client validation rules must be unique. The following validation type was seen more than once: required".
According to a comment on this blog, this is because Ninject is overriding custom validator providers.
I'm fairly new to MVC and I can't seem to find a way to tell Ninject to accept my custom providers as well. How would I go about fixing this problem?
For the record: I do not wish to use Fluentvalidation.net, I want to stick with the default MVC validations (for the most part).
There is another way (works in MVC 4 for sure):
Find your class which inherits the IDependencyResolver interface and add _kernel.Unbind<ModelValidatorProvider>(); to the constructor - you just unbind the Ninject validator and there should be no collision with the default validator.
In my case my constructor looks like this:
    public NinjectDependencyResolver()
    {
        _kernel = new StandardKernel();
        // Drop Ninject's own ModelValidatorProvider binding so it does not
        // register a second "required" rule beside the custom provider.
        _kernel.Unbind<ModelValidatorProvider>();
        AddBindings();
    }
Change the registration of the provider to
    Rebind<ModelValidatorProvider>().To<AttributeValidatorProvider>();
Dear All,
I am using the membership provider of the MVC framework. Now I want to implement Roles and Rights in my project. All the Roles and Rights are available in the database, so how can I implement them? Is there any built-in function which I can use? Also I am using the ADO.NET Entity Framework.
If I'm understanding what you want to do correctly, you have to annotate your Controller class or ActionResult with the Authorize attribute like this:
    [Authorize(Roles = "Domain Admins", Users = "testuser")]
    public class TestController : Controller
    {
    }
Then as long as your membership provider is setup you should be good to go.
It may be worth mentioning that you can always check if a user is in a role with the following code:
    User.IsInRole("Domain Admins");
If you're using MVC2 then the default project template makes it easy. You should check out the AccountController and AccountModels in a default MVC2 template.
It sounds like you need a custom role provider:
http://davidhayden.com/blog/dave/archive/2007/10/17/CreateCustomRoleProviderASPNETRolePermissionsSecurity.aspx
http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx
http://www.codeproject.com/KB/aspnet/WSSecurityProvider.aspx