Im new to Umbraco development, but im plenty familiar with ASP.Net & MVC etc. So Im getting to grips with the object model and terminology used, but Im not sure where to start. I need to use windows authentication on my Umbraco site, which will be for internal use only.
What I envision:
- When a domain user hits any area of the website, grab the user identity
- Lookup to see if matching user(or member) exists and if not create it
- Login this user to Umbraco
- By default all new visitors, if their user identity doesnt match a current member, then create that member and log them in.
Sounds like I need to create my own controller that overrides the base controller (RenderMvcController ?) and check the user identity on each and every request? Maybe do this by overriding the Index action method? Or could I do this with a macro - or as ive seen mentioned, are macros loosing favor with the new version of Umbraco?
Also, Im not sure how to deal with members vs users? As I understand it, members are who have access to the front part of the website, whereas users are those that have access to the back office area and can create/manage content.
Are all users also members?
There will be some that I want to give access to create/manage content, so when Im auto-creating users, its actually members that I need to create, not users?
[ update ]
Actually, I think I will need to create my own membership provider if I want every request routed through the check for a valid domain user? In my research, I keep coming across this example http://thegrayzone.co.uk/blog/2012/07/combined-authentication-with-umbraco/
I have overridden the default RenderMvcController in numerous projects with success, you could of course use the built in Umbraco auth to redirect to an authentication page for users that do not have a valid Umbraco Auth token and set it only only on that page based on their windows identity.
RE: Are users also members?
No. Users & Members are entirely independent of one another; users being back office users & members being front end users. You will need to create 2 accounts.
Related
I'm in throws of moving our security architecture from ASP.NET Core Identity to Azure AD V2 with MSAL.js. We used a lot of Roles with the ASP.NET Core Identity implementation and the information was managed in the database using the web application. The pattern I'm abandoning is similar to this one.
https://www.dotnetcurry.com/aspnet-core/role-based-security
Azure AD with MSAL is working. The tokens are being created and passed and the local Web API Endpoints decorated with the generic [Authorize] attribute are being honored as you would expect. Web API Endpoints decorated with [Authorize(Roles= "Fee, Foo, Fi, Fum")] are throwing a 401 unauthorized error.
I'm not sure where to go from here. Do I write a CustomAuthorize attribute override for Web API and go back to the database and grab the roles. (probably match the DB defined roles to the user based on email address)
OR
Is there a way to implement roles natively with Azure AD V2?
I'm not sure whats the best course of action from here. Documentation and Code samples seem limited. It would sure be nice to just throw a AD User in a Group and have the Group be respected as a Role in the Web API. On the other hand, It's nice to have Role delegation handled within the confines of the Web Application.
Any advice, experience or interest would be greatly appreciated.
Answer
Follow up to my question. #Marc , You're correct, after looking at the token the Roles are not present. Adding Roles to the token seems pretty straight forward. You need to Patch the graph schema to include them, Configure the roles and assign them to users as needed thru AAD.
Or that's how it looks at first glance. After digging a deeper, it requires a P1 or P2 Enterprise license which only costs an additional 6$ per month per user. This will literally double the cost of hosting email in the cloud for us.
Alternatively I wrote a CustomAuthAttribute for WebAPI and tied User & Roles together on the server backend. Roles can still be managed via the web application and users can still login using Active Directory Credentials.
I recall that the id token returned in implicit flow (the one you use with JS) does not include app roles (or groups). I cannot find any docs confirming that but see others who got around the issue (so the issue must be there) by using Graph to get the roles (or groups).
You can capture the token you receive from AAD and view it using https://jwt.ms to see whether roles are included in it.
I've got a project made of two websites:
The front : A Laravel website without database and logic (just showing static pages and my javascript)
The API : A project using Lumen/Dingo API with my endpoints, my database, my logic and my models
I want to allow my front to ask data to my API depending the user.
Ex. I want to log the user, retrieve his friends, add some post to his
account, etc. (from the Javascript)
What is the best solution?
Using an identification per user (using o-auth or JWT)
Allow my front project to ask to my API then each javascript call needs to use my front without knowing my API) (In this solution I need to create routes similars to my API's routes)
Identification per user is always a better solution as the claims can be decided per user, also in future when it is required to provide permissions to access API based on claims or roles, it becomes easy to give information using the claims and amount of access you can give to a specific user.
So the way it will work is:
There will be identity server which will be containing the list of users in the system, and also the clams and scopes per user.
The API project will trust the identity server, that means any token provided by the identity server can get verified.
Based on the token per user your API app can decide how much information you want to give to the user.
That way in future you can have methods based on roles, claims and users will be provided with only the information that they have access to.
I am using vaadin 7, and jboss 7.1.1. There is a business requirement for very granular ui access. There will be parent windows per business function, and in that window functions relative to it. Business requires enabling and disabling those functions within, per user, so as an example, a parent window that represents employees, and when you click that you enter the child window which has functions like editing, deleting, viewing, adding,etc etc but that access must be customized to the user using it, so user x can update but not delete, as an example.
So what i came up with was to store that information in the database. In the database there will be a users table with username and a user guid. Then a parentview table and and parentchildren table and then lastly a userview table. i will store in the userview table the users guid and either the view they have access to and what type of access as in read,write,update,etc... I will on the ui login authenticate against ldap, get the users information and guid and use the guid to pull the users view access from the userview table in the database and store it in the vaadin session, and then on the ui, read that from the session and show the correct access.
I am not sure if this is the best way which is why i am asking if my solution is ok? I have been reading lots of doc's around security but non seem to achieve what i want. Another point of keeping it in the db, is that i can create a user admin ui which can edit the users access simply by updating the db, i dont want to redeploy or do anything with the webserver, I would prefer a ui user access control module and for someone with rights to it to administer that access. I would really appreciate insight and some ideas into this.
Thanks guys, I would appreciate any input.
What you want to achieve, regardless of the environment you are in and technology you are using, is fine-grained access control / authorization.
The way to do that is to use authorization frameworks. Spring Security has one for instance. I'm not sure whether Vaadin comes with anything.
In our company we use Vaadin to develop a management portal and we then use XACML to apply fine-grained decisions to the portal such as which functions to enable for which users and even which items to display in a Vaadin table.
Generally speaking you want to look at the field of attribute-based access control (NIST ABAC). ABAC lets you define authorization constraints based on different factors/parameters such as user attributes (location, department, role...) and resource attributes (where the resource can be data, widgets, functions... You name it).
I actually delivered a webinar yesterday on the topic of fine-grained authorization for Java MVC apps. I think it could prove useful for you.
If you go down the XACML path, you do not need to create a custom database with the information inside as you have done. All you need to do is write authorization policies e.g. a user in purchasing can use the purchasing functions.
There are several open source XACML implementations as well as vendor solutions such as the one I work for, Axiomatics.
I hope this helps. I've also written a lengthier answer here which covers the broader field of authorization.
I am using the default membership authorization that is created when you start a new project in VS for MVC 3. When a user is registered (either if I do it for them in the Administration page or if they register themselves through the Register page created in the application), there is an email field for instance. But where is this stored? Shouldn't I be able to access that e-mail somehow? I can't find it in the User object...
Also, is it possible to add more fields when they register, and to access those as well? For instance address, phone number, etc?
1. Getting the e-mail
You can access the property from the current user by using the Membership object.
Membership.GetUser().Email
2. Extra Fields
The best way to add more fields to the register process is to make another model called UserDetail or something. And make a relationship between User and UserDetail.
Or you throw away the default membership authorization and make a custom one. Here are some handy links:
http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
http://www.asp.net/learn/videos/video-189.aspx
http://www.15seconds.com/issue/050216.htm
http://davidhayden.com/blog/dave/archive/2007/10/11/CreateCustomMembershipProviderASPNETWebsiteSecurity.aspx
For the extra user fields you can use the ASP.NET profile provider.
here is a good article about how to implement it:
http://ashuthinks.wordpress.com/2012/01/08/asp-net-mvc-profile-provider/
I came up with an interesting way to solve the following problem and I want to know if there is a better way to achieve my objectives.
Basically, I'm creating a basic cms system users can register for their own microsite and have their own users. I'm using the asp.net membership api.
I wanted a way to isolate users of the various microsites from eachother so that a user authenticated with www.mysite.com/johns-site wouldn't also be authenticated with www.mysite.com/pauls-site.
I also wanted a way to associate a username with a microsite so that if a user is registered as bob on one site, it doesn't stop another user registering as bob for a different microsite.
To achieve this, I noticed that in the asp membership tables a user belongs to an application. Every time I receive a request, I have a method that switches the applicationName in the web.config based on the url.
This does meet my objectives in an easy way but feels a bit hacky. Is there an alternative way to switch applications for the membership provider?
It is possible to get/set the ApplicatioName property at run time however according to the below MSDN post it is not recommended as the property is not thread safe i.e. if multiple users are creating accounts for different applications at the same time it may not correctly allocate the ApplicationName per user.
Syntax:
Membership.ApplicationName = "MyAppName"
OR
Membership.ApplicationName = "MyAppName";
Further reading:
http://msdn.microsoft.com/en-us/library/system.web.security.membership.applicationname.aspx
Note:
You are updating the contents of the web.config file from the application code? If so this is most certainly "hacky". Plus editing the web.config will drop any active sessions (if your app uses session state of course).
I agree, it is a hack that will likely make you pay at some point.
The proper way to accomplish this would involve each virtual directory (or microsite as you say) each defining a <membership> element with the same connection string but different applicationName attribute.