In LogIn method I have:
FormsAuthentication.SetAuthCookie(model.User, false);
and to get name of this user we use
User.Identity.Name
Is possible to get for example type account from databese?
I mean, during when user is Loging, type account is send (to cookie?).
And use this type in view using something like User.Identity.Name without using controller.
Is possible to do something like that?
If I'm understanding your question right, I think your best bet would be using an ASP.NET Profile Provider. With the Profile Provider, you can do something like:
HttpContext.Current.Profile.AccountType
You'll need to do a few things to make it work in MVC. See here for more info:
Implementing Profile Provider in ASP.NET MVC
Hopefully this helps, and I'm interpreting your question correctly.
Related
I cannot figure out why ASP.NET Identity does not work with my roles. I created a custom UserStore and a custom RoleStore. In my UserStore I implemented the IUserRoleStore interface, and I expected at least one of those methods to be called when ASP.NET determines if the user should be authorized to call a given endpoint, but none of the methods are getting hit.
I registered the services like this:
builder.Services.AddIdentity<User, ProReceptionRole>();
builder.Services.AddTransient<IUserStore<User>, UserStore>();
builder.Services.AddTransient<IRoleStore<ProReceptionRole>, RoleStore>();
I also tried registering the services using this variant (with and without the AddRoles part - and with different ordering of the extension methods):
builder.Services.AddIdentity<User, ProReceptionRole>()
.AddUserStore<UserStore>()
.AddRoleStore<RoleStore>()
.AddRoles<ProReceptionRole>();
When I add the [Authorize(Roles = "MyRole")] attribute to my controller class, then I get 403 Forbidden, even for users that have the given role.
I read through the documentation but I can't spot my problem. The only part that I am unsure about is that it says If you are using Roles, update the RoleManager to use your RoleStore class. - and I am assuming that this is done when I register my RoleStore, but maybe I have to do something extra?
Any pointers are greatly appreciated.
Thanks!
Can anyone save some of my hair? :)
I'm trying to create an asp.net WEB API interface for an older CSLA (1.x/2.x era) project. I am testing by hard coding the login on every request in various ways (once in the startup code, as an authorization request filter, inside the individual route request etc etc). All the ways I tried work exactly once perfectly and then I get the infamous:
'Default principal object cannot be set twice.'
exception in BusinessPrincipal.vb (yeah I know it's very old, but it's released software, I can't upgrade CSLA)
I know that there is an issue where you need to set HttpContext.Current.User = Thread.CurrentPrincipal; due to some internal workings of the web API and I do that already, that has not resolved the issue.
I'd like to know if anyone has implemented a web api front end and how they handled this issue or any pointers as to what could be the solution.
Worst case scenario if I could at least just login once and keep that same principal without losing it I could implement a second layer of security, that woudld be acceptable, barring anything else is there some way to just login once and not lose that principal?
That BusinessPrincipal class would be in your code base, not in CSLA itself. The Csla.Security namespace does include a BusinessPrincipalBase that is probably the base class for your BusinessPrincipal.
Classes in that namespace are here in GitHub
It is true that you can only call AppDomain.SetPrincipalPolicy one time, but you should be able to set the Thread.CurrentPrincipal and HttpContext.Current.User multiple times.
Is there a way to change the scope/permission when using Microsoft.Web.WebPages.OAuth? The most logical place is when registering the client with OAuthWebSecurity.RegisterClient. I thought that the adding scope to the extraData parameter would possibly work, but I didn't have success with that.
Microsoft.Web.WebPages.OAuth does not expose the scope when authorizing with a client. I ended up adding custom DotNetOpenAuth clients to include my necessary scope.
The extradata is something you can pass about the provider and use it in tehe UI layer. For eg. extra data could be the icon to display when listing the provider to use for login.
Following post shows how you can write your own provider and plug it into your site
http://blogs.msdn.com/b/webdev/archive/2012/08/23/plugging-custom-oauth-openid-providers.aspx
I am writing an MVC 3 application and I am trying to implement my own custom membership provider (following the sample in Apress' Pro ASP.NET MVC 3 Framework).
I created my custom class, inherited from MembershipProvider and (using ReSharper) implemented all 27 of the methods with NotImplementedExceptions.
Now, I have overridden the ValidateUser method as the book states and it works fine, but I would like to make my provider more robust and implement the other methods (e.g. set MinRequiredPasswordLength and GetNumberOfUsersOnline).
Is there some sample code that I can use to start populating these methods that I can tweak to fit my own DB/Model schema?
I can certainly use trial and error to figure it out, but a base code sample would greatly help.
EDIT:
This question was just downvoted twice. If you are going to downvote, please post a comment as to why so that I can work on improving my questions.
EDIT 2:
For example, for the following method:
public override int GetNumberOfUsersOnline()
{
throw new System.NotImplementedException();
}
I can try to write code from scratch to look at some web log, determine the users login time and approximate if they are still on, but that will take a large amount of time for me to figure out. Since all this code is from the same interface that Microsoft wrote for the standard SqlMembershipProvider, isn't there code out there (even from MS) that contains this method? If so, I want take it, modify it so it uses my DB schema instead of the aspnetdb default schema. I would prefer to have some sort of base code to work from. I thought this would be a simple and fairly standard request, but perhaps not.
You can't use the default provider's code for your custom provider, that is why you are implementing a custom one, to tweak it according to your requirements, use your own db tables etc.
Take a look at my blog posts about custom membership, custom role providers and custom membership user. There is an example there of how you can use your own database to get/set membership information.
Here's a of sample implementation of custom MembershipProvider on MSDN.
http://msdn.microsoft.com/en-us/library/6tc47t75.aspx
I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.
Assume users add some object, e.g. books. I would like to give access to edit a book only to admin and the user that added the book. I'm currently using Acegi plugin. I know there is newer version of that plugin, but I'm not sure if it changes anything in my problem.
The second thing is some kind similar. I have a sidebar and there is "Hello ${currentUser.username}. currentUser is a method that returns an instance of currently logged user. But the problem is that I don't have any idea where can I put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?
Thanks!
Grzegorz
You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.
For the second question, there's a taglib for that. In the Acegi plugin use this:
Hello <g:loggedInUserInfo field="username"/>
(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:
Hello <sec:username/>
(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)
For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:
#Secured(['WHATEVER_ROLE'])
As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain.
def loggedInUser = authenticateService.userDomain()
if (book.createdBy.equals(loggedInUser)) {
// allow editing
}
Something like that, anyway.