Asp Mvc 3 & Ninject - Authorize Attribute + FormsAuthentication cookie - asp.net-mvc-3

I am trying to make a simple scalable web system, and after looking around a bit it seems that forms authentication with cookies is what I'm looking for, as I do not need a session for storing login-related data.
I have recently plumbed in that part of the system and noticed that the Authorize attribute was not doing anything. After a look around the internet it seems that Ninject is causing the issue, as it doesn't handle the attribute correctly.
Now if this is the case and it doesn't allow me to use the built-in authentication mechanism, how am I meant to get the same functionality that Authorize would normally give me, without having to write my own authentication system?
As currently it looks like I would have to make my own CustomAuthorizationAttribute and then make a filter with that, which I am happy to do, but I cannot find how to get this to defer to the FormsAuthentication mechanism. Also this only seems to work at a controller level, not at an action level.

I had a similar issue just now (that's how I found your question).
After some googling, I tried moving my IKernel setup code from Global.asax to App_Start\NInjectMVC3.cs, and it miraculously worked.
I'm not sure what caused the initial issue though.

I use Ninject + MVC3 + Authorize attributes with ASP.NET forms authentication using cookies. Everything works as it should.
What do you mean by "the authorize attribute isn't doing anything?" Do you have your membership providers set up in your web.config file?
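As an added example (not code from the question or the answers above), a custom authorization filter for MVC 3 that defers to forms authentication: it reads the IPrincipal that FormsAuthenticationModule builds from the forms cookie, can be applied to a controller or to a single action, and sends unauthenticated users to the configured login URL. The attribute, controller and role names are constructed.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Usable on a controller class or on an individual action method.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class FormsAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    // Optional comma-separated role list, mirroring [Authorize(Roles = "...")].
    public string Roles { get; set; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        // FormsAuthenticationModule has already decrypted and validated the forms
        // cookie and set HttpContext.User before any MVC filter runs, so this filter
        // never touches the cookie bytes itself.
        IPrincipal user = filterContext.HttpContext.User;
        bool allowed = user != null && user.Identity.IsAuthenticated;
        if (allowed && !string.IsNullOrEmpty(Roles))
        {
            string[] required = Roles.Split(',').Select(r => r.Trim()).ToArray();
            allowed = required.Any(user.IsInRole);   // role check via the configured RoleProvider
        }
        if (allowed)
        {
            // Never let a shared or proxy cache hand this page to a different user.
            filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
            return;
        }
        // Send the browser to the loginUrl from <forms loginUrl="..."> in web.config,
        // carrying the requested path so the login page can return the user there.
        string loginUrl = FormsAuthentication.LoginUrl + "?ReturnUrl="
                        + HttpUtility.UrlEncode(filterContext.HttpContext.Request.RawUrl);
        filterContext.Result = new RedirectResult(loginUrl);
    }
}

// Hypothetical controller: the whole controller needs a login; one action also needs the Admin role.
[FormsAuthorize]
public class AccountController : Controller
{
    public ActionResult Index() { return View(); }

    [FormsAuthorize(Roles = "Admin")]
    public ActionResult Audit() { return View(); }
}
```

The filter does nothing useful unless web.config has `<authentication mode="Forms">`, because that is what installs the module that turns the cookie into HttpContext.User.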

Related

Is JSP necessary for Angular2 security for different roles

I am building an application using Angular2 as the front-end framework and Spring Boot as the backend framework.
One of the seniors in my team insisted on using JSP as templates for my components in order to avoid rendering any unauthorized views.
Is that really necessary? I saw many applications which are implemented using Angular or other front-end frameworks but did not render the templates in the backend; is it a good practice? Isn't authenticating the requests enough?
Also, wouldn't that be a problem for performance?
From my point of view I think JSP will prevent us from using the potential of Angular; any help or documentation on that subject would be much appreciated.
Short: No, JSP is not necessary.
Long: One has to realize which part runs where. JSP on the server, Angular in the browser. I assume your senior colleague is concerned about displaying unauthorized data - but that is not the concern of Angular. Angular is basically just the View, and, perhaps, Controller. But it has to get the data from the server - which is usually done over some REST service. And it is the duty of that service to serve only data the user is allowed to view. So you can implement your View/Controller part in Angular, putting all the views (even the restricted ones) in, and then implement proper security into your server-side data service.
No, it's not necessary to use JSP in Angular 2.
It's correct that JSP allows you to protect the template itself from unauthorized access, but in our case it's not really a bad thing to happen from the security point of view, as access to the template without the data itself is not something dangerous. The data of course must be protected with your own security/authentication to prevent unwanted access to it.

ASP.Net MVC3 user authentication tutorials

I'm currently working as a developer on a website, and it's more or less my first time doing any sort of web development. We're currently at a stage that we need to do user authentication, but I have absolutely no idea how I can accomplish this.
To that end I've tried to do some googling and searching on SO, but my google-fu is currently failing me.
Are there any tutorials that can take me from knowing nothing about authentication to being able to set up some secure authentication on my website?
We're developing this under MVC3 with Razor view engine, if it helps at all.
I would say here is a good starting point. The fact that it's MVC3 isn't really going to change anything (i.e., the Razor view engine doesn't change anything about authentication in MVC).
Take a look at the ASP.NET MVC Music Store example application, specifically Part 7.
What ErOx posted, plus here is a sample implementation of a custom MembershipProvider.

Mock presence of Authorize attribute

I was wondering how you could mock that a controller is decorated with the [Authorize] attribute in MVC3? I am using a custom membership provider. I would like to test that a controller has been decorated with the attribute and you are authorized, and what happens when you are not. I'm using Moq. Any good suggestions on this?!
UPDATE:
I'm currently getting a NullReferenceException saying "object reference not set to an instance of an object". It's the same error as previously mentioned in this post: NullReferenceException while using Authorize Attribute
This is related to the Authorize attribute. I'm running under IIS and not using Cassini. Does anyone know if this is somehow related to the application pool and user rights? The tests that I have for the authorize attribute won't work until this is fixed.
Maybe there is some other way of testing the Authorize attribute? Big thanks in advance.
UPDATE2
So after some extensive research and debugging help from a colleague I managed to fix the problem with the [Authorize] attribute. It appears as though this line in the web.config was missing:
<modules runAllManagedModulesForAllRequests="true">
Strangely enough this did not cause a problem for another colleague that was sharing the trunk, or in the beta environment. It only caused problems for me locally. This might have been related to something in the GAC. Anyhow, all works now.
Thanks.
I wrote a blog post about exactly that a couple of months ago:
http://thomasardal.com/unit-testing-attribute-decorations/
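An added example, not the linked post's code: tests for MVC 3 that check by reflection that a controller is decorated with [Authorize], then exercise the built-in attribute against a Moq-mocked HttpContextBase for the unauthenticated and authenticated cases. The controller and test names are constructed, and NUnit is an assumption (the question names only Moq).

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Moq;
using NUnit.Framework;

[TestFixture]
public class AuthorizeAttributeTests
{
    // Constructed stand-in for the controller under test.
    [Authorize]
    public class SecureController : Controller
    {
        public ActionResult Index() { return View(); }
    }

    [Test]
    public void SecureController_IsDecoratedWithAuthorize()
    {
        var attrs = typeof(SecureController).GetCustomAttributes(typeof(AuthorizeAttribute), true);
        Assert.AreEqual(1, attrs.Length);
    }

    // AuthorizeAttribute reads HttpContext.Items, User and Response.Cache. With a plain
    // mock those members come back null and the attribute throws NullReferenceException;
    // DefaultValue.Mock makes Moq hand out nested mocks for them instead.
    private static AuthorizationContext BuildContext(bool authenticated)
    {
        var http = new Mock<HttpContextBase> { DefaultValue = DefaultValue.Mock };
        http.Setup(c => c.User.Identity.IsAuthenticated).Returns(authenticated);
        var controllerContext = new ControllerContext(http.Object, new RouteData(), new Mock<ControllerBase>().Object);
        return new AuthorizationContext(controllerContext, new Mock<ActionDescriptor>().Object);
    }

    [Test]
    public void UnauthenticatedUser_GetsUnauthorizedResult()
    {
        var ctx = BuildContext(authenticated: false);
        new AuthorizeAttribute().OnAuthorization(ctx);
        Assert.IsInstanceOf<HttpUnauthorizedResult>(ctx.Result);   // 401, which forms auth turns into a login redirect
    }

    [Test]
    public void AuthenticatedUser_IsAllowedThrough()
    {
        var ctx = BuildContext(authenticated: true);
        new AuthorizeAttribute().OnAuthorization(ctx);
        Assert.IsNull(ctx.Result);   // no result set means the action is allowed to run
    }
}
```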

asp.net mvc 3.0 Global Filter for SSL pages

I’m in the process of creating a new C# asp.net mvc 3.0 project.
The web site will hold some public pages (such as: Home, about us, contact us, etc…) and hold some SSL enabled pages (such as: Login, Forgotpassword, Signup, in addition to all the pages in the application that the user will see after a successful authentication).
I’m curious to hear your thoughts (an opinion), before deciding on a particular approach.
I was thinking of using the Global Filter approach provided in MVC 3.0 in order to verify which pages are being accessed... if the user is accessing public pages then make sure he's on http://; if the user is accessing an SSL page then make sure it prints out the https://
Would the Global Filter approach be appropriate for what I'm trying to achieve?
Is there a good blog post for MVC 3.0 with such a thing? (Currently googling).
Feel free to show me how or even propose an alternative.
Thanks
Sincerely
Vince
I believe this is what you are looking for...
http://weblogs.asp.net/jeffwids/archive/2010/08/19/how-to-switch-between-http-and-https-in-asp-net-mvc2.aspx
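An added example, not from the question or the linked post: an MVC 3 global authorization filter that upgrades pages marked with a constructed SecurePageAttribute to https (the built-in [RequireHttps] does the same thing per action or controller). It deliberately leaves public pages alone when they arrive over https rather than downgrading them, since bouncing an authenticated browser back to http would expose any cookie not marked Secure.

```csharp
using System;
using System.Web.Mvc;

// Marker for controllers or actions that must be served over TLS (constructed attribute).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
public sealed class SecurePageAttribute : Attribute { }

// Global filter: runs before every action and upgrades marked pages to https.
// Public pages reached over https are left as they are rather than downgraded.
public class SslRedirectFilter : IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        bool mustBeSecure =
            filterContext.ActionDescriptor.IsDefined(typeof(SecurePageAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(SecurePageAttribute), true);

        // IsSecureConnection describes the hop to this server; behind a TLS-terminating
        // load balancer it must be derived from the forwarded headers instead.
        if (!mustBeSecure || request.IsSecureConnection) return;

        // Only a GET can safely be replayed; a POST sent over http has already leaked its body.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("This page must be requested over HTTPS.");

        string url = "https://" + request.Url.Host + request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}

// Global.asax.cs: the MVC 3 template already has this method; add the filter to it.
public class MvcApplication : System.Web.HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new SslRedirectFilter());
    }
}
```

Mark the Login, Forgotpassword and Signup controllers (and every post-login controller) with [SecurePage]; the Home, About and Contact pages need no attribute.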

MVC Pages that require the user to be logged in

I'm working on a little MVC framework and I'm wondering what the "best way" is to structure things so secure pages/controllers always ensure the user is logged in (and thus automatically redirects to a login page--or elsewhere--if not). Obviously, there are a lot of ways to do it, but I'm wondering what solution(s) are the most common or are considered the best practice. Some ideas I had:
Explicitly call user->isLoggedIn() at the beginning of your controller action method? (Seems far too easy to forget and leave an important page insecure by accident)
Make your controller extend a secureController that always checks for login in the constructor?
Do this check in the model when secure information is requested? (Seems like redundant calls would be made)
Something else entirely?
Note: I'm working in PHP, though the question is not language-dependent.
ASP.Net MVC does this nicely with the [Authorize] attribute on the controller class which needs authorization.
It isn't the only way to do it, but...
All client requests go to a FilterManager, which builds a FilterChain based on the details of the request. Within the FilterChain, if the resource is one that requires a logged-in state, and the client isn't logged in, the request can be redirected. The original request can be saved and redirected to the log-in page, allowing continuation from the original request (this is optional).
It's a J2EE design pattern, but you can implement it in any language once you get the idea. In this case, one of the "filters" is an "authentication filter". See http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html for details of the idea (in Java).
The advantage of this is that all pages centralize their logic in the FilterManager, so a page need only make its call to the FilterManager. Additionally, you can add debugging filters, logging filters, etc., which can assist in maintaining and developing your code.
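The intercepting-filter idea from the answer above, as an added example in C# (the question is language-independent, and none of this is a framework's own code): a FilterManager runs a chain of filters, and an AuthenticationFilter with a deny-by-default public-page list saves the original path and diverts the request to the login page. All types, fields and paths are constructed.

```csharp
using System;
using System.Collections.Generic;

// Minimal request model, constructed for the example (not a real framework type).
public class PageRequest
{
    public string Path;
    public bool IsLoggedIn;
    public string RedirectTo;        // set by a filter that diverts the request
    public string SavedRequestPath;  // original path, so login can resume it
}

public interface IFilter
{
    // Return false to stop the chain after setting a redirect on the request.
    bool Execute(PageRequest request);
}

// Deny by default: only paths in the public list may be viewed anonymously, so a
// new page that nobody remembered to protect is still behind the login.
public class AuthenticationFilter : IFilter
{
    private readonly HashSet<string> _publicPaths;
    public AuthenticationFilter(IEnumerable<string> publicPaths)
    {
        _publicPaths = new HashSet<string>(publicPaths, StringComparer.OrdinalIgnoreCase);
    }

    public bool Execute(PageRequest request)
    {
        if (_publicPaths.Contains(request.Path) || request.IsLoggedIn) return true;
        request.SavedRequestPath = request.Path;   // continuation after login
        request.RedirectTo = "/login";
        return false;
    }
}

// The single entry point every page calls; filters run in the order added, so a
// logging or debugging filter placed first sees every request.
public class FilterManager
{
    private readonly List<IFilter> _chain = new List<IFilter>();
    public FilterManager Add(IFilter filter) { _chain.Add(filter); return this; }
    public bool Process(PageRequest request)
    {
        foreach (var filter in _chain)
            if (!filter.Execute(request)) return false;
        return true;   // all filters passed: the page may execute
    }
}
```

Wiring for the constructed types: new FilterManager().Add(new AuthenticationFilter(new[] { "/", "/about", "/login" })).Process(request) at the single entry point, with the login page reading SavedRequestPath to send the user back afterwards.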