How to add in a Security feature to an existing asp.net project?

  • Question

  • User2142845853 posted

    Just trying to take an existing simple asp.net vb application that runs fine, and add passwords and email reset features to it.  There are 2 groups of users, one on an Active Domain, which I've used before and that is simple, sending to them to authenticate and getting back yes/no;  the 2nd just a SQL table with users that an admin has to approve users for initially but they set/reset the password and get an email link.

    Hoped to find an add-in with a wizard tool that I could say the SQL table path and password is: ....  

    And it sets up a user table in the SQL.  Am assuming the methods have to be added to the project and referenced but how?  Is there some package that can work with both AD and a custom table? If not, it's ok; it's the setting up of the email password reset and authentication based on a user table.

    Tried several examples, tried one by Rick Anderson from 2014 but the info had typo(s) and the solution would not compile

    Tuesday, December 4, 2018 7:50 PM

All replies

  • User-943250815 posted

    Seems you are looking for ASP.Net Identity
    https://www.asp.net/identity
    or the older version ASP.Net Membership
    https://docs.microsoft.com/en-us/previous-versions/yh26yfzy(v=vs.140)

    Tuesday, December 4, 2018 8:06 PM
  • User-2054057000 posted

    You can use Identity Membership system by Microsoft. This has all the necessary security features for a website. These features are:

    1. Adding users and authenticating users.
    2. Role management.
    3. Claims and policies.
    4. External authentication integration like Google+ logins, Facebook logins, etc.

    Identity will create a new SQL database where users and their authentication managements will be stored. So basically you will have 2 connection strings in your website - one for your website's database and the other for identity.

    Reference - How to Setup and Configure Identity Membership System in ASP.NET Core

    Wednesday, December 5, 2018 1:22 PM
  • User2142845853 posted

    Thanks, I've been watching the videos on asp.net authentication. Not what I wanted but it's something.

    Friday, December 7, 2018 4:30 PM
  • User2142845853 posted

    I created an app with security, there is a method to create a user but can't find where this is ever called from boilerplate code,

     Public Sub ConfigureAuth(app As IAppBuilder)

    Where/how do I add the web interface to call the method to let me configure users?  Also need to set it so that if a user registers, it alerts the admin so they check and enable them in the project, probably by assigning a role?  So if person x registers, they still can't use the app until an admin edits their profile and says they're an admin1 or admin2 or?

    it has to have reset password, which appears to be in a method but not in any page?

    Friday, December 7, 2018 5:30 PM
  • User475983607 posted

    rogersbr

    I created an app with security, there is a method to create a user but can't find where this is ever called from boilerplate code,

     Public Sub ConfigureAuth(app As IAppBuilder)

    I'm guessing you've created a project using the "Individual Account" option in Visual Studio?  The code snippet is a standard OWIN construct which runs when the application starts up to configure the OWIN Identity API.

    rogersbr

    Where/how do I add the web interface to call the method to let me configure users? 

    Identity has several APIs for managing data stores.  One is the UserManager, which has methods to manage users.  The demo projects have several places where the UserManager is implemented; just take a look at the code.  There are also the docs, which show all the methods available.  Plus there are tons of blogs on the web.

    https://docs.microsoft.com/en-us/previous-versions/aspnet/dn613290(v%3Dvs.108)

    rogersbr

    also need to set it so that if a user registers, it alerts the admin so they check and enable them in the project, probably by assigning a role?

    Write code to meet this requirement.

    rogersbr

    so if person x registers, they still can't use the app until an admin edits their profile and says they're an admin1 or admin2 or?

    Again, this is a requirement.  As developers we get paid to take requirements and turn them into a feature which requires coding. 

    The Identity API and data stores have fields to enable/disable accounts.  I recommend that you set aside time to learn Identity and perhaps look through the tables.  Once you understand the tool, you'll be able to design a solution.

    https://www.asp.net/identity

    Friday, December 7, 2018 6:17 PM
  • User2142845853 posted

    I've been studying aspnet authentication. Nice, what it doesn't seem to have is an actual UserManager or IdentityManager.  An app needs to be created that will query, find and display users and allow the parameters to be updated.  As users register, the table they're connected to has to be queried and put into a list, later that feature will only be available from the admin users.  Other users login by the Active Directory, but they must also have an entry into the user list that can be put in manually.

    So some users login from the intranet, onsite. But while all of the intranet users have the AD credentials, some are visitors, others are registered users, a few may be admins; then others from the web can log in but since local AD isn't possible they all have to authenticate by this built in aspnet system, some of them are users, others superusers.

    The great channel9 video set customizing asp.net authentication with identity does not have any materials available I could find. No project info, no code notes.

    Seems like someone would have such a package with a primitive way to access/display and edit the userStore and userRoles tables? Nothing like that exists?

    Monday, December 10, 2018 6:50 PM
  • User475983607 posted

    ASP Identity has a user manager as well as role manager and several other managers.  I think the issue with using ASP Identity is you already have user data stores.  Moving to ASP Identity requires migrating data or customizing Identity.

    I assume the easiest approach is having a very solid understanding of the current custom security implementation.   Then coming up with a plan to add the new features.  Get with your team and come up with a plan.

    Monday, December 10, 2018 7:16 PM
  • User2142845853 posted

    Sure it has managers, I meant to say there doesn't appear to be any mechanism to manage them. I can see the SQL to produce the table, I can add a role definition manually, admin, superuser, user, guest.

    But as for looking at the table of users, the grid of these users has to be manually written? Display them/CRUD?  Because right now with authentication and the table creation, the only one thing I don't have is view/modify the table of users and rights. I'm wondering if there is already some tool or it has to be done manually? Which is fine, just trying to get it done. I have to assemble the car and mount the tires just to drive to the hardware store?

    Noticed others complained this package is incomplete.  If the built in register and login features work? And forgot the password method? All that's left is the grid to view/modify users. So just to be clear this has to be built from scratch, there are no templates built in for that, and it's asking too much?

    Monday, December 10, 2018 7:31 PM
  • User-943250815 posted

    As far as I know, Identity or Membership never had a User Management UI for Production; in the past there was the "ASP.NET Website Administration tool", which was useful only during development. So we all had to create our own management UI. I think these links might help you.
    https://www.hanselman.com/blog/ThinktectureIdentityManagerAsAReplacementForTheASPNETWebSiteAdministrationTool.aspx
    https://www.scottbrady91.com/ASPNET-Identity/Identity-Manager-using-ASPNET-Identity

    Monday, December 10, 2018 7:54 PM
  • User475983607 posted

    Sure it has managers, I meant to say there doesn't appear to be any mechanism to manage them. I can see the SQL to produce the table, I can add a role definition manually, admin, superuser, user, guest.

    Identity has everything needed to work with users, roles, and claims.  The default templates do not wire up the role manager but it's super easy to do.  I have examples of how to do this on these forums.

    https://forums.asp.net/t/2144407.aspx?Getting+started+with+roles+in+ASP+NET+Identity+and+MVC

    Usually roles do not change much and a simple SQL script is all you need to populate the roles.  

    But as for looking at the table of users, the grid of these users has to be manually written? Display them/CRUD?  Because right now with authentication and the table creation, the only one thing I don't have is view/modify the table of users and rights. I'm wondering if there is already some tool or it has to be done manually? Which is fine, just trying to get it done. I have to assemble the car and mount the tires just to drive to the hardware store?

    I'm not sure how you are coming to the conclusion that ASP Identity cannot display a table of users.  The user manager reference documentation linked above has methods for fetching and saving users. It is up to the programmer to generate the UI.  If you are using MVC that's just scaffolding a list which takes a few seconds.  I'm sure someone built a user management UI.  Just Google...

    Noticed others complained this package is incomplete.  If the built in register and login features work? And forgot the password method? All that's left is the grid to view/modify users. So just to be clear this has to be built from scratch, there are no templates built in for that, and it's asking too much?

    The ASP Identity template comes with login and register Models, Controllers, and Views.  Most likely you'll modify the Model and View to fit your requirements.  Account confirmation and password recovery are a Getting Started Tutorial away.

    https://docs.microsoft.com/en-us/aspnet/identity/overview/features-api/account-confirmation-and-password-recovery-with-aspnet-identity

    I don't think you'll find a solution that fits your current custom project.  

    Monday, December 10, 2018 7:57 PM
  • User2142845853 posted

    Yes I was referencing that one. Started by enabling SSL as it says, but it never gives any other messages. It's WebAPI not MVC. When it starts, goes to the https:// localhost site and says not found. No website at this address.

    Was trying to get the email client working, if I can just make the email part work so it validates the user I'm 90% there, will just manually create the grid view to manage users and roles.

    Rick Anderson may be great, but every time I follow his projects he posts to explain a concept, they never work. Go back, oh maybe I missed something, start again. Nope. Start again. Nope, start again. By the 4th time? I can see the steps are exactly as shown and they don't work. Add this project to that list (although I have to manually build the grid view to show them)

    Adding HTTPS doesn't work.  Added the email client on Nuget, removed the commented out code for email verification, and... it doesn't work.  Can't get past the HTTPS part

    Monday, December 10, 2018 8:55 PM
  • User475983607 posted

    Yes I was referencing that one. Started by enabling SSL as it says, but it never gives any other messages. It's WebAPI not MVC. When it starts, goes to the https:// localhost site and says not found. No website at this address.

    By definition Web API does not have a UI.  Can you explain why you are building a Web API project when, it sounds like, you want a browser based application - a UI?   

    Most likely, the default route is Home/Index and you don't have a Home/Index action.  Can you post the default route and explain which route you want as the default?

    Was trying to get the email client working, if I can just make the email part work so it validates the user I'm 90% there, will just manually create the grid view to manage users and roles.

    The email validation is usually part of the MVC/Identity project because it uses cookies to store a temporary token in a cookie.  Can you explain the Web API design?

    Adding HTTPS doesn't work.  Added the email client on Nuget, removed the commented out code for email verification, and... it doesn't work.  Can't get past the HTTPS part

    Can you explain what the HTTPS part is?  Are you unable to access a Web API endpoint?  Are you unable to make a TLS connection using the web Client? Or both?

    Monday, December 10, 2018 9:27 PM
  • User2142845853 posted

    omg I'm wrong, this is WebForms, not Web API.  Sorry.  Was running out the door with several things going at once.  It's WebForms. Individual User Accounts.

    The problems may be from using VB instead of c#.  May try to set the project to be webforms c# and later import the active code parts that are vb

    after this part,

    Install-Package SendGrid
    Install-Package -Prerelease Microsoft.AspNet.Identity.Samples

    it went downhill. Changed the startup, bundle config and others with c# then can't run because it's complaining about

    Parser Error
    Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately. 
    
    Parser Error Message: Could not load type 'IdentitySample.MvcApplication'.
    
    Source Error: 
    
    
    Line 1:  <%@ Application Codebehind="Global.asax.cs" Inherits="IdentitySample.MvcApplication" Language="C#" %>
    
    Source File: /global.asax    Line: 1 

    now there are 2 global.asax files, and 2 of many other kinds of files.  Trying to integrate into just vb seems like a waste.  Will do the project over and try the example yet again.


    Tuesday, December 11, 2018 1:54 AM
  • User2142845853 posted

    Switching over to c# webforms individual user accounts, was able to get the email uncommented and activated; but SendGrid wouldn't work, project/solution could not find the reference to the installation. Just used a gmail account for now.

    Next is to make a manual grid to show the users/permissions. but c# instead of vb.net and it is so much easier to make it work.

    Wednesday, December 12, 2018 1:41 AM
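
An added example, not part of the thread or of the Visual Studio template: one way to implement the "registered users cannot use the app until an admin assigns a role" requirement and the data source for the admin grid discussed above, using the ASP.NET Identity 2.x `UserManager` from C#. The class name `ApprovalService`, the role names, and the use of plain `IdentityUser` (the template's `ApplicationUser` type would be substituted) are assumptions, and the roles must already exist in the role table.

```csharp
// Added example; assumes the Microsoft.AspNet.Identity.Core and
// Microsoft.AspNet.Identity.EntityFramework 2.x packages are referenced.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApprovalService   // hypothetical name
{
    // Roles an admin may grant (hypothetical names); anything else is rejected.
    private static readonly string[] Grantable = { "User", "SuperUser", "Admin" };
    private readonly UserManager<IdentityUser> _users;

    public ApprovalService(UserManager<IdentityUser> users) { _users = users; }

    // Rows for the admin grid: registered accounts that hold no role yet.
    public List<IdentityUser> PendingUsers()
    {
        return _users.Users.Where(u => !u.Roles.Any())
                     .OrderBy(u => u.UserName).ToList();
    }

    // Call only from a page that is itself restricted to the Admin role.
    public async Task<IdentityResult> ApproveAsync(string userId, string role)
    {
        if (!Grantable.Contains(role))
            return IdentityResult.Failed("Role is not grantable.");
        if (!await _users.IsEmailConfirmedAsync(userId))
            return IdentityResult.Failed("E-mail address is not confirmed.");
        return await _users.AddToRoleAsync(userId, role);
    }

    // Server-side sign-in gate: a correct password alone is not enough.
    // Returns the user only when the e-mail is confirmed and a role was granted.
    public async Task<IdentityUser> ValidateAsync(string userName, string password)
    {
        IdentityUser user = await _users.FindAsync(userName, password);
        if (user == null) return null;
        if (!await _users.IsEmailConfirmedAsync(user.Id)) return null;
        IList<string> roles = await _users.GetRolesAsync(user.Id);
        return roles.Any(r => Grantable.Contains(r)) ? user : null;
    }
}
```

The login page would call `ValidateAsync` before issuing the sign-in cookie, so an unapproved account is refused on the server rather than merely hidden from menus.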