Trying to enable the ServiceStack Studio User Management utility to more easily manage the various users that access our APIs. It appears that to populate the roles dropdown, the User Management utility queries the following property:
[API_URL]/metadata/app.json -
{
...
"allRoles":["Admin","Employee","Manager"]
...
}
But I don't see how ServiceStack determines the list of allRoles for a given IAuthRepository.
The only way I've been able to add a role to the allRoles collection is by adding a decoration to one of my database operations:
[ValidateHasRole("ZZZ")]
Are there other ways to inform an IAuthRepository of what roles to expect?
For the purposes of determining the pre-populated list of Roles in ServiceStack Studio, ServiceStack shows all Roles defined within your Application, e.g. via the [ValidateHasRole] Declarative Type Validator or the [RequiredRole*] Authentication attributes.
Related
I am new to ASP.NET MVC 5 and OWIN.
I have upgraded my project to MVC 5 to implement the authentication and authorization of my project. Problem is that my project does not store the user data. When user logins in I ask a different system via a WCF service to tell me if the user is authenticated. So I do not have a database nor tables that the user is stored in.
But I want to add the ability to login via social providers using OWIN. For this I will add a local database table to store the social provider Id/Token
Looking around other have asked similar question but only when they want to change database type store... Whilst I actually don't store the data... Is it still possible to customize this with ASP.NET Identity and how would I do this?
I would recommend creating a custom IUserStore that connects to the wcf service.
http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
If you don't want to implement your own IUserStore, you can still use the built in default EF based UserStore and just only use the external login apis. The database schema will have a bunch of columns that will always be null like PasswordHash etc, but the operations you care about would still work fine:
CreateAsync(TUser) - Create a user
AddLoginAsync(userId, UserLoginInfo) - Associate an external login
FindAsync(UserLoginInfo) - Return the user with the associated external login
I looked into the solutions suggested. I found that the method names of the interfaces to implement did not really fit and there where way too many methods as well.
I ended up only using the OWIN Context in AccountController to extract the LoginInfo with all the details I wanted. This way I did not have to implement any custom versions of IUserLoginStore etc...
I wanted the simplest solution to implement and therefore I ended up with:
1. Added StartupAuth class from template mvc project and configured different providers there
1. In AccountController: Extracted the claims from LoginInfo,
2. Stored OpenId in a table for lookup and then continued on as before.
You have to provide a UserStore and pass it to the UserManager, if you are already using entityframework in the default mvc5 project, you can write your CustomUserStore which inherits from Microsoft.AspNet.Identity.EntityFramework.UserStore and override the methods defined in Microsoft.AspNet.Identity.EntityFramework.IUserLoginStore:
public interface IUserLoginStore<TUser, in TKey> : IUserStore<TUser, TKey>, IDisposable where TUser : class, Microsoft.AspNet.Identity.IUser<TKey>
{
Task AddLoginAsync(TUser user, UserLoginInfo login);
Task<TUser> FindAsync(UserLoginInfo login);
Task<Collections.Generic.IList<UserLoginInfo>> GetLoginsAsync(TUser user);
Task RemoveLoginAsync(TUser user, UserLoginInfo login);
}
if you don't use entityframework, you have to provide your own way of accessing your database,by writing a UserStore which implements IUserStore, IUserLoginStore, IUserClaimStore, IUserRoleStore,IUserPasswordStore,IUserSecurityStampStore (depends on your need but at least IUserStore and IUserLoginStore as IUserStore is mandatory and IUserLoginStore is what you want to add)
all these interfaces are in Microsoft.AspNet.Identity namespace.
here how to implement a Custom MySQL ASP.NET Identity Storage Provider and
here how to use Dapper ORM instead of EntityFramwework.
According to my requirement in Liferay, I have created custom fields for roles and assigned it to a user. My goal is to call the JSONWS API and get these custom fields using NodeJS. I am not able to decide which API I should call.
This Url is having APIs: http://www.liferay.com/api/jsonws
I will appreciate for any kind of help.
Regards
AFAIK there is no options to access the expando value via exposed webserveices.
Probably what you can do is that, create a custom portlet, add a dummy entity in the service builder and in that expose a method for web service. In that method call the role API and expando API , and return the result you want.
Custom Fields are called "Expando" in the API and are modeled like virtual tables. The functionality that's exposed through webservices is ExpandoColumn and ExpandoValue. Probably the best way to figure out the parameters to give is to look at the matching database tables. Careful: You should only ever read the database and not be tempted to write to it.
I hate giving the advice to go to the database, but this is probably the quickest - at least for my explanation :)
Finally, I got a genuine solution without hitting database directly. JSONWS is having api :
/portal.expandovalue/get-data
Which helped me to get attributes assigned to a particular role.
The above API needs 5 parameters to be passed.
companyId: whaterver the companyId assigned for your liferay.
className: It depends upon, we created attribute for role or user
com.liferay.portal.model.Role or com.liferay.portal.model.User
tableName: CUSTOM_FIELDS
columnName: It is the same name you given for attribute
classPK: It is nothing but your role or user ID for which you have created Attribute.
In case you are getting "java.lang.NullPointerException" when using #user3771220 solution, try com.liferay.portal.kernel.model.User
I am developing a web application consisting of different domains. I have tried to implement hierarchical RBAC for authorization. Each domain has some predefined operations in their bo implementations. The following is my bo package hierarchy.
com.mycompany.bo
...domain1
...domain2
.
...domainN
...rbac
I predefine the following role hierachy at first deployment, i don't want to maintain the rbac operations after the first deployment, i mean the domain rbac operations should be self maintainable by the domain admins.
Root
Domain1Admin Domain2Admin .. DomainNAdmin
The root role can authorize on all operations under bo implementations and also each domain admin can authorize on its all own operations and some rbac operations like create user, edit user, create role etc also.
Finally, I have developed the ui part of the project abiding by the facelet facilities, like include tag so that i can distinguish the ui fragments of a page. As a result, I can render a ui fragment with respect to whether the the user authorized to view the fragment or not. Any suggestion for the authorization design of the system will greatly be helpful.
Now, I came to authentication part of the project. In this system a user does not only authenticate over internally but also should authenticate over an external system via a web service or ldap, since the user may have been already created in there.
Spring framework provides some facilities authentication via ldap(statically configurable in xml). In my case, I want to add remove edit new LDAP definitions in runtime and can change a user authentication method(may be selecting the new LDAP from a combobox). How can I dynamically add new LDAP definitions in Spring, shall I continue with spring security or implement this feature own my own?
I'm developing a liferay portlet. I use Service Builder. The question is that do I have to use companyID and groupID in my entity fields? What should I do if I don't want to have these fields? If I don't use them how can I use resourceLocalService.addResources() method?
They are not required but they are convenient to have.
Liferay has many additional services available to you to use like permissions, users, document library. These services are almost always scoped to a portal instance, for example, Users are scoped to an instance which is tracked by companyId. Some are scoped to a group like document library.
So depending on what Liferay services you are planning to use and at what scope those services operate, it is convenient to have those values stored as well for easy lookup when you're calling those services you are using.
Notice that the DBA team didn’t specify these two foreign key fields in the tables, but you add them anyway. You do this because the DBAs didn’t know the internal workings of Liferay when they designed the table.
These fields are internal to Liferay and are used for context purposes in non-instanceable portlets.
CompanyId corresponds to the portal instance to which the user has navigated, and groupId corresponds to the community or organization to which the user has navigated.
Because you’ll use these field values as parameters in all your queries, the portlet will have different data in different portals, communities, and organizations.
Background
We have a WinForms application with Entity Framework 4.2 code-first / FluentAPI using SQL Server 2008 R2.
The security is a custom implementation of IPrincipal and IIdentity with the roles for the user. These roles are checked when a Form/menu/button is displayed and it will be disabled/removed based on the user role.
Users are authenticated against the database so there is no "master" user for the connection: it's created using the username/password provided on the login screen.
So, access to data (general) is working.
The problem
But some cases might require me to disable access to a specific table or to a column inside the table.
Some tests have shown here that IGenericRepository.Find<MyCustomType>(_idToFind) (which returns the complete entity) will fail because there is no access to a single column and SQL server will prevent the whole select statement.
I've found, however, that create a query like
IGenericRepository.All<MyCustomType>().Select(_c => _c.JustASingleField)
will work because the generated query will look only for a specific field for which I have access.
Question
Is there a way for me to create queries that will be role-aware to the database?
For instance: Find<MyCustomType>(id) will return the object as usual but with the field that the user does not have access set to NULL or with no value?
Or I'll just have to write "generic" queries for every single item that does not require protection and rely on the security system to completely block access to a resource?
Another example would be to fill a grid but the column for which the user does not have access will be blank.
Is it possible at all using Entity Framework?
Is it possible at all using EntityFramework?
No. EF is not aware of security configuration on SQL server and it is not able to react to any security demands expected by SQL server except providing credentials for connection string.
If you require this type of security you should use database views providing only accessible items to specific role and let EF to use model mapping only views the user role has access to - it can result in quite big set of different "models" due to many roles.