What is the preferred way of integrating a custom membership provider with Orchard?
I have seen a couple of posts around implementing a new IMembershipService and IUserService (from Orchard.Users), and then there are other modules such as OpenAuthentication which seem to do a lot more than that (but still use the UserPart??).
We already have an ASP.NET Membership provider written, can this be integrated as is?
A custom implementation of IMembershipService is the way to go if you don't want to use the default Orchard.Users module at all. It is useful when you still want to do forms authentication, but just store the auth data somewhere else, not in UserPart.
If you would like to create a totally custom authentication scheme, that overrides the form-based default one (username + password), override IAuthenticationService.
So, generally speaking:
IMembershipProvider is about authentication data management (create/retrieve users)
IAuthenticationProvider is about performing the authentication (sign in/out/get current user etc.)
Depending on your needs you can override either one or both.
The common auth modules, like the OpenAuth one, add additional authentication options to the existing default one without actually replacing it, IIRC.
Related
I have been trying to implement an authorisation scenario in my LoopBack architecture. I am well aware of the default authorisation that is provided by LoopBack, but I'm using Auth0 as my user management platform.
I have a user type in the Auth0 metadata, and now I want to allow certain HTTP methods on particular LoopBack entities based on that attribute in the user object.
There might also be scenarios where for certain users I will have to hide a few properties of a model, while opening them up and showing them for others. If there is any other framework that might serve my purpose I am happy to restructure the whole system. Any suggestions would be helpful.
I am trying to implement custom authentication using the new ASP.NET Identity in an MVC 5 project.
I have a single username and password that I want to use to restrict which pages of the website the user can see via [Authorize] tags on controllers and views. (Easy)
I am migrating from a FormsAuthentication model whereby this was as simple as putting the credentials in the web.config.
Because I only have a single username and password I don't want to use a database as the UserStore, instead I want ASP.NET Identity to retrieve the username and password from a custom configurationsection in the web.config (don't worry about that part).
After much search, I can't find a code sample that doesn't rely on a database for ASP.NET Identity authentication.
So I'm looking for a code sample where, at the point of authentication, the user can put in custom code to check the username & password against the credentials in the custom ConfigurationSection of the web.config.
Can someone please point me in the right direction? Thanks.
Update: I've tried looking at this code sample but it doesn't even compile out of the box... poor.
http://code.msdn.microsoft.com/Simple-Aspnet-Identiy-Core-7475a961
Update: The reason that I don't want to use FormsAuthentication is that I am writing a NuGet package that will be installed into a web application. One of the things the NuGet package will do is create a custom ConfigurationSection in the web.config that includes (among other things) a single username and password. I thought this would be safer as it wouldn't alter any existing FormsAuthentication settings currently in the target web application.
Update: I think I have got it working. Will post findings soon.
-- Lee
You don't have to migrate to Identity framework, FormsAuthentication still works. And Andrew is correct, using Identity framework makes little sense here, since it is all about managing users.
However, if you insist on using it, you can implement your own UserManager and IUserStore. Some guidance can be found in Scott K. Allen's blog post. See the links at the bottom (samples of implementations); you can take some of these and adapt them to your needs.
I would imagine your IUserStore will be simple, because there is only one user and most of the methods don't have to be implemented. And for the ones required (I think you'll need FindUserById and related) you'll need to reach into web.config via ConfigurationManager.
I'm struggling with a custom authentication mechanism for Symfony2.
What I want to do:
I need a modified behaviour of the regular UsernamePasswordForm based authentication. The only modification required is that the credentials aren't checked against the database, but against some custom unix auth daemon. The users themselves are still located in the database.
What I did:
I played around with a full-fledged custom authentication provider based on this Symfony cookbook entry, with most parts just extending the different UsernamePassword classes, but it didn't work out yet. I especially had some problems setting up the AuthenticationListener in the service configuration, as the UsernamePasswordFormAuthenticationListener has a lot of required parameters. Currently I'm not sure if it will work out in the end, because I've got some issues with our database setup.
What I need:
Is there a simpler way to modify the default login form without the complete requirement of a full AuthenticationProvider? IMHO it's quite a common issue to have some custom modifications in the default behaviour.
Would be happy about any ideas or hints.
I have not tried this myself but you should be able to insert your own AuthenticationProvider by setting a parameter:
security.authentication.provider.dao.class:
..Security\Core\Authentication\Provider\MyDaoAuthenticationProvider
Your provider would extend the Dao and override checkAuthentication.
Again, I have not actually done this and the security system is very touchy so it may or may not work.
Answering my own question: I finally managed to solve my issue thanks to this blog post showing a solution. The basic idea is to extend the default form login authentication and "steal" its listener. This way you can reuse most of the existing code. The critical parts are the creation and configuration of an AuthenticationProvider and a SecurityFactory. And don't forget to use your own provider key instead of form_login in the security.yml.
In the blog post the author creates his own UserProvider, but it's working with just the default database one, too.
I am working on an application using the GWT platform, and now I want to add the security part. What is the best practice to do this?
My requirements for security are:
having user authorities;
hide some places from users without required authorities;
hide some elements on page from users without required authorities;
secure server side from unauthorized requests;
comfortable managing of all of these things (like in Spring using annotations or something like this)
having user authorities;
Model your users with a permission attribute, like
private int user_type;
hide some places from users without required authorities;
Use the concept of Gate Keeper
A Gate Keeper is a Singleton that obligates you to inherit a method called
boolean canReveal()
Using this, you can call the server and look up the user's permission, then reveal or not reveal the presenter that was called.
If a Presenter needs security, just add @UseGatekeeper on its Proxy interface, like:
// The proxy interface is where the gatekeeper is attached.
class SomePresenter extends Presenter<V, P> {
    @UseGatekeeper(YourGateKeeper.class)
    interface SomePresenterProxy extends ProxyPlace<SomePresenter> {}
}
This will block users without some permission from accessing a presenter.
hide some elements on page from users without required authorities;
A good question, I've never seen this type of security in GWTP projects. You can always use Widget.setVisible(false) ;D, but I don't know if GWTP has a good practice for this.
secure server side from unauthorized requests;
GWTP makes it possible to link each of your ActionHandlers with a server-side ActionValidator that determines whether or not the current client can execute the action.
You can hide some server calls using ActionValidators.
read this
comfortable managing of all of these things (like in Spring using annotations or something like this)
As you can see, many of these security concepts use annotations and other stuff to easily manage your application.
I'm building my first backbone app, and though I'm doing my authentication server side, there are features that non-authenticated users are unable to use, but because they are in my asset path, and part of my backbone files, everything gets loaded.
Is there a way to load only the resources that a user is actually able to use?
I'm using Rails with cancan to manage this server-side.
You need to split the assets out in to separate groups: a group that can be used by anyone, and a group that can be used by authenticated users. Only send the code that the user is allowed to use, basically.
I wrote a post about doing this with ASP.NET MVC recently. The same idea applies to Rails, though the use of the asset pipeline makes the implementation a bit different:
http://lostechies.com/derickbailey/2012/01/26/modularity-and-security-in-composite-javascript-apps/
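The asset split described in this answer, sketched as server-side logic (an added example, not code from the answer or the linked post). It is framework-neutral JavaScript rather than Rails asset pipeline configuration; the bundle names, directories and the `user.authenticated` field are assumptions made for illustration.

```javascript
// Two asset groups: one anyone may load, one for authenticated users only.
// Names and directories are hypothetical.
const BUNDLES = {
  public: { dir: 'assets/public', requiresAuth: false },
  members: { dir: 'assets/members', requiresAuth: true },
};

// File names are allow-listed: path segments of [A-Za-z0-9_-] ending in .js.
// This rejects "..", backslashes and percent-encoded input outright.
const SAFE_FILE = /^[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)*\.js$/;

function isAuthenticated(user) {
  return Boolean(user && user.authenticated === true);
}

// Bundles the page template should reference for this user, so that
// members-only code is never linked from an anonymous page.
function bundlesFor(user) {
  return Object.keys(BUNDLES).filter(
    (name) => isAuthenticated(user) || !BUNDLES[name].requiresAuth
  );
}

// Decision for a direct request to /assets/<bundle>/<file>. Omitting the
// <script> tag is not enough on its own: the URL can be requested directly,
// so the same check is enforced when the file is served.
function authorizeAsset(user, urlPath) {
  const m = /^\/assets\/([a-z]+)\/(.+)$/.exec(urlPath);
  if (!m || !Object.prototype.hasOwnProperty.call(BUNDLES, m[1])) {
    return { status: 404 };
  }
  if (!SAFE_FILE.test(m[2])) {
    return { status: 404 };
  }
  const bundle = BUNDLES[m[1]];
  if (bundle.requiresAuth && !isAuthenticated(user)) {
    return { status: 401 };
  }
  // The caller streams this file only when status is 200.
  return { status: 200, file: bundle.dir + '/' + m[2] };
}
```

Data endpoints still need their own server-side authorization (CanCan in the question's setup); withholding the code only limits what an anonymous visitor can read.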
The best way is to create a Base view with a property named requireLogin: true/false.
All other views should inherit from this view; for the views which need authentication you should set requireLogin: true, and for all others this property should be false.
After this you should handle the authentication based on this property.