Professional Documents
Culture Documents
Session 10 PDF
Session 10 PDF
y
nl
O
se
Authentication and
U
tre
Authorization
en
C
h
ec
pt
rA
Fo
Objectives
y
Define and describe authentication
nl
Explain and describe how to implement authentication
O
Define and describe ASP.NET Identity
se
Define and describe the process of authorization
U
tre
en
C
h
ec
pt
rA
Fo
y
Authentication is the process of validating the identity of a user
nl
before granting access to a restricted resource in an application.
O
When the application receives a request from users, it tries to
se
authenticate the user.
U
Typically, authentication allows identifying an individual based on
the user name and password provided by the user.
tre
en
C
h
ec
pt
rA
Fo
y
The ASP.NET MVC Framework enables you to use the following
nl
three types of authentication modes:
O
Forms authentication
se
Windows authentication
U
OpenID/OAuth
tre
While using the Form authentication:
The application itself is responsible for collecting user’s credentials and
en
When a user successfully logs into the application and gets authenticated
to view a Web page, it generates a cookie that is served as an
pt
The cookie is then, used by the browser for the future requests made by
the user, and thus allows the application to validate the requests.
Fo
y
When you create an ASP.NET MVC application in Visual Studio
nl
2013, the application does not automatically uses any type of
O
authentication.
se
To authenticate users by using Forms authentication you need to
U
manually configure the <authentication> element under the
<system.web> element present in the Web.config file.
tre
Following code snippet shows the default <authentication>
en
element in the Web.config file:
<system.web> C Snippet
h
<authentication mode="None" />
ec
</system.web>
pt
y
Now to use Forms authentication mode, you need to change the
nl
mode attribute of the <authentication> element to Forms.
O
Following code snippet shows specifying the authentication
se
mode as Forms:
Snippet
U
<system.web>
tre
<authentication mode="Forms" />
</system.web>
en
In this code, the mode attribute of the <authentication> element
C
is set to Forms, which indicates that application should use the
h
Forms authentication.
ec
pt
rA
Fo
y
Windows authentication is best suited to an intranet
nl
environment where a set of known users are already logged on
O
to a network.
se
When you use the Windows authentication mode in your
U
application, it is the firewall that takes care of the authentication
process.
tre
In this mode, the application uses the users credential
en
authenticated by the company’s firewall for security checks.
C
To configure your application to use the Windows authentication
mode, you need to change the mode attribute of the
h
ec
y
The OAuth and OpenID are authorization protocols that enable a
nl
user to logon to an application by using the credentials for third
O
party authentication providers, such as Google, Twitter,
se
Facebook, and Microsoft.
U
When you create an ASP.NET MVC Web application using Visual
Studio 2013, the third party authentication providers need to be
tre
configured.
en
You can do this in the Startup.Auth.cs file present in the
C
App_Start folder in the application directory.
By default, the Startup.Auth.cs file contains the commented code
h
ec
y
Following code snippet shows the content of the Startup.Auth.cs
nl
file: Snippet
O
using Microsoft.AspNet.Identity;
se
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
U
using Owin;
namespace SecureApp
tre
{
public partial class Startup
en
{
// For more information on configuring authentication, please visit
C
http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
h
{
ec
// Enable the application to use a cookie to store information for
the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
pt
{
rA
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login")
Fo
});
y
Following code snippet shows the content of the Startup.Auth.cs
nl
file:
O
Snippet
se
// Use a cookie to temporarily store information about a user logging in
with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
U
// Uncomment the following lines to enable logging in with third
party login providers
tre
//app.UseMicrosoftAccountAuthentication(
// clientId: "",
en
// clientSecret: "");
//app.UseTwitterAuthentication(
//
//
consumerKey: "",
C
consumerSecret: "");
h
//app.UseFacebookAuthentication(
ec
// appId: "",
// appSecret: "");
pt
//app.UseGoogleAuthentication();
rA
}
}
}
Fo
y
The preceding code shows content of the Startup.Auth.cs file
nl
where the third party login provider’s code is commented.
O
As you have seen that the third party login provider’s code is
se
commented, because before you can use the services provided
U
by an external login providers, you have to register the
application with them.
tre
To use the services of Google, you are not required to register
en
with the ASP.NET MVC application if you are already registered
with Google.
C
To use the services of Google, you only need to uncomment the
h
ec
y
When a proper security mechanism is implemented on an
nl
application, a user must be enforced to login to the application to
O
access some specific resources.
se
This type of mechanism is implemented in an application by
U
using the Authorize action filter.
You can use these attributes to add behavior that can be
tre
en
action method is executed.
C
In an ASP.NET MVC application, you can use the Authorize
attribute to secure an action method, a controller, or the entire
h
ec
application.
pt
rA
Fo
y
Consider a scenario of an online shopping store application,
nl
You want to display the list of available items in the home page from
O
se
You want that all users can see the list of item on the home page, but only
the authenticated user can purchase an item using this application.
U
In such situation, you need to create a BuyItem() action method
tre
in a controller class, named Product.
en
While creating the BuyItem() action method, you should ensure
that this method is only accessible for the authenticated users.
C
For this, you need to add the Authorize attribute on the
h
BuyItem() action method.
ec
pt
rA
Fo
y
Following code snippet shows adding the Authorize attribute the
nl
BuyItem() action method:
O
Snippet
se
[Authorize]
U
public ActionResult BuyItem()
{
tre
return View();
}
en
In this code, the Authorize attribute is added on the BuyItem()
action method. C
h
ec
pt
rA
Fo
y
You can also use the Authorize attribute to a controller to secure
nl
the entire controller.
O
For this, you need to add the Authorize attribute on the
se
controller.
U
Following code snippet shows adding the Authorize attribute to a
controller:
tre
Snippet
en
[Authorize]
public class ProductController : Controller
{
C
h
…
ec
}
The code will restricts all the action methods defined in the
pt
y
Sometime, you might not want to secure certain action methods
nl
in a controller.
O
In such case, you can use the AllowAnonymous attribute on
se
those action methods.
U
Following code snippet shows using the AllowAnonymous
attribute:
tre
Snippet
en
[AllowAnonymous]
public ActionResult Index()
{
C
h
return View();
ec
}
authentication.
Fo
y
At times, you may want that all the users to be authenticated for
nl
an entire application.
O
For this, you need to add the Authorize attribute as a global filter,
se
by adding it to the global filters collection in the
U
RegisterGlobalFilters() method in the FilterConfig.cs file.
Following code snippet uses the RegisterGlobalFilters() method
tre
en
public static void RegisterGlobalFilters(GlobalFilterCollection
filters)
{
C
filters.Add(new System.Web.Mvc.AuthorizeAttribute());
h
ec
filters.Add(new HandleErrorAttribute());
}
pt
methods.
© Aptech Ltd. Authentication and Authorization / Session 10 17
ASP.NET Identity 1-7
y
Prior to ASP.NET MVC 5, the MVC Framework used the
nl
Membership API for implementing authentication and
O
authorization.
se
ASP.NET MVC 5 uses ASP.NET Identity, which is a new
U
membership system for ASP.NET MVC applications.
You can use ASP.NET Identity to add login features to your
tre
application.
en
ASP.NET Identity uses the Code First approach to persist user
C
information in a database.
h
When you create an ASP.NET MVC 5 application in Visual Studio
ec
y
Following code snippet shows the IdentityModel.cs file:
nl
Snippet
O
namespace WebApplication1.Models {
se
public class ApplicationUser : IdentityUser {
}
U
public class ApplicationDbContext :
tre
IdentityDbContext<ApplicationUser>
{
public ApplicationDbContext()
en
: base("DefaultConnection")
C
{
}
h
}
ec
}
pt
In this code, the ApplicationUser class that extends from the IdentityUser
rA
application to interact with the database where account data of users are
stored.
© Aptech Ltd. Authentication and Authorization / Session 10 19
ASP.NET Identity 3-7
y
You will now learn how ASP.NET Identity is used in a default
nl
ASP.NET MVC application created using Visual Studio 2013.
O
When you execute the default application, the Home page
se
appears.
U
Following figure shows the Home page:
tre
en
C
h
ec
pt
rA
Fo
y
In the Home page, you need to perform the following tasks:
nl
Click the Register link. The Register page is displayed.
O
Add the registration details.
se
Click the Register button. The application logs you on and the home page is
displayed with a welcome message based on the specified user name and a
U
Log off option.
tre
Following figure shows the welcome message:
en
C
h
ec
pt
rA
Fo
y
Internally, the application uses ASP.NET Identity to create database tables for
nl
the application to hold account data.
O
You can view the generated tables by performing the following tasks:
Select View Server Explorer. The Server Explorer window is displayed.
se
Select DefaultConnection (WebApplication1) under the Data Connections
U
node and click the Add SQL Server icon.
tre
Following figure shows the Server Explorer window:
en
C
h
ec
pt
rA
Fo
y
In the Connect to SQL Server dialog box that appears, type (LocalDb)\v11.0
nl
in the Server name text field.
O
Following figure shows the Connect to Server dialog box:
se
U
tre
en
C
h
ec
pt
Click Connect.
rA
the tables that are automatically generated by Visual Studio 2013 based on
ASP.NET Identity.
© Aptech Ltd. Authentication and Authorization / Session 10 23
ASP.NET Identity 7-7
y
Following figure shows the tables that are automatically generated
nl
by Visual Studio 2013:
O
se
U
tre
en
C
h
ec
pt
rA
Fo
y
Authorization is the process of verifying whether an authenticated
nl
user has the privilege to access a requested resource.
O
After creating users that can access your application by using the
se
membership management service, you need to specify
U
authorization rules for the users.
You need to grant different permissions to different users to
tre
en
C
h
ec
pt
rA
Fo
y
In order to maintain a different set of settings for each user is a
nl
complex task.
O
So, you should assemble the users in a group user known as roles
se
and then, define the permissions on these roles.
U
In an ASP.NET MVC application, you can authorize some specific
users and roles by using the Authorize attribute.
tre
Following code snippet uses the Authorize attribute to authorize
en
specific users: Snippet
C
[Authorize(Users="Mathews, Jones")]
h
public class ManagerProduct: Controller
ec
{
pt
In this code, only the users whose name is Mathews and Jones are
Fo
y
In an ASP.NET MVC application, you can also assign roles to
nl
different users.
O
Thereafter, you can use the authorization at the role level.
se
Following code snippet shows specifying role to users:
U
Snippet
tre
[Authorize(Roles="Administrator")]
en
public class ManagerProduct: Controller
{
} C
// Code to perform some operation
h
ec
y
In an ASP.NET MVC application, you can also use a combination of
nl
roles and users.
O
Following code snippet shows how to use a combination of roles
se
and users:
Snippet
U
tre
[Authorize(Roles="Manager", Users="Steve, Mathews")]
public class ManagerProduct: Controller
en
{
// Code to perform some operation
C
} h
ec
This code allows the users whose name is Steve and Mathews, and
users with the Manager role to access the ManageStore controller.
pt
rA
Fo
y
You need to create roles so that you can assign specific rights to
nl
specific users.
O
The ASP.NET MVC Framework provides different role providers
se
that you can use to implement roles.
U
Some of them are as follows:
tre
ActiveDirectoryRoleProvider: This provider class enables you to
manage role information for an application in the Active
en
Directory.
C
SqlRoleProvider: This provider class enables you manage role
h
information for an application in SQL database.
ec
y
You can use the Provider property provided by the Roles class to
nl
access the current role provider.
O
Following code snippet uses the Provider property:
se
Snippet
U
tre
var roles = (TestRoleProvider)Roles.Provider;
en
In this code, the Provider property allows to access the role
C
provider, named, TestRoleProvider. This piece of code will only
h
work when the System.Web.Security namespace is included.
ec
pt
rA
Fo
y
When you create an MVC application using Visual Studio 2013, you need to
nl
create the membership database with a connection string that you need to
O
specify in the Web.config file.
You can add sample data in this database with the required roles by using the
se
Seed() method.
U
Following code snippet shows using the Seed() method:
tre
Snippet
en
var roles = (SimpleRoleProvider)Roles.Provider;
C
if (!roles.RoleExists("Administrator"))
{
h
roles.CreateRole("Administrator");
ec
}
In this code,
pt
Then, you use this reference to check whether the Administrator exists in the
database.
Fo
If it does not exist, the CreateRole() method creates the role named, Administrator.
y
Once you have created an Administrator role in the database, you
nl
can add users to that role.
O
Following code snippet shows assigning a user with the
se
Administrator role: Snippet
U
if (!roles.GetRolesForUser("Mark_Jones").Contains("administrator"))
{
tre
roles.AddUsersToRoles(new[] { "Mark_Jones" }, new[] { "administrator"
});
en
}
C
h
ec
method adds the Administrator role, to the user with the name,
rA
Mark_Jones.
Fo
y
Once you have created a role and users in the database, you can
nl
then, use the Authorize attribute on the action method that needs
O
to be restricted.
se
Following code snippet shows using the Authorize attribute so
U
that the action method can be accessed by users with the
Administrator role:
tre
Snippet
[Authorize(Roles = "administrator")]
en
public ActionResult ManageProduct()
{
}
return View();
C
h
ec
This code will display a login page when a user tries to access the
pt
y
You can also display only those links that a user has rights to
nl
access.
O
For example, the ManageProduct link should be visible only to the
se
users with administrator role.
U
In such situation, you can use the ActionLink() method to hide the
ManageProduct link from other users.
tre
Following code snippet shows using the ActionLink() method:
en
Snippet
C
@if(User.IsInRole("administrator"))
h
{
ec
@Html.ActionLink("ManageProduct","ManageProduct")
}
pt
rA
This code displays the ManageProduct link only when a user logs
Fo
in as an administrator.
© Aptech Ltd. Authentication and Authorization / Session 10 34
Summary
y
Authentication is the process of validating the identity of a user before
nl
granting access to a restricted resource in an application.
O
In an ASP.NET MVC application, you can use the Authorize attribute to secure
an action method, a controller, or the entire application.
se
ASP.NET Identity uses the Code First approach to persist user information in a
U
database.
tre
Authorization is the process of verifying whether an authenticated user has
the privilege to access a requested resource.
en
In an ASP.NET MVC application, you can authorize some specific users and
roles by using the Authorize attribute.
C
The ASP.NET MVC Framework provides different role providers that you can
h
use to implement roles.
ec
When you create an MVC application using Visual Studio 2013, you need to
pt