I have implemented the below scenario successfully using .NET Framework, Windows Authentication, ASP.NET Impersonation, and SQL Server Row-Level Security. My goal with this question is to determine how to migrate this to .NET 6.
The current flow has the application initiating a query on behalf of the windows user. The application impersonates the windows user and sends the request to SQL Server. SQL Server then filters the data based on an underlying access predicate, and returns only the relative data for that user.
Example as follows:
UserAccess Table
username
name
country
domain\TJones
Tom Jones
Mexico
domain\TJones
Tom Jones
Canada
domain\RMartin
Robert Martin
China
domain\RMartin
Robert Martin
Japan
domain\SBrown
Sue Brown
Canada
Money Table
country
month
total
Mexico
1
220.00
Mexico
2
1500.00
Canada
1
1800.00
Canada
2
920.00
China
1
120.00
China
2
2210.00
Japan
1
4230.00
Japan
2
306.00
The results for a SELECT * FROM Money statement will vary based on the user who is accessing the application:
Tom Jones
country
month
total
Mexico
1
220.00
Mexico
2
1500.00
Canada
1
1800.00
Canada
2
920.00
Robert Martin
country
month
total
China
1
120.00
China
2
2210.00
Japan
1
4230.00
Japan
2
306.00
Sue Brown
country
month
total
Canada
1
1800.00
Canada
2
920.00
At this point we intend to migrate to .NET 6, I am reassessing our methodology for implementing security since ASP.NET does not implement impersonation:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-6.0&tabs=visual-studio#impersonation
ASP.NET Core doesn't implement impersonation. Apps run with the app's identity for all requests, using app pool or process identity.
What is the best way to implement Authorization for a .NET 6 API project where a user is authenticated with Windows Authentication, and then authorized based on what roles (country in this example) their username is assigned to? Now, rather than using RLS, the application would receive all the data but filter based on a user's authorization by matching their Windows Authentication to an authorization table.
A few quick points to highlight:
This is an intranet application only. Iron clad security is not the primary concern.
Windows Authentication is important. Users are not going to want to login each time they enter.
Ease of use for employees is top priority.
Thank you for the suggestions.
Related
How can I capture how many times an authenticated user has viewed a page in Kentico 7?
We are currently using the analytics in Kentico 7.
Example:
User -- Page -- ViewCount
user1 -- News -- 05
user2 -- News -- 19
user4 -- News -- 23
Thank you,
Analytics do not track by user. You can turn on Contact Activities if you have the EMS license and find out how many times a specific contact has performed a an activity you define (view page, download a file, etc.). In v7 though, I'd be very careful about turning on Contacts and activity tracking as they are not optimized at all for performance.
In my application I want Azure search index which has more than 1000 fields. but no any tier supports more than 1000 fields. any solution?
There is currently no way to index more than 1000 fields. That said, you can vote for that feature request here
Luis Cabrera | Cloud AI Platform | Microsoft
Scenario: Each user add funds to his account, for example 100 USD, and he defines that the system (our website) could spend up-to 10 USD per day for showing his ads in the website. each time his ad is shown in or website, it's gonna cost him 1 USD.
P.S: we're not inserting a record into the database every time his ad is shown, we just deduct the amount for showing his ad (1 USD) from his whole budget.
because we're showing too many ads, it's not possible to insert a record for each ad show into the database.
I have 2 columns in users table, whole_budget and daily_budget, so for the above user whole_budget is 100 and daily_budget is 10.
in the above scenario, how can we manage daily budget? so when an ad is shown, how we're gonna deduct 1 USD from his account?
how can we know if he has left daily budget? so we can decide to show his ad for the rest of the day or not.
I would appreciate your help
Is it possible to get user identity from ID4 as an administrator.
For example, Bob logs in and consents to access "My Movie App". When Bob logs in, his clientid and profile are saved independently into the My Movie App DB.
Later, the "My Movie App" needs to contact bob at bobs email or phone because bob forgot to pay and accounting is now catching up. However, Bob has changed his email and phone with the identity provider.
The "My Movie App" has Bobs clientid but would like to ask identity server if there are any changes to Bobs profile before it generates the Past Due contacts list.
Is there a way to get clients new profile without having Bobs user name and password but having only the userid or clientid?
Is there a way to ask Identity Server to see a list of Customers that have consented to using "My Movie App"?
After looking at the source code and poking around I believe the answer is you must extend ID4 itself.
For example, you can extend users to hold information such as ADMIN and when you log into ID4 directly you could use that information to authorize a controller.
Keep in mind that one instance of ID4 is designed be used by multiple companies.
URL Path could like this:
http://myid4:5000/BusinessName/MyMoviePhoneApp/GetCustomers
The Controller could be tagged with [Authorize(Admin)] and return json result of Customers.
I am trying to make a application in springMvc, velocity with html pages and angularJs for ticket booking. This is my first time to use angularJs.
NavBar
Home | Application Setting | Travel | Bulk Booking | Users | Profile | Announcements | Support Mgmt | Support
3 user groups
1. Admin.
2. Normal Users.
3. Agents (with some extra access then Normal).
Access Levels
- Admin - Home, Application Settings , Users, Announcements, Support Mgmt, Profile
- Agent - Home, Bulk Booking, Support, Profile
- Normal Users - Home, Travel, Support,Profile
How to do this with ng-view. Please just point me in right direction. Thanks in advance.
This might be helpful: Authentication in Single Page Applications With Angular.js
directives.js does updateCSS() if user has group (access level is a bitmap of groups) thus showing/hiding menu item.
Menu item would look like
<li data-access-level="accessLevels.admin">
routingConfig.js holds logic "if user has access based on his groups".