So I am using the built in ASP.NET MVC membership provider for the authorization of users in my web application. I added several fields such as first name, last name and customer number to the default fields that it comes with (email, password). I am able to register and log in users but now I want to get some of the information of the added fields for the user and use it in my AngularJS controller.
I have been working with learning AngularJS and have been successful with using the WebAPI to get and post data to the server but I am stumped on how I can get the information of the current user who is signed in to my application. I am assuming it is stored in a session token of some sort but I do not know how to access it and work with that information from an angular standpoint.
Any help is appreciated, I can provide whatever code is necessary but at this point I only have the basic built in code that asp.net uses to register and login users and my empty angular controller. Thanks.
To get the current user from anywhere on the server side, use
HttpContext.Current.User.Identity.Name;
Related
I have 2 projects, one is the identity server 4 and one is the client AspNetCore MVC.
On client app, how I can get the current user name or current user email ?
More specific, I would like to put it on _Layout.cshtml .
Thank you,
Mihai
You can make a rest call to the server and have it return the authorized user.
Make sure you have the correct claims.
Get current user name in IdentityServer4 & ASP.net Core
For the official docs to getting user info check here:
http://docs.identityserver.io/en/release/endpoints/userinfo.html
If your MVP app requests the scopes email and profile then these 2 properties should be available in the user claims (available through this.User.Claims in the MVC controller).
I am making a hybrid mobile application, using Ionic and Cordova, for which I would like to give the user the possibility to sign up/log in with Facebook, G+, Linkedin and Instagram, and email account. I would indentify everyone by their email (to check if it's the same person, it is not a pk in the database but just an index).
I have been looking around for information about OAuth2 and looking into the documentation for the services APIs. I have understood what I have to do in the front, but I have some questions on the whole process:
[BACK] How do I check the tokens provided by the services APIs? Let's say when a user logs in with Facebook, I get a token which is stored in the user's phone. Then, on every HTTP request, I have to attach the JWT to verify the user indentity. How do I verify it? Against what do I have to test it?
I want to be able to get information from the user's G+ account but also the user's Linkedin account (example). How do I manage this properly?
Do I just store both (or more) tokens (in local storage) and use them to authenticate? I want to do this as my app will have "friends lists", so the user will be able to log into external services and the app will get the user's friends/contact list from those apps.
As of now, I think about including an auth_method field in my database to store available authentication methods (a JSON string or something like that), and just add four fields (one for each service) default null where I would store the token created for the user.
I can show you my code but it do not think it would help as these are more of theory and not specific to a language.
Thank you for all the help!
I'am creating application which can be used by unknown and logged in users. Only difference is that logged in user can use some additional functions like saving its content in database.
All communication is based on ajax calls, so what I need is to deny access to some controller functions (end points) in backend for unknown users and on the client side I need to know that it is in logged in state to set this extra functions active. Only one page, login form should be in dialog. I'm little bit confused, because standard Spring Security aproach doesn't fit this case. I was reading this tutorial but I cant't fully understand it.
First: What Principal object does? They send credentials to this endpoint on submit with login() function but where is handled password check? What if I have my users in database?
Second Is it possible to write this configuration in XML style? I guess that it can be done with <intercept-url/> in spring-security.xml file.
Principal Object
The Principal Object is used to be able to get basic information about a user that is attempting to login when using automatic server authentication (i.e. LDAP). However, you will only be able to get a username from the principal object. With a server JBoss/WildFly, for example, you can link the server to Active Directory to allow Microsoft Windows to authenticate users.
Simple Solution
First, Spring Security will add additional complexity to your application where it doesn't sound like you are trying to do that. Instead, use a simple Servlet Filter. If you are using LDAP on a JBoss/WildFly sever, you can make a POST to j_security_check and the server will send the request to the filter if correct credentials are provided. Inside the filter, you may use the getName() function of the Principal object to get the username so that you may store it in the user's session. However, if you are not using LDAP, you may make a simple POST to a Java Servlet or Spring Controller (with an #RequestMapping) to attempt to login the user and store the user's information in the session.
At this point, you can filter out what URLs you will allow users to see. For example, the URL that contains /administrator/some/other/stuff.jsp could be restricted if the URL contains the word "administrator" in the first directory of the URL.
I am using ASP.Net Webapi for my back end but would like to use the AngularJS for the frontend. I did manage to get the OAuth and other security working on my ASP.Net side and on the server side I can easily check the user role using attributes like [Authorize("Admin Role")]
My question is now on the AngularJS what is the best way to give a separate start page or the chrome inside which the SPA would run.
say for e.g. i have the following flow.
user types in my site address "www.mysite.com"
I present with the login screen.
user enters the login information and submits.
Based on the user provide different base path
4.1 : for Admin "www.mysite.com/admin"
4.2 : for Operator "www.mysite.com/operator"
4.3 : for supervisor "www.mysite.com/supervisor"
what i an trying to say is, the views and data is completely different for these kind of users so I can't have one default.htm that will work for all these users and will need different shell to display the views.
I know its easy to do in MVC but not sure how to do it in AngularJS. does someone have a suggestion on how this can be done.
I'm looking for information on how to implement secure pages using ExtJS 4. By secure pages I mean the user will log into our website using Siteminder (SSO) and so we will have the user's identity. Then we would determine what roles the user would have by making a database/LDAP call and only render those views/components that the user has access to.
Several questions come to mind:
1.) Of course I would expect we would do the authorization check prior to rendering the pages on the server-side, so how do you do this prior to firing Ext.onReady()? I need to have the ExtJS wait for the response from the server?
2.) What is the best way to organize a page's components where the case may be someone could see a particular component and another person cannot?
3.) How do I deliver the resulting page (i.e., the pieces the user has access to) to the client?
TIA!
If you're working from a Java background and are comfortable using Spring, I wrote up an approach using Spring Security here. This will allow you to plug-in any authentication mechanism you want. The main difference is that instead of using an index.html to bootstrap the application, I have a JSP so that the Spring Servlet Filter will fire for authentication. The Ext JS app blocks until the user is authenticated and the user's roles/permissions are provided.
Use a server side technology to pre-process authorization by putting your JS App launch script into a JSP/GSP. What this does is forces server side components to kick off first and then render the HTML/JS/CSS to the client. For full RIA app use index.gsp(or jsp) and the your URL stays "domain/contextroot" .
You can interrogate access privs to content via ajax request to server or alternatively you could set JS variables via again JSP technology that is processed first before the rest of the client response is returned.
< g:javascript>
//global env var definition
var env = "${System.getProperty(Environment.KEY)}";
< /g:javascript>
Both of these are not 100% safe as client side code can be altered. The real security enforcement must be handled on server side when data is submitted for processing.
'3. Easy way would be to hide/show views etc based on 2. above. There are also some experimentation out there with modularizing the client side MVC application by lazy(manually) initializing controllers that may or may not be needed.
Hope this helps.
DB :)
I am currently experimenting with the following solution. Although it will only work for apps with a rather simple set of users, it could be of some help to you.
To begin with, user authentication is done without extjs, using a simple HTML/CSS page. Once the user logs in, its details (user id, role) are saved into the PHP session. And then the page redirects to one of two extjs apps.
One app for normal users (I'll call them clients), these are people who's client side JS does not include any admin functionality. The other app is for admins.
Both apps have their classes inherit from base classes. So we have, for example, base.mainMenu from which both admin.mainMenu and clients.mainMenu inherit. The only difference in the app.js script is the controllers loaded, and per extJS 4 dynamic loading module, only the related views are loaded (ie, seen on the client side). In my case, all pages load dynamically anyway, so my users can only dynamically load pages in their mainmenu.
The admin app blocks certain features using a global JS variable that includes the user's role. So for example, the hiding of an 'edit' button from moderators (an admin group with less rights) is done once the view is loaded (in practice this is actually done by not loading a plugin that allows editing on the view).
To wrap it all up, any call to the server checks whether the session user has rights for the requested operation, so regardless of client side scripts, server operation can only be performed by people with the appropriate rights.
To summarise, you have 3 different strategies that you can mix-and-match:
Loading different apps for different users. If your classes all inherent from base classes, this is easier than maintaining 2 or more completely different apps.
Using a global JS variable to disable/enable certain features for certain users. This is only good if you don't have a problem with the client side loading features that are then disabled (but still seen by debuggers).
Regardless of anything, all server-side calls are checked against session variable.
check out Role-based access control. I use Yii's database-based RBAC, and have a php script that returns the rbac rules in json format when ext starts up
on the client, the best bet is to simply hide or disable functionality that is not allowed.
on the server, you should throw a 403 http error if the user is not allowed to perform a function. handle ajax exceptions in ext and check for 403s.