I'm building four websites. They all should have the same login-datas (user can registrate on website 1 and also can use website 2 and 3 by using the same Login-Name).
My idea was to use the MS SQL Membershipprovider (good idea?).
Now I don't know where to place the SQL-Mebershipprovider (in an extra databse? or together with the websites? -> sound like getting chaos^^)
A other idea I've read was to create a webservice to the authentification?
But I think I'm getting problems with the data consitency, because I think there is no way to point from one database to an other (linking for example the usertable in database one to the texttable in databse 2).
I want to use MVC3 and a MS SQL-database.
Any experiences or ideas?
Thanks a lot!
You can use a separate membership database to do this and just point the providers of each site at this database.
If you wanted to use the role provider you would have to have the same roles in all four websites which may not be what you want. You could use a central database to just handle authentication and then create a local user record in each website that links back to your central user database (you will have to do this linking manually i.e. no relationship). This will then let you role your own role provider for each site.
Related
This is my first question, so I hope I don't miss a thing. To be clear from the start: I don't expect an answer which dives deep into detail. This is just about getting a general understanding of how to work with this kind of software.
So I don't know if "Identity Management System" is a suitable term for what I mean but when I talk about Identity Management Systems I think of something like Azure AD, which as far as I know provides e.g. web developers the possibility to integrate a way users can authenticate (including access privilege etc.) on their website.
What I'm quite unsure about is how to work with/ integrate such tools in a project. I will try to make it clear with an example: Assuming I have a website let's say this website is a blog. The blog consist of different posts which are stored in my own database which is connected to the website. The posts are written by different users which authenticate with a tool like Azure AD. The user's data is stored somewhere on a server run by e.g. Microsoft. If I want to display the posts togethere with the name, email.... of the user who wrote them, how would I do this?
Is it possible to query the user's data directly from the Identity Management System and display it? This does not sound ideal to me as the consequence would be that data the website uses is stored in two different locations.
Would you kind of copy the user's data from the Identity Management System to the websites database and query it from there? This does not sound like a good solution either because then data would be duplicated.
So whats the "right workflow"?
I appreciate any hints and further information I can get:-)
AFAIK To get the user's information like name, email etc. you can add these claims while generating the JWT token.
To generate access token, you have multiple authentication flows such as Authorization code flow, ROPC flow, Implicit flow.
To add the claims that you need to return with the token, you can make settings like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your app -> Token configuration -> Add optional claims
When you decode the token via JSON Web Tokens - jwt.io you can find the user information that you need.
To know how to generate access token, you can refer SO Thread which I solved it before.
Our CakePHP 3 app (a POS System) is going to use subdomain approach where clients will share a common code base but run on individual databases.
2 things from the config (app.php) file will be unique to each instance : database details and security salt. These details will be stored in a table of main site database (wordpress) and I want to load them based on the subdomain opened. (abc.maindomain.com or xyz.maindomain.com)
I am not sure where should I implement this stuff in the code. bootstrap.php seems to be the only viable solution for now. What are experts' thoughts over this? I plan to store those details in a session once loaded so that system doesn't need to call main database everytime.
We now have one site running but we will need to build a branded site for our client soon. The client site will have exactly the same data set as our current site expect for the user data. The client site must have totally separated user info which allows only the client to use the site.
I don't see the need for setting up a new database or creating a new user table for the client. My tentative solution is add a "Company" column for the user table so that I can differ which site the user data row is on.
I do not know if this approach will work or not or if it is the best practice. Could anyone with experience like this shed some light on this question?
Thanks,
Nigong
P.S. I use LAMP with AWS.
Using an extra column to store a company / entity id is a common approach for multitenant system. In general you will want to abstract the part that that verifies you can only retrieve data you're allowed to a piece that all queries go through, like your ORM. This will prevent people new to the project from exposing/using data that shouldn't be exposed/used.
i'm total newbie about security with MVC4. I develop an MVC APP using WebMatrix. Its pretty cool but i didnt like the tables and columns schema.
I'm using REVERSE ENGINE CODE FIRST and i want to know what is the right thing to do. I'm reading a lot about membership providers and webmatrix.
There is a way wich i can use WebSecurity class with my own database? My login method isnt the simple login pattern (string user|username|email, string password). This application requires a long as login user like long userKEY, string password.
I'm totally confused about the terms and any kind of hint can help a lot.
Thanks
The WebSecurity class is a wrapper around the SimpleMembershipProvider which is designed to work with SQL Server and SQL Compact 4.0. The schema that it works with is hard-coded into the SimpleMembershipProvider so you cannot use the WebSecurity class for your own schema.
However, you can build your own provider based off ExtendedMembershipProvider and have it communicate with any backing store you like. Probably the easiest/quickest thing to do is go to the source code for SimpleMembershipProvider and copy that, altering the SQL in the various methods as required.
I am trying to make a web app that uses PlayFramework2 and Neo4j Graph Database.My web app going to include user system.Users can add their visited places as nodes and traverse.My question; is it okay for keeping passwords and other personal information in nodes for authentication or using table based another database is better for login to web app.If all work can be done using Neo4j, what should be the structure of the user system in graph database for security.I am newbie at these jobs so, sorry if it is a absurd question.
Of course you can use neo4j to store user information.
As on all databases, be careful with some data, don't store password without a hash/crypt method !
If your datas are sensible, you should well configure your neo4j instance to not allow remote connection, and why not implement some user role for connection.
See here : http://docs.neo4j.org/chunked/stable/security-server.html
You should either use one of the modern auth mechanisms like OAuth2 or at least strongly hash and salt the passwords with a long salt.