I've created my own role provider in a SL4/RIA Services application, and I have had success using the [RequiresRole] attribute on a Domain Service call. I can set a breakpoint in GetRolesForUser and see that it works.
This leads me to some other questions:
How and/or where do I use the other overridden methods in the custom provider? Is it possible to use them within domain service calls? If so is it simply a matter of creating a new instance of the RoleProvider, calling the methods on it, etc.?
Within the custom role provider, is it possible to make domain service calls? If so, same thing, do I simply create/use a new instance of the entities' ObjectContext?
Can the AuthenticatedUser instance be hooked into the role provider somehow? I see it has a .Roles property and an .IsInRole method, but can that class be extended somehow to hook into the custom provider?
Any direction on these questions is greatly appreciated.
I hope the following question makes sense:
I manage my users in ActiveDirectory.
I authenticate them via IdentityServer3.
I authorize the APIs via the AD groups that the user is in (acting as security roles).
How should I set up IdentityServer3:
Must I use my own custom UserService to access ActiveDirectory?
and does that replace the MembershipReboot / AspNetIdentity support (or am I misunderstanding what the UserService is)?
Or should I use one of the MembershipReboot / AspNetIdentity packages from IdentityServer3, and somehow customize them to map to ActiveDirectory (and if so, how)?
It seems there is no "mapping", and there should not be a mapping, from AD to a membership-reboot or an aspidentity or the newer identity-reboot user store. The reason seems to be simple: mr and aspid or ir are all ways to store the user information in a persistent way (some sort of database or repository), which is already done in AD.
The userservice is enough. It causes the ASP Identity objects to be populated, and the middleware to work as expected, calling user authentication, and user or resource authorization correctly and automatically, after the client calls are "decorated" with "Authorize" attributes or after returning from the OP (the OpenID-Connect Provider) or from separate authorization or resource providers, in security calls.
Answer update: Now in IdentityServer4 the UserService has been deprecated and instead you use IResourceOwnerPasswordValidator.
See here for working code and a detailed explanation, in the answer after the accepted one (vote it up please)
IdentityServer4 register UserService and get users from database in asp.net core
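As an added example (not code from the answer or from the IdentityServer project), here is what a custom IdentityServer3 (v2) UserService backed by Active Directory looks like: it validates the password with PrincipalContext, uses the account's SID as the subject, and re-reads group membership whenever claims are issued so a revoked group does not survive in a cached cookie. The domain name, the class name and the Register helper are assumptions for the example; it requires System.DirectoryServices.AccountManagement.

```csharp
// Added example (not from the answer): an IdentityServer3 (v2) user service that
// authenticates against Active Directory and exposes AD groups as role claims.
// Requires System.DirectoryServices.AccountManagement; the domain name is a placeholder.
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;

public class ActiveDirectoryUserService : UserServiceBase
{
    private readonly string _domain;

    public ActiveDirectoryUserService(string domain) { _domain = domain; }

    // Wire the service into the IdentityServer3 factory. No MembershipReboot or
    // AspNetIdentity store is registered: AD is the user store.
    public static void Register(IdentityServerServiceFactory factory, string domain)
    {
        factory.UserService = new Registration<IUserService>(resolver => new ActiveDirectoryUserService(domain));
    }

    // Local login (username/password form). Leaving AuthenticateResult null means "login failed".
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        // An empty password must never reach the directory: LDAP treats it as an unauthenticated bind.
        if (string.IsNullOrEmpty(context.Password)) return Task.FromResult(0);

        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
        {
            if (!ctx.ValidateCredentials(context.UserName, context.Password, ContextOptions.Negotiate))
                return Task.FromResult(0);

            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, context.UserName))
            {
                if (user == null || user.Enabled == false) return Task.FromResult(0);

                // Subject is the immutable SID; a sAMAccountName can be renamed and reused.
                context.AuthenticateResult = new AuthenticateResult(
                    user.Sid.Value, user.DisplayName ?? user.SamAccountName, RoleClaims(user));
            }
        }
        return Task.FromResult(0);
    }

    // Called when tokens or userinfo are built: re-read the groups from AD each time.
    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, context.Subject.GetSubjectId()))
        {
            var claims = new List<Claim>();
            if (user != null)
            {
                claims.Add(new Claim(Constants.ClaimTypes.Name, user.DisplayName ?? user.SamAccountName));
                claims.AddRange(RoleClaims(user));
            }
            // Honour the requested claim types when the caller restricts them.
            context.IssuedClaims = context.RequestedClaimTypes == null
                ? claims
                : claims.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
        }
        return Task.FromResult(0);
    }

    // A disabled AD account stops receiving tokens even while its login cookie is still valid.
    public override Task IsActiveAsync(IsActiveContext context)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, context.Subject.GetSubjectId()))
        {
            context.IsActive = user != null && user.Enabled == true;
        }
        return Task.FromResult(0);
    }

    private static IEnumerable<Claim> RoleClaims(UserPrincipal user)
    {
        // GetAuthorizationGroups resolves nested security groups (the token groups); GetGroups returns direct membership only.
        return user.GetAuthorizationGroups()
            .OfType<GroupPrincipal>()
            .Where(g => g.Name != null)
            .Select(g => new Claim(Constants.ClaimTypes.Role, g.Name))
            .ToList();
    }
}
```

Group names are used as role values here because that is what an [Authorize(Roles = "...")] attribute matches on; if groups get renamed in AD, issuing the group SID as an additional claim gives the APIs a stable value to authorize against.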
I have an issue in which I wonder if Restangular has support for. I have a UserModel which is part of my model layer. It may have custom attributes that the server doesn't have in its model and also behavior. I'm not clear if I'm able to use my custom User model, send it to the backend and when it returns transform it back to the UserModel object of my model layer so I still have the custom attribute and methods.
Here's the plunker: http://plnkr.co/edit/IlYcSRuX3GPWmewxniuq?p=preview
Where do I handle the transformation? Do I add the methods in the config block or should I add it via adding a response interceptor? What about custom attributes that the server might not send back to me? I haven't run across any good examples of this.
The UserInfoCntrl controller sends the UserModel object into the contactInformationService in my example.
Some of this might be design choices, i.e. use what you think is best. However, a common pattern [citation needed ;)] would be to integrate the synchronization logic between client and server in the "model" service.
The UserModel service would then be responsible for providing the User object to the rest of the application, keeping it in sync with the server (perhaps via methods like save(), or perhaps automatically?). The service would then be the only module responsible for communicating with the server, at least when it comes to user objects. It can also automatically pull the user data from the server when instantiated.
The architecture feels very clean, at least to me.
I don't have any concrete examples that exactly suit your needs, but this authentication service by Fnakstad springs to mind. It maintains an object (actually a user object!) using $http and $cookieStore. Restangular is a bit more high-level than $http, but the self-contained service concept providing methods for manipulation and storing stands.
I don't want to set the same username and password 100 times for ClientCredentials. I want a pattern where I can set this once in code then have it automatically set.
How do people typically do this? Do they inherit from the wcf class? Do they use partial classes?
Delegate the responsibility of creating the proxy instance to a separate class. This class can have a method to create the proxy, assign credentials and return the proxy instance back. This is something similar to creating factory classes for construction of an object.
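As an added example (not code from the answer), this is the factory shape the answer describes: one class owns the ChannelFactory, sets ClientCredentials exactly once, and hands out proxies. IOrderService, the endpoint name "OrderServiceEndpoint" and the environment variable names are placeholders for the example.

```csharp
// Added example (not from the answer): a factory that owns the WCF ChannelFactory,
// sets ClientCredentials once, and hands out proxies. IOrderService, the endpoint
// name and the environment variable names are placeholders.
using System;
using System.ServiceModel;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

public sealed class OrderServiceProxyFactory : IDisposable
{
    private readonly ChannelFactory<IOrderService> _channelFactory;

    public OrderServiceProxyFactory(string endpointConfigurationName, string userName, string password)
    {
        _channelFactory = new ChannelFactory<IOrderService>(endpointConfigurationName);

        // Credentials are captured when the factory opens (first CreateChannel call),
        // so they are set here, once, before any proxy exists.
        _channelFactory.Credentials.UserName.UserName = userName;
        _channelFactory.Credentials.UserName.Password = password;
    }

    public IOrderService CreateProxy()
    {
        return _channelFactory.CreateChannel();
    }

    // Correct WCF shutdown: Close() normally, Abort() when the channel is faulted,
    // because Close() on a faulted channel throws and leaks the connection.
    public static void Release(IOrderService proxy)
    {
        var channel = (IClientChannel)proxy;
        try
        {
            if (channel.State == CommunicationState.Faulted) channel.Abort();
            else channel.Close();
        }
        catch (CommunicationException) { channel.Abort(); }
        catch (TimeoutException) { channel.Abort(); }
    }

    public void Dispose()
    {
        if (_channelFactory.State == CommunicationState.Faulted) _channelFactory.Abort();
        else _channelFactory.Close();
    }
}

public static class Program
{
    public static void Main()
    {
        // Credentials come from the environment (or a protected config section / credential
        // store) rather than string literals in source. Variable names are placeholders.
        var userName = Environment.GetEnvironmentVariable("ORDER_SVC_USER");
        var password = Environment.GetEnvironmentVariable("ORDER_SVC_PASSWORD");

        using (var factory = new OrderServiceProxyFactory("OrderServiceEndpoint", userName, password))
        {
            var proxy = factory.CreateProxy();
            try
            {
                Console.WriteLine(proxy.GetOrderStatus(42));
            }
            finally
            {
                OrderServiceProxyFactory.Release(proxy);
            }
        }
    }
}
```

The same pattern works with a generated ClientBase<T> proxy: the factory constructs the client and assigns its ClientCredentials before the first call. UserName credentials are only protected if the endpoint's binding uses transport or message security; over a plain HTTP binding WCF refuses to send them, which is the desired failure.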
I've started out with the Silverlight 4 Navigation Application template (RIA Services enabled). (As I really don't like the bloated Business Application Template)
I've added an Authentication Service and I'm able to authenticate users, but want to override the User.IsInRole method.
WebContext.Current.User.IsInRole("Guest");
But I cannot find any place to override the behaviour.
What are you trying to do? User.IsInRole is an implementation of IPrincipal.IsInRole and really shouldn't be overridden.
If you want to set the user roles, you can do it on the server in your AuthenticationService by overriding the GetAuthenticatedUser or GetAnonymousUser methods.
If you want a method similar to IsInRole, you can extend the User type with a partial class on the client and add whatever methods make sense.
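As an added example (not code from the answer or from the RIA Services template), here are the two places the answer points at: the server-side AuthenticationService with GetAnonymousUser and GetAuthenticatedUser overridden to control which roles the client sees, and a client-side partial class that extends the generated User type with helpers instead of overriding IsInRole. The namespace MyApp.Web and the role names are placeholders; the two halves live in the web project and the Silverlight project respectively.

```csharp
// Added example (not from the answer). The two sections belong to different projects.
// MyApp.Web and the role names are placeholders.

// ---- Server project (MyApp.Web) ----
using System.Linq;
using System.Security.Principal;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server.ApplicationServices;

namespace MyApp.Web
{
    [EnableClientAccess]
    public class AuthenticationService : AuthenticationBase<User>
    {
        // Anonymous visitors never hit the RoleProvider, so their roles are assigned here.
        protected override User GetAnonymousUser()
        {
            var user = base.GetAnonymousUser();
            user.Roles = new[] { "Guest" };
            return user;
        }

        // Authenticated users: the base class fills Roles from the configured RoleProvider.
        // Roles are decided on the server; the client only reads them.
        protected override User GetAuthenticatedUser(IPrincipal principal)
        {
            var user = base.GetAuthenticatedUser(principal);
            if (user != null && user.Roles.Contains("Administrators"))
            {
                // Derived role added without touching the RoleProvider.
                user.Roles = user.Roles.Concat(new[] { "CanExport" }).ToArray();
            }
            return user;
        }
    }

    // The User type the template generates; UserBase already carries Name and Roles.
    public class User : UserBase
    {
        public string FriendlyName { get; set; }
    }
}

// ---- Client project (Silverlight) ----
// The code generator emits "partial class User" in the same namespace, so this part is
// merged into the generated type at compile time.
namespace MyApp.Web
{
    public partial class User
    {
        // Convenience members built on the existing IsInRole, which stays untouched.
        public bool IsGuest
        {
            get { return IsInRole("Guest"); }
        }

        public bool IsInAnyRole(params string[] roles)
        {
            return System.Linq.Enumerable.Any(roles, IsInRole);
        }
    }
}
```

On the client, WebContext.Current.User.IsGuest then reads the roles the server sent; since the client copy is only a projection of the server's decision, a client-side check is a UI convenience and the [RequiresRole] attributes on the domain service remain the actual enforcement.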
I have a project requirement where I need to authenticate against ActiveDirectory in a remote/disconnected WPF application.
There are probably several ways to attempt to do this, but what would be the best approach using ActiveDirectory's MembershipProvider?
I need to:
Authenticate that the user exists.
Obtain the AD user's groups and roles.
This needs to happen from a remote location, outside of the network Active Directory resides on.
From within a WinForms or WPF application you can now take advantage of "Client Application Services" (thanks MS for a very generic name, searching for help is now very painful!).
This allows you to connect to a WCF service that can validate the logins. The link above has a walkthrough that shows how easy it is to get it all working, once you have a working app you can modify your config to point to a different MembershipProvider and/or RoleProvider.
It's worth noting that the out-of-the-box solution includes a MembershipProvider named ActiveDirectoryMembershipProvider, but there's no RoleProvider for Active Directory.
If you do require the ability to get Roles (or Groups) and you are working with .NET 4.0 then you can take advantage of the new Active Directory API added that makes everything much easier, namely System.DirectoryServices.AccountManagement. For the most basic of Membership and Role services you'll want to have the following to create your own basic MembershipProvider and RoleProvider:
MembershipProvider.ValidateUser() - should use PrincipalContext.ValidateCredentials()
RoleProvider.GetAllRoles() - use a new GroupPrincipal() as a source to a new PrincipalSearcher()
RoleProvider.IsUserInRole() - use UserPrincipal.FindByIdentity() method to get a user, use GroupPrincipal.FindByIdentity() to get the group, then use the IsMemberOf() method on the user to see if they're a member of the group.
You can implement as little or as much of the API as needed, you should find everything you need in the new AccountManagement namespace to do this.