ASP.NET MVC5 Identity and Security Best Practices
Learn about implementing secure authentication and identity management in ASP.NET MVC using best practices such as individual user accounts, forms authentication, integration with external providers like Google and Facebook, authorization rules, database storage, and more.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
MVC5 Identity & Security ASP.NET ASP.NET MVC MVC Mait Poska & Andres K ver, IT Kolled 2014
Identity & Security No Authentication All anonymous users Individual User Accounts Forms authentication (SQL) Google, Facebook, Twitter, MS Organizational Accounts Active directory Federation Services (Azure, Office 365) Windows Authentication Intranet no anonymous users 2
Request & User set by framework Request.IsAuthenticated User.Identity.GetUserName() User.IsInRole( xxxxx ) @if (Request.IsAuthenticated) { using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" })) { @Html.AntiForgeryToken() <ul class="nav navbar-nav navbar-right"> <li> @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Manage", "Account", routeValues: null, htmlAttributes: new { title = "Manage" }) </li> <li><a href="javascript:document.getElementById('logoutForm').submit()">Log off</a></li> </ul> } } 3
Authorize attribute [Authorize] controller or action method Only logged in users (redirect to login page) [AllowAnonymous] Can override controllers [Authorize] [Authorize(Users= akaver, mposka )] [Authorize(Roles= admin, sales )] 4
Database 5
Core Identity Microsoft.AspNet. Identity.Core 6
Identity Stored In SQL Server Microsoft.AspNet.Identity.EntityFramework 7
var manager = new ApplicationUserManager( new UserStore<ApplicationUser>( context.Get<ApplicationDbContext>() ) ); UserManager public class ApplicationUser : IdentityUser { public async Task<ClaimsIdentity> GenerateUserIdentityAsync( UserManager<ApplicationUser> manager) { var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie); return userIdentity; } // Add custom fields here } public class ApplicationDbContext : IdentityDbContext<ApplicationUser> { public ApplicationDbContext() : base("StudentDBConnection", throwIfV1Schema: false) { } public static ApplicationDbContext Create() { return new ApplicationDbContext(); } } 8
External Logins // Uncomment the following lines to enable logging in with third party login providers //app.UseMicrosoftAccountAuthentication( // clientId: "", // clientSecret: ""); //app.UseTwitterAuthentication( // consumerKey: "", // consumerSecret: ""); //app.UseFacebookAuthentication( // appId: "", // appSecret: ""); app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions() { ClientId = "myapp.apps.googleusercontent.com", ClientSecret = "googlesecret" }); 9
THE END Mait Poska & Andres K ver 10
