Click here to Skip to main content
15,034,598 members
Please Sign up or sign in to vote.
5.00/5 (1 vote)
See more:
I Need to have a complete idea about Asp.Net MVC 6 Default Account Controller methods. Where Can I get that complete article? I went through this article but it doesn't explain all Customizing ASP.NET Identity System for Authentication and Authorization
I need to understand that decorations like [Autorize] , [AllowAnonymous] and [ValidateAntiForgeryToken]. Please Help me out as I am supposed to handle a website account management operations so I want to handle it gracefully.
Posted
Comments
Nathan Minier 8-Oct-15 8:25am
   
Honestly the controller should be of less interest to you. More important are the Identity and Role Providers, which provide authentication and authorization. If you can tell us what your authentication schema is, then we might be able to point you in the right direction.
Sohaib Javed 8-Oct-15 11:30am
   
Thank you so much Nathan for your response
Actually I'm newbie to MVC. I have created MVC application and registered a user and couldn't understand how it logs me in with that created user whilst I have no database or any persistant storage. Is it making some web service call or what? Also I need to understand those decorations like [AllowAnonymous] how it works? what is going in the background. I know what are these decorations for but I do not understand how they works.

I don't know how what are Identity and Role provider and how they provide authentication and authorization.

I have a database where I need to implement authentication and authorization and also I need to implement SSL with SQL Server. I'm from desktop application development background new to ASP.

I hope you can understand what I need to know.

I appreciate your response.
Thanks once again.
Sohaib Javed 8-Oct-15 11:46am
   
currently I am handling login with Session this way. I believe it is not a proper way of doing this.

UserDAL ud = new UserDAL();
List<dal.datamodel.user> usersList = ud.STP_SELECT_USER_ROW_login(model.UserName, model.Password);
if (usersList.Any())
{
if (usersList.FirstOrDefault().USERROLEID == 1)//1 is admin Id from role table
{
//await SignInAsync(user, model.RememberMe);
Session["signedin"] = "yes";
return RedirectToLocal(returnUrl);
}
}
else
{
Session["signedin"] = "no";
ModelState.AddModelError("", "Invalid username or password.");
}

Moving this to answer, since I have a fair amount to throw at you.

So I've got a couple of resources for you. The first is a more basic "How To" on using forms authentication:
http://www.codeproject.com/Articles/578374/AplusBeginner-27splusTutorialplusonplusCustomplusF

And a more advanced primer, that has many scenarios and a little more of an updated approach:

http://typecastexception.com/post/2014/04/20/ASPNET-MVC-and-Identity-20-Understanding-the-Basics.aspx

Now the attributes that you're looking at are aligned with the Authorization portion of the process, after authentication has been determined and roles established. Any authorization attribute can be added at the controller or action level.

The easiest attribute to touch on is the [ValidateAntiForgeryToken]. This token is used to make sure that your site is not being used as part of a Cross-site scripting attack. Don't worry about the details, just know that any user action that will modify the state of your application or persistent storage should be flagged with this.

The [AllowAnonymous] attribute does exactly what it says: A user does not need to authenticate before using this action. I also suggest it only be used on actions, it's not appropriate for controllers IMO.

The [Authorize(/*Role,User*/)] attribute is used to lock down an action or controller to either specific users (which is mildly silly) or to users that have an assigned role (groups). This is used to separate where permissions can be exercised in your controller.

If you're coming from a desktop development environment, you might not be terribly familiar with some of the access control methodologies that are in use in web applications. The RBAC standard is the one that MVC is wired for, and it is relatively effective. If you're mildly masochistic and working from an architectural point-of-view, NIST has a number of RBAC resources available for research:
http://csrc.nist.gov/groups/SNS/rbac/[^]
   
Comments
Sohaib Javed 9-Oct-15 12:37pm
   
Thank You so much It really worked for me. I appreciate your efforts.
IF you a newbie to MVC, and if you wanna be a fish catcher rather a man who always rely on others help and for the detail knowledge of MVC I recommend you to have a look on https://www.microsoftvirtualacademy.com/search/SearchResults.aspx?q=mvc
or
Implementing Entity Framework with MVC
https://www.microsoftvirtualacademy.com/en-US/training-courses/implementing-entity-framework-with-mvc-8931?l=e2H2lDC3_8304984382
Customizing ASP.NET Authentication with Identity
https://www.microsoftvirtualacademy.com/en-US/training-courses/customizing-asp-net-authentication-with-identity-8647?l=1Yef8hF1_7604984382
Introduction to ASP.NET 5
https://www.microsoftvirtualacademy.com/en-US/training-courses/introduction-to-asp-net-5-13786?l=PvSZtxoXB_5101937557
Package Management and Workflow Automation
https://www.microsoftvirtualacademy.com/en-US/training-courses/package-management-and-workflow-automation-10524?l=Qq4DMN87_004984382
   
Comments
Sohaib Javed 11-Oct-15 15:33pm
   
Thank you so much Ali its worth looking these links. very much helpful for me.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900