I have built an MVC website on IIS6. I used the built-in ASP.NET Security without Membership, just the way it was implemented in the template solution. It is easy to secure a controller or action, but now I need to expose the user management to an admin logged into the site. I understand that the built-in ASP controls for doing this are not "best practice" and are a dog to get working. So what is the best practice for offering user management through an ASP.NET MVC application?

I considered using the Entity Framework and wiring it up to the myriad of stored procs, but that seems awkward. I see options for AccountMembershipService and FormsAuthenticationService. That is what the existing project account controller uses. But I am not familiar with either.

I can't help but think that this should have already been there from the project template. This is a fundamental part of any website and you were given 15%, why not the rest?

+1  A: 

As far as I can tell, you are using SqlMembershipProvider as your Membership Provider implementation. I would strongly suggest that you have a look at some of the methods of MembershipUser and MembershipProvider classes (such as CreateUser, etc) to achieve what you are trying to do instead of working with the underlying database tables used for the implementation.

You can also have a look at this article for an in depth intro to ASP.NET's Membership, Roles, and Profile providers.

paracycle
That sounds like the area where I went a little. Thanks for the article. I think the MVC only uses a portion of this functionality though, and I want to avoid using the whole Membership mechanism. But maybe that is a bad idea, we will see.
DrydenMaker
I also wanted to note that I have been avoiding tutorials like this because they don't really fit with the MVC. Good article though, it clarifies some things for me.
DrydenMaker
I do realize that the tutorial doesn't fit with the MVC mindset but it gives you the basics of handling Membership, Role and Profile objects which you can use to build your MVC project. I do realize that it is a PITA to not have a starter kit for Membership Administration bundled with ASP.NET MVC. However, given the development history, I guess the fact that the [Authorize] filter even exists out-of-the-box was because it was trivial to implement for the MVC team. So, I guess you should rely on the default MVC template more as a demo than a starting point.
paracycle
+1  A: 

Check out this project at CodePlex: ASP.Net MVC Membership Starter Kit

Eduardo Molteni
Would someone care to comment on why this was downvoted? AFAIK this project allows you to edit Membership users and roles within MVC. (If it is really wrong I will delete the answer.)
Eduardo Molteni
I don't know why it was voted down, but is this an official part of the MVC? It seems like how it should have been done, that is, in more of a complete manner.
DrydenMaker
I do see one reason, I think the ASP.Net MVC Membership Starter Kit is written in C#, whereas I am using VB2k8.
DrydenMaker
It is not official, just an open source project to tackle a common problem in the current MVC implementation. As for the VB.net part, I'm a VBer also, but almost all open source projects are in C#; translating it, using it as a separate project, or taking it as a reference is not difficult.
Eduardo Molteni
A: 

I don't know about "best practice" but this is how I would do it (and how it is sort of written in "Professional ASP.NET MVC 1.0"):

You should have a custom (or the default) ProfileProvider and MembershipProvider in place for this to work.

Create a controller which handles all the member management actions, e.g. MemberAdminController.

This controller should have the [Authorize(Roles="Administrator")] attribute specified so all actions in this controller will only be handled if the user is in the Administrator role.

Now you can build the CRUD views and actions how you would like using only this controller.

Peter
That is the direction I am going in. I think the project template is a travesty since it allows for signup and everything BUT exposing the administration. It is a sure fire way to get a lot of poor applications out there.
DrydenMaker
It all depends on how you implement your authentication. I don't think it's a travesty; the asp.net mvc framework gives the developer a lot more responsibility because a lot of things aren't handled in a default way, which webforms did. If you don't require authentication for the rest of your site, simply don't give it to them. You always have to expose a public login form to access your admin... this is no different from webforms.
Peter
A: 

I have user auth working in a somewhat sane manner now. The biggest hurdle to get over is that it IS ok to use the Membership classes, even though I am not using the Profile aspect of membership. It is easy to get the user name and do Membership.GetUser(UserName). Then you can do many things like Unlock, Approve/Disapprove, change the password and change password question/answer... all the basics I need.

Here are the basics:

'the Membership classes live in System.Web.Security
Imports System.Web.Security

'get current logged in user
Dim currentUser As MembershipUser = Membership.GetUser()

'get current logged in user name
Dim userName = currentUser.UserName

'get current user email
Dim userEmail = currentUser.Email

'get a user to edit
Dim editingUser = Membership.GetUser(UserName)

'set the user email
editingUser.Email = newEmail
Membership.UpdateUser(editingUser)

'unlock user
editingUser.UnlockUser()

'disapprove user
editingUser.IsApproved = False
Membership.UpdateUser(editingUser)

'approve user
editingUser.IsApproved = True
Membership.UpdateUser(editingUser)

'change pw
editingUser.ChangePassword(oldPw, newPw)

and that is mostly all there is to it

DrydenMaker
A: 

In MvcCms we used the RoleProvider out of the box but converted the membership provider over to entity.

http://mvccms.codeplex.com/SourceControl/changeset/view/56727#994414

MvcCmsJon