Implementing custom login for ASP.NET MVC

Question

I'm new to ASP.NET MVC and need abit of advice on how to implement the following.

The site is a heavily used site with roughly 200 users internally (intranet). We use forms authentication hitting a SQL Server DB (not windows integrated).

Some actions are protected, some are viewable by anyone and some are viewable by both - so if theres a logged in user they see their stuff from the DB, otherwise they see a temporary profile - much like StackOverflow.

How would I go about implementing a security model for this scenario? Can I reuse the existing framework in ASP.NET MVC and use the authorization filters?

Is there any online articles that I can use as a reference?

Why are you not using windows integrated? – RichardOD Oct 29 '09 at 14:21 — RichardOD, Oct 29 '09 at 14:21

score 4 · Answer 1 · edited Sep 18 '12 at 12:27

I had the same problem since I want to implement the asp.net membership with my custom built user database, my solution was to override the default aspnet membership provider for manage users logging and aspnet role provider to manage users role. For example, my custom membership provider will look sth like this

namespace Entities
{
    public class VEMembership : MembershipProvider
    {
        public override bool ValidateUser(string username, string password)
        {
            // your logic to validate user
            // return false if not qualified, other wise true
        }
    }
}

And then in your web config file, you just need to add your default membership provider to :

<membership defaultProvider="VEMembership">
    <providers>
        <clear/>
        <add name="VEMembership"
            type="Entities.VEMembership" 
            enablePasswordReset="true"
            requiresQuestionAndAnswer="false"
            requiresUniqueEmail="false"
            passwordFormat="Hashed"
            maxInvalidPasswordAttempts="5"
            minRequiredPasswordLength="6"
            minRequiredNonalphanumericCharacters="0"
            passwordAttemptWindow="10"
            passwordStrengthRegularExpression=""
            connectionString="VEConnectionString"/>
    </providers>
</membership>

There are plenty article on wrting custom aspnet membership provider on google search, if you need any help on doing this. Hope this helps

Thats an excellent example! Precisely what I'm after! How do I obtain a connection to the underlying Database in ValidateUser? The problem is that I have to maintain some data in the session object (their profiles which is in a List). Can I access a session and place them in there when authorisation suceeds inside a overriden function? — Lisa Auckett, Nov 02 '09 at 03:46
Actually, can I derive from SqlMemberShipProvider and just implement ValidateUser instead? — Lisa Auckett, Nov 02 '09 at 03:48
for each function that you dont want to override anything , just use the base function, for i.e: public override bool UnlockUser(string username) { return base.UnlockUser(username); } — tuanvt, Nov 02 '09 at 10:31
Where do I modify the class as you have listed above? Just in the Accountontroller? — Drewdin, May 14 '15 at 20:04

brad.huffman · Answer 2 · 2009-10-29T14:18:16.977

The page's User object has an IsAutheticated (User.Identity.IsAuthenticated) property that will tell you whether a user has authenticated or not. This coupled with conditional statements to show or hide data/controls (or the ASP .Net LoginView control) should allow you to do what you want. In addition, you can use ASP .Net's role provider (or roll your own custom provider) to further define what your users can access/do based on role(s) that you assign to them.

Implementing custom login for ASP.NET MVC

2 Answers2

Linked