 

Role Provider / Membership? How to in asp.net web api?

I am building an asp.net mvc web api application and not sure how to do the membership stuff.

In my current project I have this

My own Users table and Role table. I am not using asp.net membership as it brings too much baggage and does not fit how I want to design my database (sure, I can do it, but it just seems like too much work).

A user can have many roles and a role can have many users.

I am using EF to do almost all my calls to the database.

In past projects I made my own Authorize Attribute that did my own call to my database and checked to see if the user was in the correct role as what was allowed on that controller/action method.

By not doing any membership providers I lost out on some of the built-in functions such as User.IsInRole. I was still able to use User.Identity.Name but I think that was because of the cookie that I set.

What is the best practice way to do it now in asp.net mvc 4/web api?

While googling I found "SimpleMembership" but have not read much into it yet.

On a side note can I use User.Identity.Name with my webapi if I authenticated a user?

chobo2 asked May 21 '13 20:05



1 Answer

Here is an article that describes how to create a custom authorize attribute for Web APIs using SimpleMembership. You do not have to use SimpleMembership, although it is very flexible and easy to use. You could take the same concepts in this article and use your membership service instead, as long as your service can verify that a specific user is in a role, log a user in and out, and verify that they are authenticated.

If your service does not verify that they are authenticated, you can use User.Identity.IsAuthenticated, and you can use User.Identity.Name to get the currently logged-in user's name, assuming that your service correctly sets Thread.CurrentPrincipal when a user logs in. It is also a recommended practice to set HttpContext.Current.User. Of course you do not have to worry about any of this if you use SimpleMembership.

This custom authorize attribute supports both forms authentication and basic authentication in case you expose your APIs to the public. It is different from an authorize attribute used on a controller in that it returns an HTTP status code of Forbidden if they are not authorized and Unauthorized if they are not authenticated, instead of redirecting to a log-on page.

Kevin Junghans answered Oct 13 '22 06:10
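
The approach in the answer above, sketched as an added example; it is not the code from the linked article or from either poster. It assumes authentication has already run and set Thread.CurrentPrincipal, and that a hypothetical `IRoleService` wrapping the application's own Users/Roles tables is registered with the Web API dependency resolver; `ApiRoleAuthorizeAttribute` is likewise a made-up name.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical abstraction over the app's own Users/Roles tables (e.g. an EF query).
public interface IRoleService
{
    bool IsUserInRole(string userName, string role);
}

// Usage: [ApiRoleAuthorize(Roles = "Admin,Manager")] on a controller or action.
public class ApiRoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        IPrincipal user = Thread.CurrentPrincipal;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // No roles listed on the attribute: any authenticated user is allowed.
        var required = (Roles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
        if (required.Length == 0)
            return true;

        // Attributes cannot take constructor injection, so resolve per request.
        var roles = actionContext.ControllerContext.Configuration
            .DependencyResolver.GetService(typeof(IRoleService)) as IRoleService;
        if (roles == null)
            return false; // fail closed when the role lookup is unavailable

        return required.Any(r => roles.IsUserInRole(user.Identity.Name, r));
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // 401 when nobody is logged in, 403 when the caller is known but lacks the role.
        IPrincipal user = Thread.CurrentPrincipal;
        bool authenticated = user != null && user.Identity != null && user.Identity.IsAuthenticated;
        actionContext.Response = actionContext.Request.CreateErrorResponse(
            authenticated ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized,
            authenticated ? "Not in a permitted role." : "Authentication required.");
    }
}
```

The base class's OnAuthorization still honors [AllowAnonymous] before IsAuthorized is called; the Users property of the base attribute is ignored in this sketch.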