User management with ASP.NET MVC 4

Question

I am trying to re-learn ASP.NET and building some application, however tutorial seems to be running shorts.

I understand ASP.NET comes now with built in membership which allows users to created and edit, login to users. However, is there a way for me to create a User Controller. From what I have read, its a big no, because it may conflict with the AccountController. Maybe this is wrong, but I would like to be sure first.

Also I understand that I can use the word [Authorize] in a controller ( action, or class ) to limit access to users. However if I provide [Authorize(Roles="Admin")] How can I define the roles to a users? Is there a field that already exists in the membership providing this or do i need to supply a second nuget packages. If its a field from the user, how does it know Roles is the value in the User tables?

Answer 1

You're confusing multiple things. Asp.net is the basic web technology, and there are three technologies that sit on top of that. Webforms, Web Pages, and MVC.

Membership has been a part of asp.net since Version 2, released in 2005. This is nothing new. There has been much written about it over the years.

If you're using MVC, which it seems you are, and you're using MVC4, then the default internet template uses SimpleMembership, which is not compatible with the built-in membership editor in Visual Studio (known as the Web Site Administration Tool or WSaT). This is only compatible with the old SqlMembership database tables, and SimpleMembership does not use those tables.

You can use SqlMembership with MVC4, but you have to configure it to use SqlMembership. Or, you can just not use WSaT and configure your user yourself.

Oh, and don't listen to people that tell you to create custom membership providers. This is the worst advice possible unless you know what you are doing, because it's non-trivial to create secure password hashing techniques. And 99% of people that try (even people that should know better) get it wrong unless they pay very close attention.

Use a provider from a reputable source unless you have VERY good reason not to. And then, check, double check, triple check your hashing code and then have an expert check it.

Answer 2

For Authentication and Authorization in asp.net, have a look at Forms Authentication and Membership Provider (and Role Provider for roles)

A quick search gives this article: Here

have a look at other searches for "Custom Membership Provider"

This also looks interesting: How do I create a custom membership provider for ASP.NET MVC 2?