15

I have spent some time searching and found a lot of confusing answers, so I will post here for clarification.

I am using MVC4 VS2012 created an Intranet site using domain authentication. Everything works. However, to manage the users that have access to different areas of this webapp I prefer not to use AD groups that I cannot manage and nor can the users of the webapp.

Is there an alternative? I assume this would involve associating/storing domain names belonging to custom roles and using the Authorize attribute to control access. 

[Authorize(Roles = "Managers")]

Can anyone suggest the best pattern for this or point me in the right direction?

I see a similar solution link, but I am still not sure how to use this against a stored list of roles and validate the user against those roles. Can anyone elaborate if this solution would work?

        protected void Application_AuthenticateRequest(object sender, EventArgs args)
    {
        if (HttpContext.Current != null)
        {
            String[] roles = GetRolesFromSomeDataTable(HttpContext.Current.User.Identity.Name);

            GenericPrincipal principal = new GenericPrincipal(HttpContext.Current.User.Identity, roles);

            Thread.CurrentPrincipal = HttpContext.Current.User = principal;
        }
    }
Community
  • 1
  • 1
SQLGrinder
  • 373
  • 4
  • 6
  • 20

1 Answers1

15

I'm using this configuration with SQL Server and MVC3.

Web.config:

<system.web>
<roleManager enabled="true" defaultProvider="SqlRoleManager">
  <providers>
    <clear />
    <add name="SqlRoleManager" type="System.Web.Security.SqlRoleProvider"   connectionStringName="SqlRoleManagerConnection" applicationName="YourAppName" />
  </providers>
</roleManager>

....

<authentication mode="Windows" />

....

<connectionStrings>

<add name="SqlRoleManagerConnection" connectionString="Data Source=YourDBServer;Initial Catalog=AppServices;Integrated Security=True;" providerName=".NET Framework Data Provider for OLE DB" />
</connectionStrings>

To inicialize roles:

Global.asax.cs

using System.Web.Security;

////
protected void Application_Start()
{

   //You could run this code one time and then manage the rest in your application.
   // For example:

   // Roles.CreateRole("Administrator");    
   // Roles.AddUserToRole("YourDomain\\AdminUser", "Administrator");


   Roles.CreateRole("CustomRole");   

   Roles.AddUserToRole("YourDomain\\DomainUser", "CustomRole");

 }

In your Controller

[Authorize(Roles ="CustomRole")]
public class HomeController : Controller
 {

To manage users

 public class Usuario
{
    public string UserName { get; set; }
    public string RoleName { get; set; }
    public string Name { get; set; }
    public const string Domain = "YourDomain\\";


    public void Delete()
    {
        Roles.RemoveUserFromRole(this.UserName, this.RoleName);
    }

    public void Save()
    {
        if (Roles.IsUserInRole(Usuario.Domain + this.UserName, this.RoleName) == false)
        {
            Roles.AddUserToRole(Usuario.Domain + this.UserName, this.RoleName);
        }
    }
}

Users Class

public class Usuarios : List<Usuario>
{

    public void GetUsuarios() //Get application's users
    {

        if (Roles.RoleExists("CustomRole"))
        {
            foreach (string _usuario in Roles.GetUsersInRole("CustomRole"))
            {
                var usuario = new Usuario();
                usuario.UserName = _usuario;
                usuario.RoleName = "CustomRole";
                this.Add(usuario);
            }
        }
  //

  public void GetUsuariosRed() //Get Network Users (AD)
    {
        var domainContext = new PrincipalContext(ContextType.Domain);
        var groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, "Domain Users");

        foreach (var item in groupPrincipal.Members)
        {
            var usuario = new Usuario();
            usuario.UserName = item.SamAccountName;
            usuario.Name = item.Name;
            this.Add(usuario);
        }

    }

You can create an "Admin" controller like this, to manage the users:

[Authorize(Roles = "AdminCustomRole")]
public class AdminController : Controller
{

//

public ActionResult Index()
    {

        var Usuarios = new Usuarios();
        Usuarios.GetUsuarios();
        return View(Usuarios);

    }

[HttpGet]
public ActionResult CreateUser()
    {

        var Usuarios = new Usuarios();
        Usuarios.GetUsuariosRed();

       return View(Usuarios);

    }

//

In my application, custom roles are fixed.

Pablo Claus
  • 5,886
  • 3
  • 29
  • 38
  • In this configuration you are seeding the roles and the role-to-user mapping in the application. How would you provide a solution where you want to provide an administrator the ability to manage this information and provide them with a list of the domain users already in the system? And keep it integrated as new users are added to the domain? – Kevin Junghans Jan 22 '13 at 20:42
  • @Pabloker Great! So far I have been able to add the elements above and get the page to use the authorization from the table using a defined role in the controller. Hooray! However, a couple things aren't working. 1) If the current user cannot be found in the users table the page crashes with System.InvalidOperationException: No user found was found that has the name (domainname). 2) if the current user does not map to the role defined in the controller the page crashes: The resource cannot be found. /login.aspx How do I trap and handle these situations? – SQLGrinder Jan 22 '13 at 23:30
  • I'm glad to hear that my solution works. Regarding to your questions, I suggest you something like this: http://stackoverflow.com/questions/5348668/how-to-use-custom-errors-page-in-windows-authentication/6852790#6852790 – Pablo Claus Jan 22 '13 at 23:49
  • @Pabloker I am a little fuzzy on how to manage the users. I am using the webpages_users table with only RoleManager Provider. Do you add a membership provider to add/remove domain users selected from domain list or do this manually? – SQLGrinder Jan 24 '13 at 22:57
  • Maybe you could include it in a new question. I need to see what did you do so far.. – Pablo Claus Jan 25 '13 at 11:17
  • @Pabloker new question and code posted [link](http://stackoverflow.com/questions/14611254/mvc4-simplememberhip-intranet-webapp-with-custom-roles) – SQLGrinder Jan 30 '13 at 18:45
  • 1
    @Pabloker: I tried your answer, but there is a problem about finding some Stored Procedures inside 'AppServices" database. i should mention that i created 'AppServices' database manually and it is empty. error says that: "Could not find stored procedure 'dbo.aspnet_CheckSchemaVersion'." is there something else to do? oh, maybe you should know I'm using MVC 4. – Amir Oveisi Jul 26 '13 at 08:07