5.11. Authentication

The ASP.NET technology has a powerful mechanism for managing authentication in .NET applications called ASP.NET Identity. The infrastructure of OWIN and AspNet Identity make it possible to perform both standard authentication and authentication via external services through accounts in Google, Twitter, Facebook, et al.

The description of the ASP.NET Identity technology is quite comprehensive and goes beyond the scope of this publication but you can read about it at https://www.asp.net/identity.

For our application, we will take a less complicated approach based on form authentication. Enabling form authentication entails some changes in the web.config configuration file. Find the <system.web> section and insert the following subsection inside it:

  1. <authentication mode="Forms">
  2.   <forms name="cookies" timeout="2880" loginUrl="~/Account/Login"
  3.          defaultUrl="~/Invoice/Index"/>
  4. </authentication>

Setting mode="Forms" enables form authentication. Some parameters need to follow it. The following list of parameters is available:

cookieless

specifies whether cookie sets are used and how they are used. It can take the following values:

  • UseCookies

    specifies that the cookie sets will always be used, regardless of the device

    UseUri

    cookies sets are never used

    AutoDetect

    if the device supports cookie sets, they are used, otherwise, they are not used; a test determining their support is run for this setting.

    UseDeviceProfile

    if the device supports cookie sets, they are used, otherwise, they are not used; no detection test is run. Used by default.

defaultUrl

specifies the URL to redirect to after authentication

domain

specifies cookie sets for the entire domain, allowing for the same cookie sets to be used for the main domain and its sub-domains. By default, its value is an empty string.

loginUrl

the URL for user authentication. The default value is "~/Account/Login".

name

specifies the name for the cookie set. The default value is ".ASPXAUTH".

path

specifies the path for the cookie set. The default value is "/".

requireSSL

specifies whether an SSL connection is required for sending cookie sets. The default value is false

timeout

specifies the timeout for cookies in minutes.

In our application, we will store authentication data in the same database that stores all other data to avoid the need for an additional connection string.

5.11.1. Infrastructure for Authentication

Now we need to create all the infrastructure required for authentication — models, controllers and views. The WebUser model describes the user:

  1. [Table("Firebird.WEBUSER")]
  2. public partial class WEBUSER
  3. {
  4.   [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage",
  5.    "CA2214:DoNotCallOverridableMethodsInConstructors")]
  6.   public WEBUSER()
  7.   {
  8.     WEBUSERINROLES = new HashSet<WEBUSERINROLE>();
  9.   }
  11.   [Key]
  12.   [DatabaseGenerated(DatabaseGeneratedOption.None)]
  13.   public int WEBUSER_ID { get; set; }
  15.   [Required]
  16.   [StringLength(63)]
  17.   public string EMAIL { get; set; }
  19.   [Required]
  20.   [StringLength(63)]
  21.   public string PASSWD { get; set; }
  23.   [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage",
  24.    "CA2227:CollectionPropertiesShouldBeReadOnly")]
  25.   public virtual ICollection<WEBUSERINROLE> WEBUSERINROLES { get; set; }
  26. }

We’ll add two more models: one for the description of roles (WEBROLE) and another one for binding the roles to users (WEBUSERINROLE).

  1. [Table("Firebird.WEBROLE")]
  2. public partial class WEBROLE
  3. {
  4.   [Key]
  5.   [DatabaseGenerated(DatabaseGeneratedOption.None)]
  6.   public int WEBROLE_ID { get; set; }
  8.   [Required]
  9.   [StringLength(63)]
  10.   public string NAME { get; set; }
  11. }
  1. [Table("Firebird.WEBUSERINROLE")]
  2. public partial class WEBUSERINROLE
  3. {
  4.   [Key]
  5.   [DatabaseGenerated(DatabaseGeneratedOption.None)]
  6.   public int ID { get; set; }
  8.   [Required]
  9.   public int WEBUSER_ID { get; set; }
  11.   [Required]
  12.   public int WEBROLE_ID { get; set; }
  14.   public virtual WEBUSER WEBUSER { get; set; }
  16.   public virtual WEBROLE WEBROLE { get; set; }
  17. }

We will use the Fluent API to specify relations between WEBUSER and WEBUSERINROLE in the DbModel class.

  2.   public virtual DbSet<WEBUSER> WEBUSERS { get; set; }
  3.   public virtual DbSet<WEBROLE> WEBROLES { get; set; }
  4.   public virtual DbSet<WEBUSERINROLE> WEBUSERINROLES { get; set; }
  6.   protected override void OnModelCreating(DbModelBuilder modelBuilder)
  7.   {
  8.     modelBuilder.Entity<WEBUSER>()
  9.       .HasMany(e => e.WEBUSERINROLES)
  10.       .WithRequired(e => e.WEBUSER)
  11.       .WillCascadeOnDelete(false);
  12.     
  13.   }

Since we use the Database First technology, tables in the database can be created automatically. I prefer to control the process so here is a script for creating the additional tables:

  1. RECREATE TABLE WEBUSER (
  2.   WEBUSER_ID INT NOT NULL,
  3.   EMAIL VARCHAR(63) NOT NULL,
  4.   PASSWD VARCHAR(63) NOT NULL,
  5.   CONSTRAINT PK_WEBUSER PRIMARY KEY(WEBUSER_ID),
  6.   CONSTRAINT UNQ_WEBUSER UNIQUE(EMAIL)
  7. );
  9. RECREATE TABLE WEBROLE (
  10.   WEBROLE_ID INT NOT NULL,
  11.   NAME VARCHAR(63) NOT NULL,
  12.   CONSTRAINT PK_WEBROLE PRIMARY KEY(WEBROLE_ID),
  13.   CONSTRAINT UNQ_WEBROLE UNIQUE(NAME)
  14. );
  16. RECREATE TABLE WEBUSERINROLE (
  17.   ID INT NOT NULL,
  18.   WEBUSER_ID INT NOT NULL,
  19.   WEBROLE_ID INT NOT NULL,
  20.   CONSTRAINT PK_WEBUSERINROLE PRIMARY KEY(ID)
  21. );
  23. ALTER TABLE WEBUSERINROLE
  24. ADD CONSTRAINT FK_WEBUSERINROLE_USER
  25. FOREIGN KEY (WEBUSER_ID) REFERENCES WEBUSER (WEBUSER_ID);
  27. ALTER TABLE WEBUSERINROLE
  28. ADD CONSTRAINT FK_WEBUSERINROLE_ROLE
  29. FOREIGN KEY (WEBROLE_ID) REFERENCES WEBROLE (WEBROLE_ID);
  31. RECREATE SEQUENCE SEQ_WEBUSER;
  32. RECREATE SEQUENCE SEQ_WEBROLE;
  33. RECREATE SEQUENCE SEQ_WEBUSERINROLE;
  35. SET TERM ^;
  37. RECREATE TRIGGER TBI_WEBUSER
  38. FOR WEBUSER
  39. ACTIVE BEFORE INSERT
  40. AS
  41. BEGIN
  42.   IF (NEW.WEBUSER_ID IS NULL) THEN
  43.     NEW.WEBUSER_ID = NEXT VALUE FOR SEQ_WEBUSER;
  44. END^
  46. RECREATE TRIGGER TBI_WEBROLE
  47. FOR WEBROLE
  48. ACTIVE BEFORE INSERT
  49. AS
  50. BEGIN
  51.   IF (NEW.WEBROLE_ID IS NULL) THEN
  52.     NEW.WEBROLE_ID = NEXT VALUE FOR SEQ_WEBROLE;
  53. END^
  55. RECREATE TRIGGER TBI_WEBUSERINROLE
  56. FOR WEBUSERINROLE
  57. ACTIVE BEFORE INSERT
  58. AS
  59. BEGIN
  60.   IF (NEW.ID IS NULL) THEN
  61.     NEW.ID = NEXT VALUE FOR SEQ_WEBUSERINROLE;
  62. END^
  64. SET TERM ;^

To test it, we’ll add two users and two roles:

  1. INSERT INTO WEBUSER (EMAIL, PASSWD) VALUES ('john', '12345');
  2. INSERT INTO WEBUSER (EMAIL, PASSWD) VALUES ('alex', '123');
  3. COMMIT;
  5. INSERT INTO WEBROLE (NAME) VALUES ('admin');
  6. INSERT INTO WEBROLE (NAME) VALUES ('manager');
  7. COMMIT;
  9. -- Link users and roles
  10. INSERT INTO WEBUSERINROLE(WEBUSER_ID, WEBROLE_ID) VALUES(1, 1);
  11. INSERT INTO WEBUSERINROLE(WEBUSER_ID, WEBROLE_ID) VALUES(1, 2);
  12. INSERT INTO WEBUSERINROLE(WEBUSER_ID, WEBROLE_ID) VALUES(2, 2);
  13. COMMIT;
Comment about passwords

Usually, some hash from the password, rather than the actual password, is stored in an open form, using the PBKDF2 algorithm, for example. For our example, we have simplified authentication somewhat.

Our code will not interact directly with the WebUser model during registration and authentication. Instead, we will add some special models to the project:

  1. namespace FBMVCExample.Models
  2. {
  3.   using System;
  4.   using System.Collections.Generic;
  5.   using System.ComponentModel.DataAnnotations;
  6.   using System.ComponentModel.DataAnnotations.Schema;
  7.   using System.Data.Entity.Spatial;
  9.   // Login model
  10.   public class LoginModel
  11.   {
  12.     [Required]
  13.     public string Name { get; set; }
  15.     [Required]
  16.     [DataType(DataType.Password)]
  17.     public string Password { get; set; }
  18.   }
  20.   // Model for registering a new user
  21.   public class RegisterModel
  22.   {
  23.     [Required]
  24.     public string Name { get; set; }
  26.     [Required]
  27.     [DataType(DataType.Password)]
  28.     public string Password { get; set; }
  30.     [Required]
  31.     [DataType(DataType.Password)]
  32.     [Compare("Password", ErrorMessage = " Passwords do not match ")]
  33.     public string ConfirmPassword { get; set; }
  34.   }
  35. }

These models will be used for the authentication and registration views, respectively. The authentication view is coded as follows:

  1. @model FBMVCExample.Models.LoginModel
  3. @{
  4.   ViewBag.Title = "Login";
  5. }
  7. <h2>Login</h2>
  9. @using (Html.BeginForm())
  10. {
  11.   @Html.AntiForgeryToken()
  12.   <div class="form-horizontal">
  14.     @Html.ValidationSummary(true)
  15.     <div class="form-group">
  17.       @Html.LabelFor(model => model.Name,
  18.         new { @class = "control-label col-md-2" })
  19.       <div class="col-md-10">
  20.         @Html.EditorFor(model => model.Name)
  21.         @Html.ValidationMessageFor(model => model.Name)
  22.       </div>
  23.     </div>
  25.     <div class="form-group">
  26.       @Html.LabelFor(model => model.Password,
  27.         new { @class = "control-label col-md-2" })
  28.       <div class="col-md-10">
  29.         @Html.EditorFor(model => model.Password)
  30.         @Html.ValidationMessageFor(model => model.Password)
  31.       </div>
  32.     </div>
  34.     <div class="form-group">
  35.       <div class="col-md-offset-2 col-md-10">
  36.         <input type="submit" value="Logon" class="btn btn-default" />
  37.       </div>
  38.     </div>
  39.   </div>
  40. }
  42. @section Scripts {
  43.   @Scripts.Render("~/bundles/jqueryval")
  44. }
  46. The registration view, in turn, is coded as follows:
  47. @model FBMVCExample.Models.RegisterModel
  49. @{
  50.   ViewBag.Title = "Registration";
  51. }
  53. <h2>???????????</h2>
  55. @using (Html.BeginForm())
  56. {
  57.   @Html.AntiForgeryToken()
  58.   <div class="form-horizontal">
  60.     @Html.ValidationSummary(true)
  61.     <div class="form-group">
  62.       @Html.LabelFor(model => model.Name,
  63.         new { @class = "control-label col-md-2" })
  65.       <div class="col-md-10">
  66.         @Html.EditorFor(model => model.Name)
  67.         @Html.ValidationMessageFor(model => model.Name)
  68.       </div>
  69.     </div>
  71.     <div class="form-group">
  72.       @Html.LabelFor(model => model.Password,
  73.         new { @class = "control-label col-md-2" })
  75.       <div class="col-md-10">
  76.         @Html.EditorFor(model => model.Password)
  77.         @Html.ValidationMessageFor(model => model.Password)
  78.       </div>
  79.     </div>
  81.     <div class="form-group">
  82.       @Html.LabelFor(model => model.ConfirmPassword,
  83.         new { @class = "control-label col-md-2" })
  85.       <div class="col-md-10">
  86.         @Html.EditorFor(model => model.ConfirmPassword)
  87.         @Html.ValidationMessageFor(model => model.ConfirmPassword)
  88.       </div>
  89.     </div>
  91.     <div class="form-group">
  92.       <div class="col-md-offset-2 col-md-10">
  93.         <input type="submit" value="Register"
  94.                class="btn btn-default" />
  95.       </div>
  96.     </div>
  97.   </div>
  98. }
  100. @section Scripts {
  101.   @Scripts.Render("~/bundles/jqueryval")
  102. }
Comment about users

The model, views and controllers for user authentication and registration are made as simple as possible in this example. A user usually has a lot more attributes than just a username and a password.

Now let us add one more controller — AccountController — with the following contents:

  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Web;
  5. using System.Web.Mvc;
  6. using System.Web.Security;
  7. using FBMVCExample.Models;
  9. namespace FBMVCExample.Controllers
  10. {
  11.   public class AccountController : Controller
  12.   {
  13.     public ActionResult Login()
  14.     {
  15.       return View();
  16.     }
  18.     [HttpPost]
  19.     [ValidateAntiForgeryToken]
  20.     public ActionResult Login(LoginModel model)
  21.     {
  22.       if (ModelState.IsValid)
  23.       {
  24.         // search user in db
  25.         WEBUSER user = null;
  26.         using (DbModel db = new DbModel())
  27.         {
  28.           user = db.WEBUSERS.FirstOrDefault(
  29.                u => u.EMAIL == model.Name &&
  30.                     u.PASSWD == model.Password);
  31.         }
  32.         // if you find a user with a login and password,
  33.         // then remember it and do a redirect to the start page
  34.         if (user != null)
  35.         {
  36.           FormsAuthentication.SetAuthCookie(model.Name, true);
  37.           return RedirectToAction("Index", "Invoice");
  38.         }
  39.         else
  40.         {
  41.           ModelState.AddModelError("",
  42.             " A user with such a username and password does not exist ");
  43.         }
  44.       }
  45.       return View(model);
  46.     }
  48.     [Authorize(Roles = "admin")]
  49.     public ActionResult Register()
  50.     {
  51.       return View();
  52.     }
  54.     [HttpPost]
  55.     [ValidateAntiForgeryToken]
  56.     public ActionResult Register(RegisterModel model)
  57.     {
  58.       if (ModelState.IsValid)
  59.       {
  60.         WEBUSER user = null;
  61.         using (DbModel db = new DbModel())
  62.         {
  63.           user = db.WEBUSERS.FirstOrDefault(u => u.EMAIL == model.Name);
  64.         }
  65.         if (user == null)
  66.         {
  67.           // create a new user
  68.           using (DbModel db = new DbModel())
  69.           {
  70.             // get a new identifier using a sequence
  71.             int userId = db.NextValueFor("SEQ_WEBUSER");
  72.             db.WEBUSERS.Add(new WEBUSER {
  73.               WEBUSER_ID = userId,
  74.               EMAIL = model.Name,
  75.               PASSWD = model.Password
  76.             });
  77.             db.SaveChanges();
  78.             user = db.WEBUSERS.Where(u => u.WEBUSER_ID == userId)
  79.                      .FirstOrDefault();
  80.             // find the role of manager
  81.             // This role will be the default role, i.e.
  82.             // will be issued automatically upon registration
  83.             var defaultRole =
  84.                 db.WEBROLES
  85.                   .Where(r => r.NAME == "manager")
  86.                   .FirstOrDefault();
  87.             // Assign the default role to the newly added user
  88.             if (user != null && defaultRole != null)
  89.             {
  90.               db.WEBUSERINROLES.Add(new WEBUSERINROLE
  91.                 {
  92.                   WEBUSER_ID = user.WEBUSER_ID,
  93.                   WEBROLE_ID = defaultRole.WEBROLE_ID
  94.                 });
  95.               db.SaveChanges();
  96.             }
  97.           }
  98.           // if the user is successfully added to the database
  99.           if (user != null)
  100.           {
  101.             FormsAuthentication.SetAuthCookie(model.Name, true);
  102.             return RedirectToAction("Login", "Account");
  103.           }
  104.         }
  105.         else
  106.         {
  107.           ModelState.AddModelError("",
  108.             "User with such login already exists");
  109.         }
  110.       }
  111.       return View(model);
  112.     }
  114.     public ActionResult Logoff()
  115.     {
  116.       FormsAuthentication.SignOut();
  117.       return RedirectToAction("Login", "Account");
  118.     }
  119.   }
  120. }

Note the attribute [Authorize(Roles = "admin")] to stipulate that only a user with the admin role can perform the user registration operation. This mechanism is called an authentication filter. We will get back to it a bit later.

Adding a New User

We add a new user to the database during registration and check during authentication as to whether that user exists. If the user is found, we use form authentication to set a cookie, as follows:

  1. FormsAuthentication.SetAuthCookie(model.Name, true);

All information about a user in Asp.Net MVC is stored in the proprty HttpContext.User that implements the IPrincipal interface defined in the System.Security.Principal namespace.

The IPrincipal interface defines the Identity property that stores the object of the IIdentity interface describing the current user.

The IIdentity interface has the following properties:

AuthenticationType

authentication type

IsAuthenticated

returns true if the user is logged in

Name

the username in the system

To determine whether a user is logged in, ASP.NET MVC receives cookies from the browser and if the user is logged in, the property IIdentity.IsAuthenticated is set to true and the Name property gets the username as its value.

Next, we will add authentication items using the universal providers mechanism.

Universal Providers

Universal providers offer a ready-made authentication functionality. At the same time, these providers are flexible enough that we can redefine them to work in whatever way we need them to. It is not necessary to redefine and use all four providers. That is handy if we do not need all of the fancy ASP.NET Identity features, but just a very simple authentication system.

So, our next step is to redefine the role provider. To do this, we need to add the Microsoft.AspNet.Providers package using NuGet.

Defining the Role Provider

To define the role provider, first we add the Providers folder to the project and then add a new MyRoleProvider class to it:

  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Web;
  5. using System.Web.Security;
  6. using FBMVCExample.Models;
  8. namespace FBMVCExample.Providers
  9. {
  10.   public class MyRoleProvider : RoleProvider
  11.   {
  12.     /// <summary>
  13.     /// Returns the list of user roles
  14.     /// </summary>
  15.     /// <param name="username">Username</param>
  16.     /// <returns></returns>
  17.     public override string[] GetRolesForUser(string username)
  18.     {
  19.       string[] roles = new string[] { };
  20.       using (DbModel db = new DbModel())
  21.       {
  22.         // Get the user
  23.         WEBUSER user = db.WEBUSERS.FirstOrDefault(
  24.                          u => u.EMAIL == username);
  25.         if (user != null)
  26.         {
  27.           // fill in an array of available roles
  28.           int i = 0;
  29.           roles = new string[user.WEBUSERINROLES.Count];
  30.           foreach (var rolesInUser in user.WEBUSERINROLES)
  31.           {
  32.             roles[i] = rolesInUser.WEBROLE.NAME;
  33.             i++;
  34.           }
  35.         }
  36.       }
  37.       return roles;
  38.     }
  40.     /// <summary>
  41.     /// Creating a new role
  42.     /// </summary>
  43.     /// <param name="roleName">Role name</param>
  44.     public override void CreateRole(string roleName)
  45.     {
  46.       using (DbModel db = new DbModel())
  47.       {
  48.         WEBROLE newRole = new WEBROLE() { NAME = roleName };
  49.         db.WEBROLES.Add(newRole);
  50.         db.SaveChanges();
  51.       }
  52.     }
  54.     /// <summary>
  55.     /// Returns whether the user role is present
  56.     /// </summary>
  57.     /// <param name="username">User name</param>
  58.     /// <param name="roleName">Role name</param>
  59.     /// <returns></returns>
  60.     public override bool IsUserInRole(string username, string roleName)
  61.     {
  62.       bool outputResult = false;
  63.       using (DbModel db = new DbModel())
  64.       {
  65.         var userInRole =
  66.             from ur in db.WEBUSERINROLES
  67.             where ur.WEBUSER.EMAIL == username &&
  68.                   ur.WEBROLE.NAME == roleName
  69.             select new { id = ur.ID };
  70.         outputResult = userInRole.Count() > 0;
  71.       }
  72.       return outputResult;
  73.     }
  75.     public override void AddUsersToRoles(string[] usernames,
  76. string[] roleNames)
  77.     {
  78.       throw new NotImplementedException();
  79.     }
  81.     public override string ApplicationName
  82.     {
  83.       get { throw new NotImplementedException(); }
  84.       set { throw new NotImplementedException(); }
  85.     }
  87.     public override bool DeleteRole(string roleName,
  88. bool throwOnPopulatedRole)
  89.     {
  90.       throw new NotImplementedException();
  91.     }
  93.     public override string[] FindUsersInRole(string roleName,
  94. string usernameToMatch)
  95.     {
  96.       throw new NotImplementedException();
  97.     }
  99.     public override string[] GetAllRoles()
  100.     {
  101.       throw new NotImplementedException();
  102.     }
  104.     public override string[] GetUsersInRole(string roleName)
  105.     {
  106.       throw new NotImplementedException();
  107.     }
  109.     public override void RemoveUsersFromRoles(string[] usernames,
  110. string[] roleNames)
  111.     {
  112.       throw new NotImplementedException();
  113.     }
  115.     public override bool RoleExists(string roleName)
  116.     {
  117.       throw new NotImplementedException();
  118.     }
  119.   }
  120. }

For the purpose of illustration, three methods are redefined:

GetRolesForUser

for obtaining a set of roles for a specified user

CreateRole

for creating a role

IsUserInRole

determines whether the user has a specified role in the system

Configuring the Role Provider for Use

To use the role provider in the application, we need to add its definition to the configuration file. Open the web.config file and remove the definition of providers added automatically during the installation of the Microsoft.AspNet.Providers package.

Next, we insert our provider within the system.web section:

  1. <system.web>
  2.   <authentication mode="Forms">
  3.     <forms name="cookies" timeout="2880" loginUrl="~/Account/Login"
  4.            defaultUrl="~/Invoice/Index"/>
  5.   </authentication>
  6.   <roleManager enabled="true" defaultProvider="MyRoleProvider">
  7.     <providers>
  8.       <add name="MyRoleProvider"
  9.            type="FBMVCExample.Providers.MyRoleProvider" />
  10.     </providers>
  11.   </roleManager>
  12. </system.web>