Showing posts from October, 2013

Adding Email Confirmation to ASP.NET Identity in MVC 5

In a previous article I demonstrated how to customize the user profile information in ASP.NET Identity. Specifically, I showed how to capture an email address for the user. We will expand on this work and add email confirmation to the registration process. This process will send an email to the user with a link they can click on to confirm their registration and log in to the system. Prior to confirmation they will not be able to log in. This process will be similar to the one I described for adding email confirmation to SimpleMembership.

First we need to modify the user information to store the confirmation token and a flag indicating whether confirmation was completed or not. So now our ApplicationUser looks like this.

public class ApplicationUser : IdentityUser
{
    public string Email { get; set; }
    public string ConfirmationToken { get; set; }
    public bool IsConfirmed { get; set; }
}

If you have already made changes to the ApplicationUser…

Upgrading a Web Application Using SimpleMembership to ASP.NET MVC 5

I recently tried to upgrade the SimpleSecurity reference application from MVC 4 to MVC 5 and ran into some issues. SimpleSecurity encapsulates and decouples SimpleMembership from your ASP.NET application, and the underlying issue was compatibility between the WebMatrix assemblies that SimpleMembership uses and the new assemblies for MVC version 5, Web API version 5, and Razor version 3.

I followed the instructions for upgrading to MVC 5 that are posted here and received this error on application start.
Attempt by security transparent method 'WebMatrix.WebData.PreApplicationStartCode.Start()' to access security critical method 'System.Web.WebPages.Razor.WebPageRazorHost.AddGlobalImport(System.String)' failed.

I did some research and found that others were having the same issue. Well, it turns out I did not follow the instructions exactly. Here is one note in the instructions I did not pay close attention to.

Note: Microsoft-Web-Helpers has been replaced  with Microsoft.AspNe…

Customizing ASP.NET Identity in MVC 5

Those of you who follow my blog know that one of the subjects I write a lot about is customizing SimpleMembership for ASP.NET security in web applications, and some of you have been asking if I have tried using it with Visual Studio 2013 RC or Preview. Recently I have taken the time to explore using SimpleSecurity and SimpleMembership with VS 2013 RC and, more recently, the final release now available to MSDN Subscribers. The short of it is that there are problems with upgrading to MVC 5, which was released to coincide with VS 2013, as described in this StackOverflow QA. You can still develop your MVC 4 applications in VS 2013, but you will miss out on some of the new features available in MVC 5 and Razor 3.

The other problem is that SimpleMembership is going away in MVC 5 as the provider for ASP.NET security. Microsoft has gone to another membership provider called ASP.NET Identity. In this article I will start looking at how to customize ASP.NET Identity and contrast that with…

Improving Performance of SimpleMembership By Using Claims-Based Access Control

Claims-based identity and access control became first-class citizens with the introduction of .NET version 4.5. This, along with the integration of Windows Identity Foundation (WIF), has added some very powerful security features to .NET 4.5. In this article I will look at how we can make some simple changes to SimpleSecurity to make it more efficient and reduce the number of times we need to hit the database during authorization by retrieving some of the information we need from claims. If you are not familiar with claims there is a good introduction here.

I originally introduced the idea of decoupling the security model from the application by creating a custom AuthorizeAttribute that accepted a resource and operation instead of a role. You can read more about it here and some later improvements here. In these designs I overrode the OnAuthorization method, and it looked like this.

public override void OnAuthorization(AuthorizationContext actionContext) { base.Roles = ResourceService…