Showing posts from 2014

Recent Updates to SimpleSecurity

The latest bits for SimpleSecurity have been updated to include the Manage controller, which allows users to change their password and their external logons.  This was a major request by readers of this blog.  It will also be the place where users will configure two-factor authentication.  This will be the next feature added to SimpleSecurity and it will support email, SMS, and phone.

So watch these pages for a post on how to add two-factor authentication with ASP.NET Identity that supports email, SMS, and phone.  With all of the cyber security attacks these days you should seriously consider adding two-factor authentication to your web site.

Using External Logins with ASP.NET Identity

A feature request for SimpleSecurity has been the ability to support external logins.  This has been completed and by default it supports login with a Google account.  Google login is enabled because it does not require setup of any accounts on the provider side.  In order to enable other social logins, like Facebook, follow this tutorial for ASP.NET Identity, which will work the same way in SimpleSecurity.

As part of this process I have also upgraded SimpleSecurity to ASP.NET Identity 2.0.  This version of ASP.NET Identity has added missing features that SimpleSecurity already provided, such as email confirmation and password reset.  It has also added some other beneficial features that you can read about here.  Watch for future posts in this blog that will compare the ASP.NET Identity team's implementation of email confirmation with SimpleSecurity's, and explore some of the other new features.

For those that have not been following the evolution of SimpleSecurity it originally wa…

Performing Authorization In Class Libraries Without Coupling Security in ASP.NET Identity

Most of the time it makes sense to perform authorization at the Controller or Web API level in an ASP.NET MVC application using an AuthorizeAttribute on the controller or action.  This handles at least 95% of the scenarios but occasionally it makes sense to handle authorization down in a class library or it needs to be handled in code for more complex situations. An example might be an application that allows users to create folders and files that have individual permissions.  In this scenario the resource being acted upon must be determined at run-time and therefore we cannot use a static AuthorizeAttribute.

So how do we determine permissions on a dynamic resource without coupling security with our application domain?  This is a good time to use a custom ClaimsAuthorizationManager.  A ClaimsAuthorizationManager will allow a class library to loosely couple authorization in our application domain and configure it at deployment.  Here is an example of using the ClaimsAuthorizationManage…

Migrating an Existing Website from SimpleMembership to ASP.NET Identity (Update)

In a previous post I described how to move the data from a SimpleMembership database to an ASP.NET Identity database.  After some more research I found that the ASP.NET Identity Team has put together a sample solution for migrating from SimpleMembership to ASP.NET Identity that includes some SQL scripts to assist with the migration.  Be sure to check out this solution on CodePlex if you are migrating your SimpleMembership website.

I also realized that in my previous post I did not mention the benefit of using SimpleSecurity in your migration.  SimpleSecurity contains an implementation of ASP.NET Identity that has an API that is a super-set of the WebSecurity class used in SimpleMembership.  This will allow you to plug ASP.NET Identity into your existing code base with little to no changes.  In addition, it provides features such as email confirmation during registration and password reset that are not available in the initial release of ASP.NET Identity.

Happy Migrations.

Migrating an Existing Website from SimpleMembership to ASP.NET Identity

ASP.NET Identity is replacing SimpleMembership as the security/membership framework to use when creating ASP.NET applications.  If you are moving to MVC 5 and Visual Studio 2013, the ASP.NET templates generate code that uses ASP.NET Identity.  ASP.NET Identity is much more extensible than SimpleMembership and it uses the new OWIN architecture available in MVC 5.  I think that ASP.NET Identity is an improvement over SimpleMembership and the old membership provider model that historically was used with ASP.NET applications.  The main problem I have with it is the lack of documentation that is currently available.  One article I was looking for in particular was how to migrate an existing website that uses SimpleMembership to ASP.NET Identity.  You can move to MVC 5 and keep using SimpleMembership, as I wrote about here.  But what if you wanted to take advantage of the benefits and features of ASP.NET Identity in a legacy website?  Microsoft wrote about Migrating an Existing Website from SQ…