Is there a good security library for MVC 3? I am interested in a lightweight Users-Roles-Rights library. I could write the library myself, but I would like to see if there is a good library to leverage which could save some time.
I can leverage Asp.Net security, but I would prefer not to have a separate database. Is it possible to add those tables to my database?
One important point is that this is an Intranet application, which will be us开发者_运维技巧ing Active Directory authenticataion.
I would recommend Rhino Security. I use it in a few of my projects at work and it's been a pretty smooth ride. You do not need a separate database.
The best resource is probably on Ayendes blog. The project is open source and is up on GitHub.
If you go with the built-in ASP.NET security model (users, roles etc) you can add the tables to your own database using the Aspnet_regsql.exe command/wizard.
The ASP.NET Web Site Administration Tool can then be used to do stuff like add users and assign roles (In Visual Studio go to the Website menu, then "ASP.Net Configuration").
Within MVC you can then use the [Authorize] attribute (documentation) to mark controllers or action methods as requiring authorisation or specific roles or users.
It's all about: What and How to secure?
I created an Online Service recently based on a CRM API, and I used the Entity Framework (as my ORM) with my own Membership Provider and Roles Provider (I told how in this question)
where in the Database, all I have is a simple tblUsers and tblRoles.
using the .NET Providers you will end up be happy that you can easily use the methods available for you such as
[Authorize(Roles = "Partner, Admin")]
public ActionResult MyAction()
{
...
}
and
@if (Roles.IsUserInRole(Context.User.Identity.Name, "Admin"))
{
<div>You're an ADMIN, Congrats!</div>
}
For securing the access passwords, I asked here about the best method, and I ended up using BCrypt witch is extremely easy to use.
If you need to have more than just this, I would go with alexn answer and use NHibernate with Rhino-Security.
Always have a separate database for your users/passwords/roles and I would recommend sticking with the .net authentication providers. If your application gets compromised a hacker could find it easier to read users/roles/passwords if you have them stored in the same DB. Even if you've got encrypted passwords hackers have rainbow tables (if they can read the encrypted password chances are they can read the salt too and brute force it offline).
There are a lot of security features built into the .net authentication providers that you wouldn't normally think about when rolling your own (rolling your own is always bad for anything security related).
Also, I would take a look at what is available in the OWASP ESAPI for .NET to see if it would be useful. Its not MVC or authentication specific but there will be a lot of useful features you can use throughout your application.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
In short to answer your question: Yes there is a good security library for .net, it comes built-in.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论