Altairis Web Security Toolkit

Closed Issue: SimpleSqlProfileProvider is not Unicode compatible [33674]

altair — Thu, 17 Jan 2013 15:17:45 GMT

KeyValue column (where the User Name is stored) is getting its value via a varchar type parameter instead of nvarchar. That means if one needs to provide Unicode characters as user name it will strip some useful characters from that.
Comments: That's one of the reasons why it's deprecated and not recommended to be used anymore. Use http://code.msdn.microsoft.com/aspnet4profile

Created Issue: SimpleSqlProfileProvider is not Unicode compatible [33674]

denes — Thu, 17 Jan 2013 12:55:43 GMT

Source code checked in, #99885

Project Collection Service Accounts — Mon, 01 Oct 2012 21:24:31 GMT

Upgrade: New Version of LabDefaultTemplate.xaml. To upgrade your build definitions, please visit the following link: http://go.microsoft.com/fwlink/?LinkId=254563

Source code checked in, #99884

Project Collection Service Accounts — Mon, 01 Oct 2012 21:16:08 GMT

Checked in by server upgrade

Created Issue: UserID in RoleMemberships Table [32976]

merarischroeder — Fri, 27 Jul 2012 06:18:38 GMT

You support userKeyType="IntIdentity", which is great for linking the user throughout the rest of the DB, however it would be beneficial if this was:

1) Supported by the RoleProvider - perhaps also requiring userKeyType="IntIdentity". That is, supported UserId instead of UserName column.
2) (The default, surrogate keys are the bomb!)

This should help by making UserNames (as well as Email addresses) completely fluid without impacting the DB integrity.

Cheers!

Updated Wiki: Home

altair — Sun, 08 Jul 2012 14:18:52 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, working with any membership provider (including, but not limited to the two contained in this library)

The original release (older than 2.0) contained also Simple SQL Providers, which are no longer developed and were replaced by SQL Table Providers mentioned above. The relevant classes are still present in the assembly, but are now marked as obsolete.

Altairis Web Security toolkit is in the NuGet Gallery

You may install Altairis Web Security Toolkit using the NuGet package manager (former NuPack). The package name is Altairis.Web.Security,

For more info about NuGet visit http://www.nuget.org.

Database agnostic providers

Since release 2.2.0 are the TableMembershipProvider and TableRoleProvider classes database agnostic. They should be working with any SQL database, for which an ADO.NET provider is available. Currently, SQL Server and SQL Compact 4.0 are tested to work. See the following links for setup instructions:

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Using Entity Framework Code First

The Table*Providers work well with Entity Framework Code first. Read more in the following articles on Culbertson Exchange:

Further information

Author and contact

Updated Wiki: SQL Table Providers

altair — Sun, 08 Jul 2012 14:12:24 GMT

SQL Table Providers

The provider object model, as present in ASP.NET 2.0, is a great step forward from hand-coded behavior in ASP.NET 1.x. But the provider model is only as useful as are available providers. Microsoft .NET itself contains set of providers which can store their data in Microsoft SQL Server database: SqlMembershipProvider, SqlRoleProvider and SqlProfileProvider. However, database structure used by these providers is pretty complicated and almost impossible to interconnect with your own tables etc.

So I created set of my own providers, using very simple table structure. Some functionality of the original providers was lost, especially the ability to store data for several applications in single database. But the simple and straightforward database allows you to easily plug it into your existing infrastructure.

Features

Simplicity, ability to connect to rest of database infrastructure

The main goal of these providers is to use simple table structure, which can be easily connected to other database architecture using foreign keys etc. The tables used are also extendable, additional columns may be created, as long as they are nullable or have default values.

Database independence

The providers are written to be database agnostic, as long as the database has ADO.NET provider and understands SQL and named parameters. Microsoft SQL Server and SQL Compact are the main target databases and the providers are tested to work with them. See the following links for setup instructions:

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Account lockdown not supported

The ASP.NET Membership infrastructure supports the account lockdown feature. After several failed login attempts, the account is disabled. In my eyes this feature offers great opportunity for denial of service attack directed to certain users - I can write a program which will repeatedly login with random passwords and deny access to legitimate users. Therefore the functionality is intentionally not implemented in the providers. use other way to protect your application from dictionary attacks.

Differences from Simple SQL Providers

The first generation of providers was quite successful, so I retained the good bits, but the providers are basically rewritten from scratch, in new .NET 4.0.

The new SQL Table providers have several additional features:

For hashing, the standard HMACSHA512 class and algo are supported, instead of homebrew salting.
Password hash and salt (or key, in HMAC terminology) are stored as binary database fields, not Base64-encoded strings.
The int UserId column was dropped and UserName is now used as primary key instead.
Implemented better tracking of user activity and now supporting the GetNumberOfUsersOnline method.
Names of all tables are now configurable.

The downside of the new password hashing and storage is that there is no upgrade path from the Simple SQL Providers. You can upgrade easily, but the passwords are lost. So in case of upgrading, you need to notify your users and issue new passwords or use some kind of password reset mechanisms.

Configuring the providers in web.config

To use the SQL Table providers, include the following settings in your web.config file:

<configuration>
    <appSettings/>
    <connectionStrings>
        <add name="TableAuthDB" providerName="System.Data.SqlClient" connectionString="..."/>
    </connectionStrings>
    <system.web>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.TableMembershipProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB" />
            </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="MyRoleProvider">
            <providers>
                <clear/>
                <add name="MyRoleProvider" 
                     type="Altairis.Web.Security.TableRoleProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

Configuring membership provider

The following configuration attributes are supported:

Common for all membership providers:
- applicationName (can be set, but is ignored)
- minRequiredNonAlphanumericCharacters
- minRequiredPasswordLength
- passwordStrengthRegularExpression
- requiresUniqueEmail
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- tableName - name of database table to store user information. Default is Users.
- useEmailAddressAsUserName - when set to true, user name is forced to be the same as e-mail address. The requiresUniqueEmail attribute must be set to true as well. By changing e-mail address, user name is changed too, which may cause interoperability problems, so use with caution.
- useDateTimeOffset* - when set to true, the datetimeoffset data type is used internally instead of datetime. Use when working with database structure using it.
- userKeyType - allows specify Custom Provider User Keys; may have following values:
  - UserName (default) - user name is used as provider user key
  - IntIdentity - integer generated by database backend (by means of IDENTITY clause or similar mechanism) is used as provider user key
  - Guid - GUID is generated by membership prpvoder and used as key

Configuring role provider

The following configuration attributes are supported:

Common for all role providers:
- applicationName (can be set, but is ignored)
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- rolesTableName - name of database table to store roles. Default is Roles.
- roleMembershipsTableName - name of database table to store information about role members. Default is RoleMemberships.

Created Release: 2.4.4 (7 08, 2012)

altair — Sun, 08 Jul 2012 14:09:49 GMT

Added UseDateTimeOffset property to TableMembershipProvider, to allow using SQL type datetimeoffset in database.

Released: 2.4.4 (Jul 08, 2012)

Sun, 08 Jul 2012 14:09:49 GMT

Added UseDateTimeOffset property to TableMembershipProvider, to allow using SQL type datetimeoffset in database.

Source code checked in, #98637

altair — Sun, 08 Jul 2012 14:05:19 GMT

* Added UseDateTimeOffset property to TableMembershipProvider * Updated copyright years

Commented Issue: How to use Altairis with Entity Framework 4.3 Migrations? [32273]

altair — Mon, 20 Feb 2012 21:46:46 GMT

Hi,

First off - thanks so much for making this toolkit. I use it on tons of projects to help make memberships even earlier to use :)

I have a small issue trying to create a user when my database is generated using Migrations (EF 4.3).

I receive the following error:
The password-answer supplied is invalid.

My code is:
internal sealed class Configuration : DbMigrationsConfiguration<MyProject.Data.DataContext>
{
public Configuration()
{
AutomaticMigrationsEnabled = true;
}

protected override void Seed(MyProject.Data.DataContext context)
{
// create default User
MembershipCreateStatus status = new MembershipCreateStatus();
User admin = context.Users.Find("TestGuy");
if (admin == null)
{
Membership.CreateUser("TestGuy", "TestGuy123", "testguy@test.com");
if (status == MembershipCreateStatus.Success)
{
admin.Firstname = "Test";
admin.Surname = "Guy";
admin.DateLastActivity = DateTime.Now;
admin.LastActivityRoute = "/Home/Index";
Role adminRole = context.Roles.Find("Administrator");
admin.Roles = new List<Role>();
admin.Roles.Add(adminRole);
}
}
context.SaveChanges();
}
}

The thing is - I don't set one up on the create user call so I'm wondering how I could bypass this option. I have also set requiresQuestionAndAnswer="false" in my web.config on the TableMembershipProvider tag.

I have this question open over at StackOverflow.com -

http://stackoverflow.com/questions/9326115/how-can-i-create-a-user-account-in-my-user-table-using-entity-framework-migratio

Any ideas on how to overcome this would be very handy as all my projects have one super user access setup for me so I can manage the projects for my clients.

Thanks for your help!

Regards,
Rich
Comments: ** Comment from web user: altair **

Honestly, I don't think it's the right and supported way, to try create users from database seeding, especially when the seeding is supposed to work in non-web environments. I would recommend you to bypass the provider and seed the raw data to database.

But I didn't had yet enough time to look into EF 4.3, so take it 'grano salis'.

Commented Issue: How to use Altairis with Entity Framework 4.3 Migrations? [32273]

onimusha_kiyoko — Mon, 20 Feb 2012 20:27:15 GMT

Hi again,

Thanks for your updates. I have managed to get this working by settings the initial user to be created when the user first goes to the Account/Logon page instead of in the database initializer. It's a bit of a shame that the EF 4.3 Seed options don't play nice with memberships. I'm sure they'll sort it out soon or someone else will post a work around.

You're right through, this is not an issue with your provider. This is an issue trying to use the provider with the EF migrations code.

Thanks for your time.

Regards,
Rich

Commented Issue: How to use Altairis with Entity Framework 4.3 Migrations? [32273]

altair — Mon, 20 Feb 2012 16:44:58 GMT

I don't understand the EF database migration and the mechanism is completely unrelated to my providers, which do not have anything in common with EF. So maybe the problem is in context where the provider methods are called.

Can you please provide me with some simple but complete project I can take a look on?

Commented Issue: How to use Altairis with Entity Framework 4.3 Migrations? [32273]

onimusha_kiyoko — Mon, 20 Feb 2012 11:11:22 GMT

My code was not correct in my previous post and I am unable to edit. Please see below for current code. As mentioned, this compiles and database is initialized but no user is created in the User table for me.

// create default User
MembershipCreateStatus status;
User admin = context.Users.Find("TestGuy");
if (admin == null)
{
Membership.CreateUser("TestGuy", "TestGuy123", "testguy@test.com", null, null, true, out status);
if (status == MembershipCreateStatus.Success)
{
admin = context.Users.Find("TestGuy");
admin.Firstname = "Test";
admin.Surname = "Guy";
admin.DateLastActivity = DateTime.Now;
admin.LastActivityRoute = "/Home/Index";
Role adminRole = context.Roles.Find("Administrator");
admin.Roles = new List<Role>();
admin.Roles.Add(adminRole);
}
}

Commented Issue: How to use Altairis with Entity Framework 4.3 Migrations? [32273]

onimusha_kiyoko — Mon, 20 Feb 2012 10:04:34 GMT

Thanks for coming back to me on this issue. I have altered my code so that now it compiles and EF 4.3 runs without any errors but no user is not generated. Any ideas what this could be?

Thanks again for your help with this.

// create default User
MembershipCreateStatus status;
User admin = context.Users.Find("TestGuy");
if (admin == null)
{
Membership.CreateUser("TestGuy", "TestGuy123", "testguy@test.com", null, null, true, out status);
if (status == MembershipCreateStatus.Success)
{
admin.Firstname = "Test";
admin.Surname = "Guy";
admin.DateLastActivity = DateTime.Now;
admin.LastActivityRoute = "/Home/Index";
Role adminRole = context.Roles.Find("Administrator");
admin.Roles = new List<Role>();
admin.Roles.Add(adminRole);
}
}

Commented Issue: How to use Altairis with Entity Framework 4.3 Migrations? [32273]

altair — Fri, 17 Feb 2012 14:54:15 GMT

In your code you don't fill the 'status' variable anywhere -- you just initialize it. That's the first problem I see.

Created Issue: How to use Altairis with Entity Framework 4.3 Migrations? [32273]

onimusha_kiyoko — Fri, 17 Feb 2012 14:24:17 GMT

Hi,

First off - thanks so much for making this toolkit. I use it on tons of projects to help make memberships even earlier to use :)

I have a small issue trying to create a user when my database is generated using Migrations (EF 4.3).

I receive the following error:
The password-answer supplied is invalid.

My code is:
internal sealed class Configuration : DbMigrationsConfiguration<MyProject.Data.DataContext>
{
public Configuration()
{
AutomaticMigrationsEnabled = true;
}

protected override void Seed(QSatCRM.Data.DataContext context)
{
// create default User
MembershipCreateStatus status = new MembershipCreateStatus();
User admin = context.Users.Find("TestGuy");
if (admin == null)
{
Membership.CreateUser("TestGuy", "TestGuy123", "testguy@test.com");
if (status == MembershipCreateStatus.Success)
{
admin.Firstname = "Test";
admin.Surname = "Guy";
admin.DateLastActivity = DateTime.Now;
admin.LastActivityRoute = "/Home/Index";
Role adminRole = context.Roles.Find("Administrator");
admin.Roles = new List<Role>();
admin.Roles.Add(adminRole);
}
}
context.SaveChanges();
}
}

The thing is - I don't set one up on the create user call so I'm wondering how I could bypass this option. I have also set requiresQuestionAndAnswer="false" in my web.config on the TableMembershipProvider tag.

I have this question open over at StackOverflow.com -

http://stackoverflow.com/questions/9326115/how-can-i-create-a-user-account-in-my-user-table-using-entity-framework-migratio

Any ideas on how to overcome this would be very handy as all my projects have one super user access setup for me so I can manage the projects for my clients.

Thanks for your help!

Regards,
Rich

Commented Issue: VerifyPasswordHash missing argument checks [32089]

AlesR — Wed, 18 Jan 2012 10:41:07 GMT

Method VerifyPasswordHash is missing argument checks for null for storedHash and storedSalt.

Proposed code is in attached file.

Also
if (storedSalt.Length != 128) throw new ArgumentException("Invalid length of password salt (128 bytes expected).", "passwordHash");
should be
if (storedSalt.Length != 128) throw new ArgumentException("Invalid length of password salt (128 bytes expected).", "storedSalt");
Comments: ** Comment from web user: AlesR **

Yes, this does not really affect toolkit behavior. There is no way for arguments to be wrong.
It's just that when you're testing arguments, I would think that you will test everything.
It also includes one typo, but this is very minor. Maybe not worth opening Visual Studio. For that reason I've also proposed the code so it's zero work for you.
I'm done, it's your call.

Closed Issue: VerifyPasswordHash missing argument checks [32089]

altair — Wed, 18 Jan 2012 10:02:35 GMT

There is no legitimate way incorrect value can be stored in the database in first place. The only way this can happen is that someone fiddles with database and in such case anything may happen - anything can be null, fields can be renamed or having wrong type... There is no way how to handle that, once someone starts corrupting real data.

Created Issue: VerifyPasswordHash missing argument checks [32089]

AlesR — Wed, 18 Jan 2012 08:41:07 GMT

Method VerifyPasswordHash is missing argument checks for null for storedHash and storedSalt.

Proposed code is in attached file.