asp.net mvc - How would authentication and authorization be implemented using RavenDb in an MVC app? -

-

while i'm used using standard asp.net membership provider new mvc web applications, i've been getting kick out of using ravendb lately still don't believe have grasp on best practice implementing user authentication , role authorisation.

the code have replaced register , logon methods in accountcontroller looks following:

[httppost] public actionresult register(registermodel model) {     if (modelstate.isvalid)     {     using (idocumentsession session = datadocumentstore.instance.opensession())     {         session.store(new authenticationuser         {             name = email,             id = string.format("raven/users/{0}", name),             alloweddatabases = new[] { "*" }         }.setpassword(password));         session.savechanges();         formsauthentication.setauthcookie(model.username, createpersistentcookie: false);         // ...etc. etc.       [httppost]     public jsonresult jsonlogon(logonmodel model, string returnurl)     {         if (modelstate.isvalid)         {             using (idocumentsession session = datadocumentstore.instance.opensession())             {                 book ok = session.load<authenticationuser>(string.format("raven/users/{0}", username)).validatepassword(password);                 formsauthentication.setauthcookie(model.username, model.rememberme);                 // etc...

i've seen ravendb membership provider code number of people have referenced in similar posts or questions, there seems number of people consider on top , leveraging inefficient api data store doesn't need of what's provided within it.

so best architectural / design strategy ravendb authentication (not oauth, forms authentication) , barking right tree?

i think there few parts problem. first, mvc project's perspective, want use work authorizationattribute. not require using membershipprovider per se, rather stuffing appropriate iprincipal httpcontext.current.user attributes @ authorize things.

from http perspective, taking advantage of existing forms authentication infrastructure makes ton of sense -- solves of sticky security issues should not solve , flexible in terms of working provide.

from there gist of question -- how want authentication system data perspective. think tactical call -- apps might make sense use membershipprovider style model. if had app user centric storing lots of user data consider rolling custom user store based around requirements. if using authentication bundle glom onto extent well. don't think there hard , fast rule @ point -- makes sense app.

one thing should not use authenticationuser above -- meant database system users. in sql server terms making every user in app sql user , authenticating against that. how old intranet products used work world has moved past now.


Comments

Post a Comment

Popular posts from this blog

c# - SVN Error : "svnadmin: E205000: Too many arguments" -

-
i trying reposotries using c# code process svncommand = null; var psi = new processstartinfo("svnadmin"); psi.redirectstandardoutput = true; psi.redirectstandarderror = true; psi.useshellexecute = false; psi.arguments= @"dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump"; using (svncommand = process.start(psi)) { var myoutput = svncommand.standardoutput; var myerror = svncommand.standarderror; debug.write("output :" + environment.newline + environment.newline + myoutput.readtoend() + environment.newline + "error :" + environment.newline + environment.newline + myerror.readtoend()); svncommand.close(); } when use dump command commandline svnadmin dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump it works fine when try ...
Read more

c++ - Using OpenSSL in a multi-threaded application -

-
i have been writing soap client application in c++ on ubuntu using openssl https transport , pthreads threading. have number of threads - 1 central data acquisition thread periodically gets worker threads make soap requests via shared mutex protected queues. reading documentation openssl found is openssl thread-safe? in openssl faq describes mechanisms required ensure thread safety when using openssl. implemented , works fine. the reason question conceptual difficulty really. thinking implementing same functionality application has already, instead of using threads, create 2 seperate applications : 1 worker thread (of multiple copies running) , main data acquisition thread. use tcp sockets communicate between 2 rather mutex protected queues. may bad idea not important - confusing me would have implement same functions required ensure openssl thread safety in second approach or not? my guess not have , treated independent (indeed surely must many applications use openssl) re...
Read more

All overlapping substrings matching a java regex -

-
is there api method returns (possibly overlapping) substrings match regular expression? for example, have text string: string t = 04/31 412-555-1235; , , have pattern: pattern p = new pattern("\\d\\d+"); matches strings of 2 or more characters. the matches are: 04, 31, 412, 555, 1235. how overlapping matches? i want code return: 04, 31, 41, 412, 12, 55, 555, 55, 12, 123, 1235, 23, 235, 35. theoretically should possible -- there obvious o(n^2) algorithm enumerates , checks substrings against pattern. edit rather enumerating substrings, safer use region(int start, int end) method in matcher . checking pattern against separate, extracted substring might change result of match (e.g. if there non-capturing group or word boundary check @ start/end of pattern). edit 2 actually, it's unclear whether region() expect zero-width matches. specification vague, , experiments yield disappointing results. for example: string line = "xx90xx"; strin...
Read more