
[Problem]

I have a pre-built database with user credentials. The only thing I can change about this database is how the passwords are hashed. (Don't ask about that...let's just say it's dumb and I'm fixing it, please.) It's populated with credentials, so whatever I use has to mold to it. We are switching to the ASP.net MVC4 framework, and starting from scratch.

[Question]

What membership system should I use for the problem, if any?

It should:

a) allow me to check against the database using SHA512 for the password
b) set roles depending on the results
c) decorate the actions in the controller so I can feel like a boss

[Details]

Assume I've had a website for people who love to roleplay as toothbrushes. There's -a lot- (for a small- to mid-range website) of data already in the existing database. I'm moving to a brand new database layout and will be converting from the old one. We could change how the user system is managed, but to be honest we'd rather not do so. We have a user table with username and password. Very simple.

I have googled, and googled, and Stack Overflow'd, and Stack Overflow'd. What I have found is essentially a choose-your-own-adventure book where they either have blank page numbers, or they give me a page to an older book whose adventure isn't quite like this one.

I'm hoping that either a) someone will call me a dumb butt and point out I'm asking a duplicate question that leads to a resource with some complete example and/or documentation on how to do what I want or b) help me find a way.

As of right now I'm contemplating writing my own user management/authentication filtering system. I was going to go with the MembershipProvider but that seemed like overkill and didn't appear to do what I wanted it to. Maybe I'm narrowing my vision down too much.

I'm more than willing to hack my own way through and work to solve a problem, but I don't want to roll my own thing if there is something available that I can hook in to.

Update 1

Win made a comment about the MembershipProvider being independent of the MVC system which gave me an "Aha!" moment as things come together. I'm re-evaluating my research to see if I simply didn't put the puzzle pieces together correctly.

Update 2

After much help from dkroy and Win, I got a bit deeper into what is going on here. Once I have everything done I will include it in an edit for anyone else looking for information. Essentially, I was on the right track before I was thinking about scrapping it. I hadn't implemented a GetUser call, and I wasn't calling SetAuthCookie, so it wasn't working correctly. I'm now in the process of writing a RoleProvider.

Codeacula

2 Answers


You can create your own custom RoleProvider and MembershipProvider. That way you will be able to use your existing database structures, and still leverage the MembershipProvider and RoleProvider contracts that ASP.NET implements to provide membership services. Minimal searching on custom MembershipProviders should get you started.

dkroy
  • I've done some searching on that, and it seemed overkill. When I looked, the only function I found to be remotely useful was ValidateUser. All of the CRUD functions are handled elsewhere, and we don't have user locking just yet. Is it typical to have to do that? – Codeacula Apr 12 '13 at 16:46
  • If you don't use a particular function you don't really need to implement it. If you don't get the answer you want by the end of the day I will write up a minimal implementation. – dkroy Apr 12 '13 at 17:26
  • Thanks! Don't worry about the implementation: I want to figure this out, and would rather not have code thrown at me. I think I'm putting 2 + 2 together now thanks to you and Win. – Codeacula Apr 12 '13 at 17:58

a) allow me to check against the database using SHA512 for the password

Membership provider supports SHA512.

b) set roles depending on the results c) decorate the actions in the controller so I can feel like a boss

If you want to restrict users by role, you want to implement both a Custom Membership Provider and a Custom Role Provider.

However, you do not need to override all. Here are the main ones -

// Membership provider 
public override bool ValidateUser(string username, string password)

public override MembershipUser GetUser(string username, bool userIsOnline)

public override string GetUserNameByEmail(string email)

// Role provider
public override bool IsUserInRole(string username, string roleName)

public override string[] GetRolesForUser(string username)
Win
  • Thanks for the link, that is one I haven't found. Unfortunately, when I try to build, I'm told I need to implement every single method and property. Is this a failure with my build process? – Codeacula Apr 12 '13 at 17:16
  • Yes, you are required to override all methods. However, you can just leave them blank (it is normal) except those I listed. Of course, you do not want to call `GetAllUsers` intentionally if you know that you did not implement that method. – Win Apr 12 '13 at 17:24
  • You do have to provide a method that matches the signature of each method, however you don't have to code an actual implementation for them all. Simply set each of their contents to the following: `throw new NotImplementedException();` – Nick Albrecht Apr 12 '13 at 17:27
  • VS let me auto-implement it. Given that I'm working on MVC4 and the article references MVC2, are there any issues I should be made aware of? I'll admit half of my ignorance is outright ignoring most pre-MVC4 articles, since the Internet confuses me with "X doesn't work pre-MVC4". – Codeacula Apr 12 '13 at 17:30
  • Custom Membership has nothing to do with MVC. It's a beauty of the Provider Model. Good luck! – Win Apr 12 '13 at 17:37
  • I'm back to the question "Why should I use a Membership Provider?" All that I can see it do for me is return a True/False for if they're a member. Unless there's some background stuff going on with FormsAuthentication, I don't see a purpose. I'm still researching around, but that's where I'm at. – Codeacula Apr 12 '13 at 18:10
  • The main reason is that you want to restrict users by role. In order to do that, you need a Principal object. It is a lot easier if you use Membership and Role Providers. http://msdn.microsoft.com/en-us/library/shz8h065.aspx – Win Apr 12 '13 at 18:18
  • Thanks, I was actually just looking at that, in a way, here: http://stackoverflow.com/a/2342196/421190 – Codeacula Apr 12 '13 at 18:20
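
The credential check that a `ValidateUser` override (the first method in Win's list) could delegate to, as an added example that is not part of the original question or answers. The class name `LegacyCredentialChecker`, the `Row` type, the in-memory table and the salted `SHA512(salt + password)` layout are assumptions; the page does not say how the existing column is encoded.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the page. Assumed stored format (not stated on
// the page): a per-user salt plus SHA512(salt + UTF8(password)).
public sealed class LegacyCredentialChecker
{
    private sealed class Row { public byte[] Salt; public byte[] Hash; }
    private static readonly Row Dummy = new Row { Salt = new byte[16], Hash = new byte[64] };
    // Constructed in-memory stand-in for the existing user table.
    private readonly Dictionary<string, Row> _users = new Dictionary<string, Row>();

    private static byte[] Compute(byte[] salt, string password)
    {
        var input = new List<byte>(salt);
        input.AddRange(Encoding.UTF8.GetBytes(password));
        using (SHA512 sha = SHA512.Create()) return sha.ComputeHash(input.ToArray());
    }

    // Same signature as MembershipProvider.ValidateUser, so the override can delegate here.
    public bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || password == null) return false;
        Row row;
        bool known = _users.TryGetValue(username, out row);
        if (!known) row = Dummy; // hash anyway so unknown names cost the same work
        return FixedTimeEquals(Compute(row.Salt, password), row.Hash) & known;
    }

    // Examines every byte instead of stopping at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var c = new LegacyCredentialChecker();
        byte[] salt = { 1, 2, 3, 4 }; // constructed sample row
        c._users["bristles"] = new Row { Salt = salt, Hash = Compute(salt, "constructed-pass") };
        Console.WriteLine("{0} {1} {2}", c.ValidateUser("bristles", "constructed-pass"),
            c.ValidateUser("bristles", "wrong"), c.ValidateUser("nobody", "x"));
    }
}
```

In the login action, `FormsAuthentication.SetAuthCookie` is called only after `ValidateUser` returns true. A single SHA-512 pass is cheap to brute-force offline, so where the stored format can change, a key-derivation function such as PBKDF2 (`Rfc2898DeriveBytes`) is the stronger choice.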