Validating a user and authenticating a user with Oracle

I am trying to get my arms around the providers and how to best use the login controls in ASP.NET 2.0 with Oracle.

First, I have read through a number of documents discussing the provider model and the different providers (membership, role, etc.). Ref: ASP.NET 2.0 Provider Model: Introduction to the Provider Model, Oct. 2005

I am getting a mental disconnect between what I think I understand about the provider model and how to code the web application. To me it seems the provider model abstracts the code so I am not coupled to a specific database. This is great if you need to use multiple or different backend data stores. We just use Oracle and that isn't going to change anytime soon.

It seems I could write my own custom Oracle Membership provider, but there are pros and cons to this approach. It seems I have to use separate tables for roles and membership that would have the user's username, password, email, etc. This seems redundant though, since I have this information in the Oracle system tables and Oracle authenticates this data. If I create a separate table to support the Membership provider, it seems it would quickly be out of sync with the system tables whenever passwords are changed. How can I make use of Oracle's authentication in my own custom Membership/Role provider and during the course of running the application?

For example, I have Oracle behind the scenes that needs a username/password whenever I want to connect to the database. I would like to use select providers (Membership and Role) but don't want to create a separate table in Oracle that these providers would use for validation.

I log in to the web application and at some point I need to display the orders for my customers. I select the orders and the web app uses my System.Data.Oracle.Client provider to run the query and return the results. Did ASP.NET 2.0 refer to a cookie to get the correct Oracle username/password that should be used for the query to be executed?

Any advice and counsel is appreciated. Also, is there a free Oracle Membership and Role provider that I can use in my applications?

 


Bill Kirkman
Concentra Preferred Systems
bkirkman@-nospam-concentra.com
0
wkirkman84
12/19/2005 8:37:27 PM

I don't know if it'll help you at this time, but it looks like Oracle is intending on releasing a membership provider.  http://forums.oracle.com/forums/message.jspa?messageID=1066867
0
Xanderno
12/20/2005 5:02:37 AM

Thanks for the reply. Yes, it's helpful to know they are working on it. Unfortunately, we may have to re-invent the wheel since Oracle is dragging their feet (or so it seems like they are) with Oracle Developer Tools for Visual Studio 2005.

The overall question still remains for me:

1) Create a separate table in Oracle, and an Oracle custom Membership and Role provider
2) Use SQL Server Express for my Membership and Role provider data store
3) Use a basic Forms Authentication approach that is custom coded to let a user access the web application if they are validated logging in to Oracle.

Anyone using Oracle as a backend for their web applications have any comments on why they chose one of the approaches above over another, or even a different approach than the three stated above?

 


Bill Kirkman
Concentra Preferred Systems
bkirkman@-nospam-concentra.com
0
wkirkman84
12/20/2005 3:47:32 PM
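
Option 3 above (forms authentication that admits a user only if Oracle itself accepts the login), as an added C# example that is not code from any poster in this thread. It uses System.Data.OracleClient; the class name `OracleLoginValidator` and the `dataSource` TNS alias are assumptions, and a custom provider's `ValidateUser` override could call `Validate` the same way.

```csharp
using System;
using System.Data.OracleClient;   // Microsoft's Oracle client shipped with .NET 2.0
using System.Web.Security;

// Added illustration: validates a web login by attempting an Oracle logon
// with the supplied credentials, so no second password table is needed.
public static class OracleLoginValidator
{
    // ORA codes that mean "these credentials cannot log on", not "database trouble".
    private const int InvalidLogon = 1017;      // ORA-01017 invalid username/password
    private const int AccountLocked = 28000;    // ORA-28000 the account is locked
    private const int PasswordExpired = 28001;  // ORA-28001 the password has expired

    // dataSource is an assumed TNS alias read from configuration, never from the user.
    public static bool Validate(string dataSource, string userName, string password)
    {
        // Reject blanks before touching the database.
        if (String.IsNullOrEmpty(userName) || String.IsNullOrEmpty(password))
            return false;

        // The builder quotes values, so ';' or '=' typed into the login form
        // cannot add or override connection-string keywords.
        OracleConnectionStringBuilder csb = new OracleConnectionStringBuilder();
        csb.DataSource = dataSource;
        csb.UserID = userName;
        csb.Password = password;
        csb.IntegratedSecurity = false;
        csb.PersistSecurityInfo = false;
        csb.Pooling = false;   // do not keep a pooled session open per web user

        try
        {
            using (OracleConnection conn = new OracleConnection(csb.ConnectionString))
            {
                conn.Open();   // Oracle checks the password here
                return true;
            }
        }
        catch (OracleException ex)
        {
            if (ex.Code == InvalidLogon || ex.Code == AccountLocked || ex.Code == PasswordExpired)
                return false;
            throw;   // listener down, bad alias, etc.: an error, not a failed login
        }
    }

    // Called from the login page's handler after the user submits the form.
    public static bool SignIn(string dataSource, string userName, string password)
    {
        if (!Validate(dataSource, userName, password))
            return false;
        // The forms ticket carries only the user name; the Oracle password is not in the cookie.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }
}
```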

Actually I don't understand why you use the Oracle system account for your user authentication. Why don't you use one Oracle account to connect to the DB, create a user table, and validate users on that table? Or have I misunderstood your problem?

We are using Oracle for our web app, and we wrote a custom provider for Oracle. And you don't need to implement all methods.

The second method is generally useless. Why do you need another DB when you've got Oracle? Just create tables and a custom provider.

 

0
lostxp
12/21/2005 7:28:30 AM

> Actually I don't understand why you use the Oracle system account for your user authentication. Why don't you use one Oracle account to connect to the DB, create a user table, and validate users on that table? Or have I misunderstood your problem?

Well, I may understand this wrong, too.
To me it looks like if I want to use the Membership or Role objects I need a supporting data store. Microsoft only has their providers, which are SQL Server specific, for the Membership and Role providers. I may want to use Oracle instead since that is our back-end. We can either write our own custom Membership and Role provider, OR install SQL Express on our Web Server, then configure and use it for Membership and Role data.

The problem is redundant information in Oracle. We have users configured in Oracle today that we use in our applications. Oracle has the roles and privileges already defined for the database objects. All Oracle specific and nothing new to Oracle.
BUT, if I use an Oracle custom provider I'll have to create a table to support the Membership and Role data. The username/password in this new table could be the same as defined for their Oracle login or it could be different. So, we end up with one username/password combo that is Oracle specific in the Oracle system tables and another username/password combo in the new table that is used for our web application. Now a user may have to remember multiple username/passwords. I'd like to avoid this if possible.

> We are using Oracle for our web app, and we wrote a custom provider for Oracle. And you don't need to implement all methods.

If I understand it correctly then, this custom provider accesses a separate table in Oracle you created to hold the Membership and Role data necessary for these objects to authenticate/validate your users. This is separate from what the DBA defined for your users in Oracle, I assume. Your ASP.NET 2.0 app then uses this new table from your web app to validate users and authenticate through the custom provider/membership object/login controls. Correct?

And finally, I have a great article on the provider model where I can see that I don't need to support all the methods of the Membership provider. If we go this route (custom Oracle provider) I'll probably create a ReadOnly Membership Provider just to validate and authenticate and let the DBAs only do admin.

I am trolling to see if this is the way most shops handle validation/authentication in ASP.NET 2.0 or is there a "better" way to do this.


Bill Kirkman
Concentra Preferred Systems
bkirkman@-nospam-concentra.com
0
wkirkman84
12/21/2005 2:58:13 PM
Installing SQL Express on our Web Server is an option, but it's the same process as writing a custom provider, except for creating a new provider :) So it must be the last option.

"If I understand it correctly then, this custom provider accesses a separate table in Oracle you created to hold the Membership and Role data necessary for these objects to authenticate/validate your users. This is separate from what the DBA defined for your users in Oracle, I assume. Your ASP.NET 2.0 app then uses this new table from your web app to validate users and authenticate through the custom provider/membership object/login controls. Correct?"

Correct.

In your position you should create a user and role table, migrate the users and roles to the new tables, and then write a custom provider. If you go to http://msdn.microsoft.com/asp.net/downloads/providers/
you will see there is a Sample Access provider and a code template for user and role management. This is what we do in our project.
0
lostxp
12/22/2005 6:01:27 AM