
Tuesday, March 28, 2023

A simple role-based access control system for .NET

I often need a simple way to add authentication and authorization to a .NET project, so that I can get on with developing the rest of the system. I need something simple, e.g., hard-coding some user information in the configuration file. ASP.NET Identity is overkill most of the time, so I decided to create my own solution. You can find the source code of my solution in this GitHub repository.

The most important part is in the appsettings.Development.json file where users, their passwords, and their roles are defined. For example:


  "AuthorizedUsers": {
    "administrator": {
      "Password": "admin!",
      "Roles": [ "Administrator" ]
    },
    "user1": {
      "Password": "user1!",
      "Roles": [ "User" ]
    }
  }

Then, in the Program.cs file the following code must be added:


builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";

    });

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});
...
app.UseAuthentication();
app.UseAuthorization();

User authentication is handled by the Account controller. By default, all pages are accessible only to authenticated users, because of the fallback policy configured above. To restrict a page to a particular role, add an [Authorize] attribute to the corresponding controller method, e.g.:


[Authorize(Roles = "Administrator")]
public IActionResult Admin()
{
   return View();
}

I hope you find this code useful.
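The post says that authentication is handled by the Account controller but does not show it. The following is an added sketch of such a controller, not code from the post or its repository: it checks the submitted credentials against the AuthorizedUsers section and issues the cookie with one role claim per configured role. The UserEntry type, the form field names, the Home/Index redirect target and a .NET 6+ web project with implicit usings are assumptions.

```csharp
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical shape of one entry under "AuthorizedUsers" (not the repository's own type).
public class UserEntry
{
    public string Password { get; set; } = "";
    public string[] Roles { get; set; } = Array.Empty<string>();
}

[AllowAnonymous] // without this the fallback policy would also block the login page
public class AccountController : Controller
{
    private readonly Dictionary<string, UserEntry> _users;

    // Binding to a dictionary makes the lookup an exact key match, so a
    // user name containing ':' cannot address other configuration paths.
    public AccountController(IConfiguration config) =>
        _users = config.GetSection("AuthorizedUsers").Get<Dictionary<string, UserEntry>>() ?? new();

    [HttpGet]
    public IActionResult Login() => View();

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password, string? returnUrl = null)
    {
        // Fixed-time comparison; an empty configured password never matches.
        bool ok = _users.TryGetValue(username ?? "", out var user) && user.Password.Length > 0
            && CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(password ?? ""), Encoding.UTF8.GetBytes(user.Password));
        if (!ok) { ModelState.AddModelError("", "Invalid user name or password."); return View(); }

        // [Authorize(Roles = "...")] matches against ClaimTypes.Role claims.
        var claims = new List<Claim> { new(ClaimTypes.Name, username) };
        claims.AddRange(user!.Roles.Select(r => new Claim(ClaimTypes.Role, r)));
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity));

        // Follow only local return URLs so the login cannot be used as an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```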

Wednesday, April 6, 2022

Make fun things with your home IoT devices, securely over the internet.

I am planning to start a series of posts discussing how to put your IoT devices on the internet and do fun stuff with them. I will publish them as GitHub Wiki pages, and I will also provide code and scripts where possible. This page will act as a placeholder.

Interact using Alexa with your IoT devices

In this first post I use the excellent, free Cloudflare Tunnel to make my Raspberry Pi accessible over the internet using a custom domain and HTTPS, with only a few clicks and at no cost (apart from the cost of the domain name).

Then I provide an Amazon Alexa Skill that can be used for interacting with your Raspberry Pi using your Alexa device! In this simple example, I am implementing a simple REST API which is invoked using voice commands.

Have fun!


Friday, June 1, 2012

Running an IIS7 site from a network drive

Running a web site located in a network share in IIS7 can be really tricky, as it usually ends up with IIS7 complaining about permission problems. This usually happens because IIS processes run as a different user, who is not allowed to access network shares. This blog post shows how a web site can be run in the context of a user who is allowed to access a network share.

But before we start, an important note: running a web site in the context of a privileged user may entail security risks.

In this blog post the following setup is considered: a network drive with IP 192.168.2.6 and a password-protected share called fotiou. The share has been mapped, by user User_NAME, to a network drive (Z:), Windows has been configured to connect to that drive on start-up, and our web site is located in Z:\wordpress.

From the IIS7 manager console, add a new web site. In our case the site is named wordpress. In the Physical path textbox insert the full URI of the web site (its network path) and not the mapped drive (in our case this would be \\192.168.2.6\fotiou\wordpress), and press OK.

Now navigate to Application Pools, located above the Sites option.

From the Application Pools list select the application pool of the newly created site (named wordpress in our example).

Right click and select Advanced Settings. Then, in the Process Model tab, edit the Identity option by selecting the Custom account option and setting it to the current user.

Now navigate back to the Sites tree, select your web site and double click the Authentication option.

Double click on the Anonymous Authentication option and select Application pool identity.


Now your web site can be run without permission problems.
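The two identity settings from the steps above can also be applied in code, which makes the resulting configuration easy to review and repeat. This is an added example, not part of the original post: it uses the Microsoft.Web.Administration API that ships with IIS, must run elevated, and assumes the wordpress site and its application pool already exist.

```csharp
using System;
using Microsoft.Web.Administration; // Microsoft.Web.Administration.dll, installed with IIS

class UseAppPoolIdentityForShare
{
    static void Main()
    {
        const string siteName = "wordpress"; // site and pool name used in the post

        // Prompt for the credentials instead of hard-coding them in the source.
        Console.Write("Account allowed to read the share: ");
        string account = Console.ReadLine();
        Console.Write("Password: ");
        string password = Console.ReadLine(); // note: echoed to the console

        using (var manager = new ServerManager())
        {
            // Advanced Settings > Process Model > Identity > Custom account
            ApplicationPool pool = manager.ApplicationPools[siteName];
            if (pool == null)
                throw new InvalidOperationException("No such application pool: " + siteName);
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
            pool.ProcessModel.UserName = account;
            pool.ProcessModel.Password = password;

            // Authentication > Anonymous Authentication > Application pool identity:
            // an empty userName makes anonymous requests run as the pool identity.
            Configuration config = manager.GetApplicationHostConfiguration();
            ConfigurationSection anonymous = config.GetSection(
                "system.webServer/security/authentication/anonymousAuthentication", siteName);
            anonymous["userName"] = "";

            manager.CommitChanges(); // persists both changes to applicationHost.config
        }
    }
}
```

Every request to the site then runs with that account's rights, so the account should have access to the share and nothing else it does not need.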

Wednesday, January 4, 2012

Adding an applet to an XHTML page

The traditional way to add a Java applet to a web page used to be the <applet> tag, but this method has been deprecated. Instead, the <object> tag is now used.

The XHTML code to add an applet is quite tricky now. Here is an example of it:

<!--[if !IE]>-->
<object classid="java:vr.class"
   type="application/x-java-applet"
   archive="YOUR_JAR.jar" height="HEIGHT" width="WIDTH">
<!--<![endif]-->
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
   height="HEIGHT" width="WIDTH">
   <param name="code" value="YOUR_CLASS" />
   <param name="archive" value="YOUR_JAR.jar" />
</object>
<!--[if !IE]>-->
</object>
<!--<![endif]-->

More examples and a full explanation of what clsid is can be found here.