Story Details for tools
SecurityGuard - NuGet package for ASP.NET Membership
SecurityGuard - NuGet Package for the ASP.NET Membership system
December 1, 2014 Update!
There are some minor fixes to Mvc4 and Mvc5. It's probably easier to do these manually. Information can be found here.New!!! SecurityGuard.Mvc5 information here.
SecurityGuard is a complete ASP.NET MVC 3 and MVC 4 application installable via NuGet. If you need a complete way to manage your ASP.NET Membership system for your MVC application, this is the NuGet package to use.
Don't forget to watch the screencast on how to quickly install it and use it.
If you don't know what NuGet is, it's a free online resource that contains components that can easily be installed into your applications for various needs. Go to NuGet.org for more information.
Update for MVC 5
March 24, 2014
If you are installing SecurityGuard.MVC4 in an MVC 5 application via Visual Studio 2013, you will initially get an error when navigating to SecurityGuard. It has to do with the newer version of the System.Web.WebPages.Razor assemblies used in MVC 5.
The error will be something along the lines of:
assembly's manifest definition does not match the assembly reference
Until I have time to create a new version, you can easily fix this by changing the version yourself.
Go into the /Areas/SecurityGuard/Views/web.config and in the config sections, change the Razor version from 18.104.22.168 to 22.214.171.124. That will fix the issue.
On a related note: for SecurityGuard to work, you must be using the database schema that works with the System.Web.Providers assemblies. MVC 5 initially works with the Microsoft Identity system and does not have any Membership config sections in the web.config, so you need to make sure you add those sections for SecurityGuard to work.
MvcInstaller can do that for you. Check my other article on how to use MvcInstaller.
SecurityGuard does NOT work with the Microsoft Identity providers! See this article for more information on the Future of SecurityGuard.
AN IMPORTANT NOTE: SecurityGuard is built on the .Net 4.0 framework so it's only available with ASP.NET MVC 3 or 4!
- .Net 4.0 Framework
- ASP.NET MVC 3 or 4 host application
- ASP.NET Membership is installed based on the System.Web.Providers namespace (not the SimpleMembershipProvider yet)
==== Update for Version 1.0.10 ====
- FIXED: The BeginForm was blank on the EnterSecretAnswer.aspx view, when it should have been pointing to SGAccount/ForgotPassword. Thanks to Paul Randall for catching this.
==== Update for Version 1.0.9 ====
- FIXED: ReturnUrl was null in Login Action. Special thanks to Behrooz for pointing this out.
==== Update for Version 1.0.8 ====
- FIXED: ForgotPassword feature when RequiresQuestionAndAnswer equals true. It no longer returns an error.
==== Update for Version 1.0.8 ====
- FIXED: updated the web.config.transform - changed the forms element/loginUrl to point to the new ~/SGAccount/Login, not LogOn. This is to match the change made in the SGAccountController.
==== Update for Version 1.0.6 ====
- FIXED: broken mailer in 1.0.5. Replaced mailer function to use MvcMailer for the ForgotPassword process.
==== Update for Version 1.0.5 ====
- Changed the name LogOn to Login to match the default method name.
- Added ValidateAntiForgeryToken attributes to ChangePassword, ForgotPassword, Login and LogOff action methods.
- Changed the AcceptVerbs on the LogOff action to accept both Get and Post methods.
- Added the Html.AntiForgeryToken() extension to the ChangePassword, ForgotPassword, Login and Register views.
- Updated the Compare attributes on the ChangePassword and Register ViewModels to be fully qualified to the System.Web.Mvc namespace.
==== Update for ASP.NET MVC 4 Beta - 5/25/2012 ====A new NuGet package is now available for MVC 4 Beta!
In your Package Manager Console, just enter:
PM> install-package SecurityGuard.MVC4
Here is all that was done to make this work.
So to be clear, you do not need to do anything but install the MVC 4 version in order to make it work.
Thanks to Leniel Macaferi for pointing this out. https://github.com/leniel
If you have any problems, create an issue in github. https://github.com/kahanu/Security-Guard
==== End Update ====
What SecurityGuard does not doSecurityGuard does NOT install the required ASP.NET Membership system. You need to have that installed prior to installing SecurityGuard. SecurityGuard is the UI components for you to manage your membership system. There are many ways you can install the ASP.NET Membership system, but the easiest way is with my other NuGet package called MvcInstaller. Check it out at NuGet.org, and take a look at my other article as part of this series on what the MvcInstaller NuGet package is and how it works.
After the ASP.NET Membership system is installed, simply install the NuGet package for SecurityGuard and it's 99.9% done. You will have to do a few things to tailor it to your application and for configuration, but they are mostly minor view modifications.
INSTALLATIONTo install and configure SecurityGuard correctly will depend on what version of Visual Studio you are using. At the moment it is intended to be used with VS 2010 and VS 2012. It has not been thoroughly tested with VS 2008.
I will cover both installation versions so it's as painless as possible to get up and running.
Install SecurityGuard in an ASP.NET MVC 4 Application in Visual Studio 2010This is the easiest of the two IDE's to install and configure SecurityGuard.
Step-by-step Installation and Configuration
- ConnectionString - set your connection string to point to your database
- Membership Sections - make sure your Membership sections are included in the web.config file and that they are using the System.Web.Providers namespace. (These first two steps are done automatically for you with MvcInstaller)
- Install SecurityGuard - in Visual Studio, open your Package Manager and enter: install-package securityguard.mvc4, and press Enter. This will install all the necessary files and configuration for the application.
- Remove Forms element - in the web.config, in the system.web/authentication element, there are now two "forms" elements. You need to delete the element that has
"~/Account/LogOn"for the loginUrl value. The leaves the one with "~/SGAccount/Login" as the loginUrl value.
- Remove SGAccount views - in the Views folder of the MVC application, open the SGAccount folder. You will see all the views needed in both WebForms (ASPX) and Razor (cshtml) files. You need to delete the version of the files that you are not using.
- Configure SMTP element - this is necessary in order to use the ForgotPassword feature which will email the newly created password to the user.
There is more details on these steps below.
You can use the Package Manager Console or the GUI. I'll demonstrate how to install using the console.
Step 3Now you will see the console where you enter the following:
PM> install-package SecurityGuard.Mvc4
After you hit Enter, you'll notice many files being copied into your application. These are all the files necessary to run the application. Controllers and other C# classes are also being added with your applications namespace so they are assured to work.
Also, a new Area is created called SecurityGuard. This contains all the controllers, models and views for the application. CSS and images have also been included in the Content folder.
The next change is in the web.config file. It places a duplicate forms
authentication node in the file and the default node needs to be
This is the authentication section after SecurityGuard has been installed.
Now you need to remove the forms node on line 2 so it leaves the one you want which points to the SGAccount controller.
In the SGAccount folder in the Views folder, you'll see a large set of views for the operations needed.
SecurityGuard can only work with a single set of views, so you need to delete the set of views that do not match the view type you are working with.
For example, I like to work with the Razor views, so I'm going to select all the WebForms views to delete them.
Now I simply click the Delete button and all those views go away.
Now my application will not throw any exceptions. If you fail to do this step you will see an exception since the view engine is looking for a particular type of MasterPage. (See the Troubleshooting section at the bottom of this article for more information.)
Next, the smtp section should be updated
with your SMTP server information. This is used for the Forgot
Password component. It will email the new password to the user.
One quick note about this section, if you set the enableSsl="true", then it's up to you to make sure you have a working port for your secure SMTP server. If you don't, the operation will timeout and fail.
Install SecurityGuard in an ASP.NET MVC 4 Application in Visual Studio 2012The first thing you need to be aware of is that SecurityGuard CANNOT be used with ASP.NET MVC 4.5 applications that are already configured to use the SimpleMembershipProvider. This is because SecurityGuard has not been built around the SimpleMembershipProvider yet, and it has a completely different schema and framework.
SecurityGuard CAN be used with applications created in VS 2012 from scratch or applications that have not yet incorporated any Membership system.
SecurityGuard uses the System.Web.Providers namespace for the membership system. I think this new provider rocks! If you don't care if you aren't going to use the SimpleMembershipProvider, then you can safely install and use SecurityGuard in VS2012 and .Net 4.5.
The steps to install SecurityGuard are pretty much the same as for the VS2010 installation, but there are a couple things you need to do since there are differences.
No Providers in Web.config
If you are creating a brand new MVC 4 application in VS2012, you'll notice something after the application is finished being created in Visual Studio. The web.config file has no membership providers sections. This is because it's using the new SimpleMembershipProvider and those providers are included in the machine.config file.So in order to use SecurityGuard in this application, which uses the System.Web.Providers namespace, that assembly needs to be included in the application references AND all the membership sections need to be added to the web.config.
To do this there are a couple ways of doing this, and both are pretty easy:
- Use MvcInstaller
The reason to use the Manual method to include the assembly and configuration sections is mostly because you already have a database created with a full working schema, so all you need are these sections and the updated connectionStrings configuration in order to connect your application to your database.
The easy way to do this is via NuGet. In Package Manager, enter:
PM> install-package system.web.providers
... and hit Enter. It will install the assembly reference as well as place all the membership sections in the web.config file. All you need to do is update the connectionStrings key to point to your database and then update the membership sections for the connectionStringName. If you create an application name, then you'll need to update that value in those sections also.
The reason to use the MvcInstaller method is if you are creating the application from scratch but you have a database schema in SQL Server. MvcInstaller will read the schema and update your web.config for you. It will also add the necessary reference to the System.Web.Providers assembly. For more information on MvcInstaller I urge you to read the companion article and watch the video.
NOTE: the appSettings key, SecurityGuardEmailFrom is deprecated. It's not really something you have to worry about. It was used to set the From value in the outgoing email when the ForgotPassword command is executed. Now the value comes from the smtp element in the web.config.The rest of the information below are common configuration changes that you can make to your application, but they aren't required. It's entirely up to you how you make this changes.
LoginPartial UpdatesNow you'll need to make a few little changes. The first you'll make is to the _LoginPartial.cshtml view. You will change the controller names to point to the new SecurityGuard Account controller.
NOTE: this has been updated for the new version of SecurityGuard v.1.0.5 to include the @Html.AntiForgeryToken() extension method, which will match the VS 2012 procedures.
You can see on lines 3, 4, 11, and 12 that I've changed the default "Account" controller name to "SGAccount". Now I want to make a change to my global menu navigation for the application. This is different for every application, so there's no way for me to build something into the NuGet package to do this for you.
You can see I've added a "Change Password" link and a link to the "Security Guard" area. But you'll also notice that I've wrapped them in conditional statements. For the Change Password link, the user needs to be logged on to see this. For the Security Guard link the user needs to be logged on and in the "SecurityGuard" role.
Now that that's done, you are ready to use the application.
Ready To GoNow you can run your application and you should see your site come up as usual. For the rest of this we will assume that I've already installed and configured the ASP.NET Membership system on this server, or local development machine and I've created a user and assigned it to the SecurityGuard role.
To log in as the SecurityGuard role, you just need to log on with those credentials that are assigned to that role. The application will check the credentials in order to give you access to the SecurityGuard Area. A user who logs in that has either no association with a Role or has a less privileged Role, will not gain access to the SecurityGuard Area.
When I log into the site, I should see something like this.
When I click on the "Security Guard" link, I'll be taken to the SecurityGuard MVC Area and I'll see this.
It's a simple, clean web-interface that allows you to easily manage the membership system. Let's go through the application.
RolesWhen I click on the "Manage Roles" link, I'll see this page.
This allows you to enter and delete roles on the left side, and see the users in a particular role on the right side.
Selecting a role to see what users are in that role, looks like this.
You can click on the user name and be taken to the details for that user.
Validation is built in. You can see it working if you try to Add a role without a name entered.
When you enter a role, you will see a success message and it will be added to the Roles list and the Users In Roles list via jQuery Ajax.
Deleting roles is just as easy, but the ASP.NET Membership system has a "check" for users granted to the deleted role. By default, if you try to delete a role that contains users, then it will complain and not let you do it. But it you really want to do it, you can tell the system to go ahead and delete the role and any associated users by checking the box "Delete role if it has users?". This tells the system to go ahead and delete everything.
Manage UsersManaging users is also just as simple. To get back to the Dashboard home page, I just need to click the "Dashboard" link in the top breadcrumb. Then I click on the "Manage Users" link and I'll see this page.
There's a lot happening on this page. First, the drop down list has three selections, "View All", "UserName", and "Email". These are the different filtering methods you can use to manage users.
- View All - this setting doesn't allow you to enter a value in the search box since you are viewing all users.
- UserName - this filter setting allows you to enter a value into the "Starts with:" field. Enter any set of characters that the username would start with.
- Email - this filter setting allows you to enter a value into the "Starts with:" field. Enter any set of characters that the email would start with.
The radio button is a quick way to jump to the "Grant Roles to User" view. Simply select a radio button for a user and the "Grant Roles To User" link above becomes enabled and if you click on it, you will be taken to that view for the selected user. It looks like this.
This shows the roles that are already granted to the user and what roles are still available to be granted. To Grant or Revoke a role, simply select the role in the list box and click the appropriate button. The command is executed instantly via Ajax.
User DetailsViewing user details is one of the views you will most likely visit often. It's a clean interface and allows you to do manage certain details in a friendly Ajaxified manner.
The Update button in the lower right only updates the values from the email and comment fields. You can easily Approve or Deny a user by clicking the link next to that value. It will execute the command via Ajax. The same goes for the Locked out value. If the user is locked out, a link will appear that allows you to quickly unlock them.
Also, at the bottom of the page, you can click the "Edit" link next to "Roles for [user name]", and you'll go back to the "Grant Roles to User" view.
Create UserIt's just as easy to create a new user. From the main Dashboard view, click the "Create User" link.
There are a few nice things built into this view. Much of this view displays attributes from the web.config/membership section. It shows the number of characters that the username should be, and it will also display how many characters non-Alphanumeric characters should be if they are not zero.
It will also dynamically display the Secret Question and Answer fields if the web.config has that set to True.
This view also has Ajax-validation built in. If you try to submit it without any values in the fields, it will display messages nicely.
Once the user is created, you can instantly view it's details.
ConclusionThat's SecurityGuard. A very nice User Interface for managing your ASP.NET Membership database. It's easy to install and just as easy to configure.
Do forget to view my other article in this series on the MvcInstaller NuGet package. This package installs the ASP.NET Membership system for you based on your specifications.
- November 11, 2011 - Version 126.96.36.1995 - made modifications to several files so SecurityGuard will work with or without T4MVC. T4MVC threw some namespace collision exceptions on the RegisterViewModel being using inside the Areas.SecurityGuard.Models folder and when calling SGAccountController and the register view.
- The required anti-forgery form field "__RequestVerificationToken" is not present. - in version 1.0.5 I've updated the SGAccountController to verify the AntiForgeryTokens for Login, Logoff, ChangePassword and some others, so you'll need to include the @HTML.AntiForgeryToken() extension method in your HTML inside a form for LogOff and others. See the LoginPartial Updates chapter above for information.
- The file "/Views/Shared/Site.Master" does not exist. - if you see this error it simply means that you are most likely using the Razor views and you forgot to delete the WebForms (ASPX) views in the SGAccount folder in the Views folder. Just delete those files and the application will work.
- The element <forms> may only appear once in this section. - the problem is clearly shown in the exception. It means that you forgot to remove the old forms element that points to "~/Account/Login". Just delete that element and the application will work.
- To call this method, the "Membership.Provider" property must be an instance of "ExtendedMembershipProvider". - If you get this error it's most likely because you clicked on the Manage link in a VS 2012 MVC application. This link points to the original AccountController and not the SGAccountController. This Manage command is specific to the default MVC template that comes with VS2012 and has nothing to do with SecurityGuard. In other words, ignore it. The primary command that it contains that you would want is the ChangePassword command. SecurityGuard has that command already, so simply remove all references to any default commands and just use the SecurityGuard commands.
- The "Manage" view or controller action doesn't exist in SGAccountController - this is by design. As I mention in the previous bullet point, this "Manage" command is built into the default MVC template in Visual Studio 2012. It has nothing to do with SecurityGuard. The Manage view contains some commands that work with the External login options this template gives you, such as Facebook, Google, etc. It provides a way of setting your local account to the external account, changing your password, etc. I have not yet implemented any means of synching up to external logins, so there is no need for the Manage command in existing version as of 1.0.9. So for now, just ignore this and use the commands in SecurityGuard.