Brian Mains

Reputation: 50728

Open Source Security Frameworks for .NET

Are there any security frameworks that are open source for ASP.NET web forms or MVC? I'm looking for something to authenticate users, and authorization capabilities if possible. Just to note, I am NOT interested in the Membership API, but am looking for a framework that has similar capabilities.

Thanks.

Upvotes: 2

Views: 2148

Answers (2)

Earlz

Reputation: 63895

I just thought I'd post my open source authentication framework. You didn't say too much about your use case, so I'm not sure how good a fit it'd be, but I'm sure it's a good starting point since it's BSD licensed.

Anyway, my authentication framework is called FSCAuth. It's located at Bitbucket and BSD licensed.

Basically, its goal is to stay out of your way and be significantly simpler to implement than ASP.NET's Membership API.

Some things it has going for it:

  1. A "stateless" authentication system. This means no database tables required to keep track of logged in users, and therefore trivial to scale to multiple servers.
  2. Simple, yet fine-grained authorization. Everything is specified in code, and without any magic attributes.
  3. Extremely secure out of the box. Out of the box it uses SHA256 hashing with salt. It's also trivial to configure for BCrypt support.
  4. No messing with hashes or cookies. I try to make it as difficult as possible for you to make your application insecure; this includes handling all of the hashes and cookies.
  5. HTTP Basic Auth out of the box, and works the same way as cookie authentication.
  6. Trivial to put into an existing database. It works by using an interface called a UserStore. Examples: MongoDB UserStore, SQL Server UserStore
  7. Supports .NET 2.0+ and runs on Mono and in Medium-trust.

It also has some limitations to it.

  1. Windows/domain authentication will never be implemented.
  2. It only has the notion of users and groups. There isn't anything built in for user-group-role or anything like that.
  3. It has some problems with IIS 6 (can't protect static pages and requires a hellish amount of configuration).
  4. Its configuration doesn't use the Web.Config (which I like, but some people don't).

Upvotes: 1

Matteo Mosca

Reputation: 7448

The only thing that comes to my mind is DotNetOpenAuth, but I don't know if it can suit your needs.

Upvotes: 0
