Adding an Admin user to an ASP.NET MVC 4 application using a single drop-in file
- by Jon Galloway
I'm working on an ASP.NET MVC 4 tutorial and wanted to set it up so just dropping a file in App_Start would create a user named "Owner" and assign them to the "Administrator" role (more explanation at the end if you're interested). There are reasons why this wouldn't fit into most application scenarios: It's not efficient, as it checks for (and creates, if necessary) the user every time the app starts up The username, password, and role name are hardcoded in the app (although they could be pulled from config) Automatically creating an administrative account in code (without user interaction) could lead to obvious security issues if the user isn't informed However, with some modifications it might be more broadly useful - e.g. creating a test user with limited privileges, ensuring a required account isn't accidentally deleted, or - as in my case - setting up an account for demonstration or tutorial purposes. Challenge #1: Running on startup without requiring the user to install or configure anything I wanted to see if this could be done just by having the user drop a file into the App_Start folder and go. No copying code into Global.asax.cs, no installing addition NuGet packages, etc. That may not be the best approach - perhaps a NuGet package with a dependency on WebActivator would be better - but I wanted to see if this was possible and see if it offered the best experience. Fortunately ASP.NET 4 and later provide a PreApplicationStartMethod attribute which allows you to register a method which will run when the application starts up. You drop this attribute in your application and give it two parameters: a method name and the type that contains it. I created a static class named PreApplicationTasks with a static method named, then dropped this attribute in it: [assembly: PreApplicationStartMethod(typeof(PreApplicationTasks), "Initializer")]
That's it. One small gotcha: the namespace can be a problem with assembly attributes. I decided my class didn't need a namespace.
Challenge #2: Only one PreApplicationStartMethod per assembly
In .NET 4, the PreApplicationStartMethod is marked as AllMultiple=false, so you can only have one PreApplicationStartMethod per assembly. This was fixed in .NET 4.5, as noted by Jon Skeet, so you can have as many PreApplicationStartMethods as you want (allowing you to keep your users waiting for the application to start indefinitely!).
The WebActivator NuGet package solves the multiple instance problem if you're in .NET 4 - it registers as a PreApplicationStartMethod, then calls any methods you've indicated using [assembly: WebActivator.PreApplicationStartMethod(type, method)]. David Ebbo blogged about that here: Light up your NuGets with startup code and WebActivator.
In my scenario (bootstrapping a beginner level tutorial) I decided not to worry about this and stick with PreApplicationStartMethod.
Challenge #3: PreApplicationStartMethod kicks in before configuration has been read
This is by design, as Phil explains. It allows you to make changes that need to happen very early in the pipeline, well before Application_Start. That's fine in some cases, but it caused me problems when trying to add users, since the Membership Provider configuration hadn't yet been read - I got an exception stating that "Default Membership Provider could not be found."
The solution here is to run code that requires configuration in a PostApplicationStart method. But how to do that?
Challenge #4: Getting PostApplicationStartMethod without requiring WebActivator
The WebActivator NuGet package, among other things, provides a PostApplicationStartMethod attribute. That's generally how I'd recommend running code that needs to happen after Application_Start:
[assembly: WebActivator.PostApplicationStartMethod(typeof(TestLibrary.MyStartupCode), "CallMeAfterAppStart")]
This works well, but I wanted to see if this would be possible without WebActivator. Hmm.
Well, wait a minute - WebActivator works in .NET 4, so clearly it's registering and calling PostApplicationStartup tasks somehow. Off to the source code! Sure enough, there's even a handy comment in ActivationManager.cs which shows where PostApplicationStartup tasks are being registered:
public static void Run()
{
if (!_hasInited)
{
RunPreStartMethods();
// Register our module to handle any Post Start methods. But outside of ASP.NET, just run them now
if (HostingEnvironment.IsHosted)
{
Microsoft.Web.Infrastructure.DynamicModuleHelper.DynamicModuleUtility.RegisterModule(typeof(StartMethodCallingModule));
}
else
{
RunPostStartMethods();
}
_hasInited = true;
}
}
Excellent. Hey, that DynamicModuleUtility seems familiar... Sure enough, K. Scott Allen mentioned it on his blog last year. This is really slick - a PreApplicationStartMethod can register a new HttpModule in code. Modules are run right after application startup, so that's a perfect time to do any startup stuff that requires configuration to be read. As K. Scott says, it's this easy:
using System;
using System.Web;
using Microsoft.Web.Infrastructure.DynamicModuleHelper;
[assembly:PreApplicationStartMethod(typeof(MyAppStart), "Start")]
public class CoolModule : IHttpModule
{
// implementation not important
// imagine something cool here
}
public static class MyAppStart
{
public static void Start()
{
DynamicModuleUtility.RegisterModule(typeof(CoolModule));
}
}
Challenge #5: Cooperating with SimpleMembership
The ASP.NET MVC Internet template includes SimpleMembership. SimpleMembership is a big improvement over traditional ASP.NET Membership. For one thing, rather than forcing a database schema, it can work with your database schema. In the MVC 4 Internet template case, it uses Entity Framework Code First to define the user model. SimpleMembership bootstrap includes a call to InitializeDatabaseConnection, and I want to play nice with that.
There's a new [InitializeSimpleMembership] attribute on the AccountController, which calls \Filters\InitializeSimpleMembershipAttribute.cs::OnActionExecuting(). That comment in that method that says "Ensure ASP.NET Simple Membership is initialized only once per app start" which sounds like good advice. I figured the best thing would be to call that directly:
new Mvc4SampleApplication.Filters.InitializeSimpleMembershipAttribute().OnActionExecuting(null);
I'm not 100% happy with this - in fact, it's my least favorite part of this solution. There are two problems - first, directly calling a method on a filter, while legal, seems odd. Worse, though, the Filter lives in the application's namespace, which means that this code no longer works well as a generic drop-in.
The simplest workaround would be to duplicate the relevant SimpleMembership initialization code into my startup code, but I'd rather not. I'm interested in your suggestions here.
Challenge #6: Module Init methods are called more than once
When debugging, I noticed (and remembered) that the Init method may be called more than once per page request - it's run once per instance in the app pool, and an individual page request can cause multiple resource requests to the server. While SimpleMembership does have internal checks to prevent duplicate user or role entries, I'd rather not cause or handle those exceptions. So here's the standard single-use lock in the Module's init method:
void IHttpModule.Init(HttpApplication context)
{
lock (lockObject)
{
if (!initialized)
{
//Do stuff
}
initialized = true;
}
}
Putting it all together
With all of that out of the way, here's the code I came up with:
using Mvc4SampleApplication.Filters;
using System.Web;
using System.Web.Security;
using WebMatrix.WebData;
[assembly: PreApplicationStartMethod(typeof(PreApplicationTasks), "Initializer")]
public static class PreApplicationTasks
{
public static void Initializer()
{
Microsoft.Web.Infrastructure.DynamicModuleHelper.DynamicModuleUtility
.RegisterModule(typeof(UserInitializationModule));
}
}
public class UserInitializationModule : IHttpModule
{
private static bool initialized;
private static object lockObject = new object();
private const string _username = "Owner";
private const string _password = "p@ssword123";
private const string _role = "Administrator";
void IHttpModule.Init(HttpApplication context)
{
lock (lockObject)
{
if (!initialized)
{
new InitializeSimpleMembershipAttribute().OnActionExecuting(null);
if (!WebSecurity.UserExists(_username))
WebSecurity.CreateUserAndAccount(_username, _password);
if (!Roles.RoleExists(_role))
Roles.CreateRole(_role);
if (!Roles.IsUserInRole(_username, _role))
Roles.AddUserToRole(_username, _role);
}
initialized = true;
}
}
void IHttpModule.Dispose() { }
}
The Verdict: Is this a good thing?
Maybe.
I think you'll agree that the journey was undoubtedly worthwhile, as it took us through some of the finer points of hooking into application startup, integrating with membership, and understanding why the WebActivator NuGet package is so useful
Will I use this in the tutorial? I'm leaning towards no - I think a NuGet package with a dependency on WebActivator might work better:
It's a little more clear what's going on
Installing a NuGet package might be a little less error prone than copying a file
A novice user could uninstall the package when complete
It's a good introduction to NuGet, which is a good thing for beginners to see
This code either requires either duplicating a little code from that filter or modifying the file to use the namespace
Honestly I'm undecided at this point, but I'm glad that I can weigh the options.
If you're interested: Why are you doing this?
I'm updating the MVC Music Store tutorial to ASP.NET MVC 4, taking advantage of a lot of new ASP.NET MVC 4 features and trying to simplify areas that are giving people trouble. One change that addresses both needs us using the new OAuth support for membership as much as possible - it's a great new feature from an application perspective, and we get a fair amount of beginners struggling with setting up membership on a variety of database and development setups, which is a distraction from the focus of the tutorial - learning ASP.NET MVC.
Side note: Thanks to some great help from Rick Anderson, we had a draft of the tutorial that was looking pretty good earlier this summer, but there were enough changes in ASP.NET MVC 4 all the way up to RTM that there's still some work to be done. It's high priority and should be out very soon.
The one issue I ran into with OAuth is that we still need an Administrative user who can edit the store's inventory. I thought about a number of solutions for that - making the first user to register the admin, or the first user to use the username "Administrator" is assigned to the Administrator role - but they both ended up requiring extra code; also, I worried that people would use that code without understanding it or thinking about whether it was a good fit.
