User Authorization Based on Asp.Net MVC Action

Question

User Authorization Based on Asp.Net MVC Action

I have a web application written in asp.net mvc with seamless nhibernate.

Data Hierarchy: Message → Category → Company
User Roles: user, admin

I am trying to find an architecture for developing custom authorization. A user can be a member of several companies. Also, the user may be the administrator of the company, while he may simply be a member of another company.

We also want to develop custom authorization based on the controller, action, or action identifier. For example, a user can be an administrator of only one category. Namely, in our future system there will be users, user groups in which users and groups belong to the company. While user authorization will be applied to them based on url (contoller / action / id).

any recommendation, useful links, etc.

+4

authorization asp.net asp.net-mvc-2

gandil Jun 03 '11 at 19:11

source share

1 answer

Adam Tuliper - MSFT · Accepted Answer · 2011-06-03T19:57:11+0000

This is a bit complicated - you can review user authorization and consider filling out roles in say Application_AuthenticateRequest, and then use the [Authorize] attribute to perform actual checks if the user belongs to these roles. This method, you apply it directly to the action method and avoid custom mess, but you achieve basically the same result.

we have a similar discussion that is not yet resolved: Questions about configuring user security for MVC3 using the redefined AuthorizeAttribute, thread safety, ChildActions, and caching

User Authorization Based on Asp.Net MVC Action

More articles: