How can I use domain groups as well-protected roles in ASP.NET MVC 4?

Question

How can I use domain groups as well-protected roles in ASP.NET MVC 4?

In my ASP.NET MVC 4 application, I use the intranet pattern to implement Windows authentication. I also use Fluent Security.

Out of the box, I can use the annotations below to restrict access to controller methods for specific domain groups or domain users.

[Authorize(Roles=@"Domain\GroupName")] public ActionResult Index() { ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application."; return View(); } [Authorize(Users=@"Domain\UserName")] public ActionResult About() { ViewBag.Message = "Your app description page."; return View(); }

How to limit these two methods to the same domain group and domain user using Fluent Security? I'm more interested in a group than a user, if it's easier. Do I need to create my own policy? If so, I'm not quite sure how to check if the authenticated user in the domain group is verified to return the correct role to use Fluent Security?

I’ve already completed FluentSecurity training, so I know the basics of implementing FluentSecurity, I'm just not sure how to use domain groups as roles.

Thanks!

+8

asp.net-mvc fluent-security

Michael carrabine Nov 15 '12 at 19:07

source share

1 answer

Michael carrabine · Answer 1 · 2012-11-16T13:50:26+0000

Perhaps I found a way to use domain groups for roles. I adjusted the extended example on the Free Security page.

In Global.asax.cs:

 SecurityConfigurator.Configure(configuration => { // Let Fluent Security know how to get the authentication status of the current user configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated); // Let Fluent Security know how to get the roles for the current user configuration.GetRolesFrom(System.Web.Security.Roles.GetRolesForUser); // This is where you set up the policies you want Fluent Security to enforce configuration.For<HomeController>().Ignore(); configuration.For<AccountController>().DenyAuthenticatedAccess(); configuration.For<AccountController>(x => x.ChangePassword()).DenyAnonymousAccess(); configuration.For<AccountController>(x => x.LogOff()).DenyAnonymousAccess(); configuration.For<BlogController>(x => x.Index()).Ignore(); configuration.For<BlogController>(x => x.AddPost()).RequireRole(@"Domain\Writers"); configuration.For<BlogController>(x => x.AddComment()).DenyAnonymousAccess(); configuration.For<BlogController>(x => x.DeleteComments()).RequireRole(@"Domain\Writers"); configuration.For<BlogController>(x => x.PublishPosts()).RequireRole(@"Domain\Owners"); // To authorize the Home Controller Index Action as in my original question configuration.For<HomeController>(c => c.Index()).RequireRole(@"Domain\GroupName"); }); GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);

In Web.config:

 <authentication mode="Windows" /> <authorization> <deny users="?" /> </authorization> <roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false"> <providers> <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" /> </providers> </roleManager>

I did not find a way to authorize a single user, but we all know that in any case it is best to use groups.

Are there any better ways to do this?

How can I use domain groups as well-protected roles in ASP.NET MVC 4?

More articles: