User authentication and authorization based on user rights

I am currently developing an ASP.NET MVC 5 application with an MS SQL Server database. I need to implement authentication and authorization based on ASP.NET Identity 2.0. I have just looked at the basic concepts of Identity and am trying to implement them in my application. Since the database is already defined, I need to configure Identity a bit. When I looked at the database, the tables are slightly different from the ones I usually find in Identity projects.


It can be seen from the image that there is a user group table and a specific set of rights assigned to each group per module. The same rights are available to the user by default. If you want to change any right, you can override it by setting the permission in the user rights table.

So my first question is: is ASP.NET Identity with claims-based authentication and authorization the right way to implement such a scenario?

From the UI point of view, I need to create a menu based on the rights of the user / user group, and I also want to enable / disable buttons based on them. I was able to create the menu based on database values. But I need to authorize every client request, and for this I believe that AuthorizeAttribute is the best option. Please suggest. Any good design patterns or posts are appreciated.

+10
authentication c# asp.net-mvc asp.net-identity
May 1 '15 at 2:33
1 answer

Of course, Identity is so powerful and flexible that you can customize it. Use your user rights as claims, and then write a custom AuthorizeAttribute to check the claim. For example, consider this code:

    // required namespaces for this action
    using System.Security.Claims;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin.Security;

    [HttpPost]
    public ActionResult Login(string username, string password)
    {
        if (_userManager.IsValid(username, password)) // your own user manager
        {
            var ident = new ClaimsIdentity(
                new[]
                {
                    // adding the following 2 claims just for supporting the default antiforgery provider
                    new Claim(ClaimTypes.NameIdentifier, username),
                    new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider",
                              "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string"),
                    new Claim(ClaimTypes.Name, username),
                    // populate the assigned user right IDs from the DB and add each one as a claim
                    new Claim("UserRight", "FirstAssignedUserRightID"),
                    new Claim("UserRight", "SecondAssignedUserRightID"),
                },
                DefaultAuthenticationTypes.ApplicationCookie);

            HttpContext.GetOwinContext().Authentication.SignIn(
                new AuthenticationProperties { IsPersistent = false }, ident);

            return RedirectToAction("MyAction"); // auth succeeded
        }

        // invalid username or password
        ModelState.AddModelError("", "invalid username or password");
        return View();
    }

And write an authorization attribute based on the claim:

    public class ClaimsAccessAttribute : AuthorizeAttribute
    {
        // in the real world you could get the claim value from the DB,
        // I simplified the example
        public string ClaimType { get; set; }
        public string Value { get; set; }

        protected override bool AuthorizeCore(HttpContextBase context)
        {
            return context.User.Identity.IsAuthenticated
                && context.User.Identity is ClaimsIdentity
                && ((ClaimsIdentity)context.User.Identity)
                       .HasClaim(x => x.Type == ClaimType && x.Value == Value);
        }
    }

In the end, you just need to add your attribute to your actions:

    [ClaimsAccess(ClaimType = "UserRight", Value = "YourRightID")]
    public ActionResult MyAction()
    {
        // you also have access to the authenticated user's claims
        // simply by casting User.Identity to ClaimsIdentity:
        // ((ClaimsIdentity)User.Identity).Claims
        return View();
    }

I skipped the user group to simplify this example, and I also hard-coded some parts that you need to write a provider for, to retrieve them from the database.

+17
Jul 31 '15 at 21:10
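A worked example, added here and not part of the answer above, that fills in the two pieces the answer hard-coded: resolving a user's effective rights (group defaults overridden by rows in the user rights table) into claims, and a ClaimsAccess attribute that answers 403 instead of the login redirect when an already-authenticated user lacks the right. The row shape (RightId, Allowed) and the `UserRight` claim type are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Assumed shape of a row from the group rights or user rights table.
public class RightRow { public int RightId; public bool Allowed; }

public static class EffectiveRights
{
    public const string RightClaimType = "UserRight";

    // groupRights: the defaults for the user's group; userOverrides: rows from
    // the user rights table. An override always wins; with no override the
    // group default stands.
    public static ISet<int> Resolve(IEnumerable<RightRow> groupRights,
                                    IEnumerable<RightRow> userOverrides)
    {
        var effective = new Dictionary<int, bool>();
        foreach (var g in groupRights) effective[g.RightId] = g.Allowed;
        foreach (var o in userOverrides) effective[o.RightId] = o.Allowed; // override
        return new HashSet<int>(effective.Where(kv => kv.Value).Select(kv => kv.Key));
    }

    // Only granted rights become claims, so a right denied by an override is
    // never present in the cookie and can never satisfy the attribute below.
    public static IEnumerable<Claim> ToClaims(ISet<int> rights) =>
        rights.Select(id => new Claim(RightClaimType, id.ToString()));
}

public class ClaimsAccessAttribute : AuthorizeAttribute
{
    public string ClaimType { get; set; }
    public string Value { get; set; }

    protected override bool AuthorizeCore(HttpContextBase context)
    {
        var identity = context.User.Identity as ClaimsIdentity;
        return identity != null && identity.IsAuthenticated
               && identity.HasClaim(c => c.Type == ClaimType && c.Value == Value);
    }

    // Default AuthorizeAttribute behaviour is 401, which the cookie middleware
    // turns into a login redirect; a logged-in user missing a right should get 403.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Because the rights are copied into the authentication cookie at sign-in, changing a row in the user rights table has no effect on an existing session until the user signs in again (or the cookie is regenerated), so keep that in mind when deciding how quickly a revoked right must take effect.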
