Permission Based Permissions in ASP.NET MVC3

I am adding ASP.NET MVC to an existing WebForms application. So far, I do not need authentication / registration, as this part is processed by existing code (forms authentication).

In the existing WebForms application, we have fully custom authorization based on page permissions. Thus, each user has a set of rights, listing the pages to which he is allowed access.
Now I need to decide how I can use the same permission system to restrict access to certain controllers and MVC actions.

As I understand it, for ASP.NET MVC there is a standard AuthorizeAttribute where I can specify roles. I also found some articles that suggest specifying permissions instead of roles - then you can do something like this:

[CustomAuthorize(Roles = "View products, Edit products")] 

By extending AuthorizeAttribute, I can also determine how I store and get permissions.

This solution would be acceptable to me (although changing the semantics of roles smells a bit).
But before doing this, I would like to see what the other options are. And here is where I am stuck: I did not find a full-blown overview of the various authorization approaches in ASP.NET MVC. I would also like to know how all the security concepts (e.g. Forms Authentication, Membership Providers, the Authorize attribute, IPrincipal, etc.) are related to each other and how they should work together.

+7
1 answer

The first thing you need to understand is that, like WebForms, MVC has a pipeline. Each request goes through several methods, and there are extension points along the way that you can "hook into" and do something.

All AuthorizeAttribute attributes connect to the OnAuthorization extension point and decide whether to grant someone access or not based on the criteria that you have provided to them (usernames, roles, etc.).

Here is an example: http://geekswithblogs.net/brians/archive/2010/07/08/implementing-a-custom-asp.net-mvc-authorization-filter.aspx

You can create your own authorization attribute and do the same with your own criteria. You do not need to reassign the Roles parameter; you can create your own if you want.

This is the method that MVC prefers. Another nice thing: if you also make it a filter, you can add it to global filters and apply it to everything if you want.

You basically have two other reasonable options. Deploy a handler in global.asax for Application_AuthenticateRequest (not recommended), or create a generic BaseController in which you override OnAuthorize (the attribute intercepts the same thing, but in a different place).

Many people try to authenticate using Session variables, and this is the worst.

Since we do not know anything about your authentication and permission system, all we can do is provide general recommendations.

+7
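The custom authorization attribute the answer recommends, as an added example that is not part of the original question or answer. It keeps the base AuthorizeAttribute behaviour (authentication check, output-cache handling), adds a deny-by-default permission check, and answers an authenticated-but-unauthorized request with 403 instead of bouncing it to the login page. `IPermissionStore` and `StoreFactory` are hypothetical seams standing in for the existing WebForms permission lookup.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical seam over the existing page-permission store (the legacy
// WebForms code would implement this; it is an assumption of this example).
public interface IPermissionStore
{
    bool HasPermission(string userName, string permission);
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method,
                AllowMultiple = true, Inherited = true)]
public class PermissionAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _required;

    // Hypothetical hook so the attribute can reach the legacy store
    // without a DI container; set it once in Application_Start.
    public static Func<IPermissionStore> StoreFactory = () =>
    {
        throw new InvalidOperationException("StoreFactory not configured");
    };

    public PermissionAuthorizeAttribute(params string[] requiredPermissions)
    {
        _required = requiredPermissions ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: rejects anonymous users and honours Users/Roles if set.
        if (!base.AuthorizeCore(httpContext)) return false;

        // Deny by default: every listed permission must be held; an empty
        // list grants nothing beyond "is authenticated".
        string user = httpContext.User.Identity.Name;
        IPermissionStore store = StoreFactory();
        return _required.All(p => store.HasPermission(user, p));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but lacking a permission: 403, not a redirect to login.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        else
            base.HandleUnauthorizedRequest(filterContext); // 401 -> forms-auth login redirect
    }
}
```

Apply it per action as `[PermissionAuthorize("View products", "Edit products")]`, and register `new PermissionAuthorizeAttribute()` in `GlobalFilters.Filters` in Application_Start if every MVC action should at least require a login (MVC 3 has no AllowAnonymous, so keep the login page outside MVC, as in the question).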
