chatura

Reputation: 4117

Custom role based authorization (without membership)

I'm pretty new to MVC and developing an application with ASP.NET MVC 4. For authentication I'm using Windows Authentication with Active Directory in a domain. The next step is to authorize users (without using membership). I went through several articles and have still to find a good approach.

I have my own 3 database tables (Users, Roles, UserRoles) to maintain authorized users with several admin levels. It is many to many. For example, there may be an "admin" (full access to the system with create rights), a "data operator" (update rights only for a section) and a "support user" (read-only/view-only access). Since this is many to many, a user may be a "support user" as well as a "data entry operator".

For a particular section I need to control the access based on methods. For example, let's say there is a controller called "InvoiceController". There may be methods as follows.

CreateNewInvoice() // Accessible only by admin

UpdateInvoice(...) // Accessible for admin and data operator

ViewInvoice(...) // Accessible for admin, data operator and support user

(Only the users that exist in the roles table can access the system. Access is denied for others.)

Please let me know how I can use authentication at the method level based on the roles stored in the database.

Upvotes: 3

Views: 6698

Answers (1)

jgauffin

Reputation: 101176

You can do it in two ways:

Either create a custom AuthorizeAttribute in which you load and check the roles.

But the better solution is to create a custom IPrincipal/IIdentity and assign it in the Application_OnPostAuthenticateRequest. By doing so you can take full advantage of the built-in authorization model without any further customizations.

See my answer here: https://stackoverflow.com/a/10949178/70386

Upvotes: 3
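The following is an added example of the second approach from the answer above (the custom IPrincipal assigned in PostAuthenticateRequest); it is not code from the answer or the question. The principal wraps the WindowsIdentity that Windows Authentication already produced, loads the user's roles from the question's three tables, and lets the stock AuthorizeAttribute do the per-method check. The column names (Users.Id, Users.LoginName, Roles.Name, UserRoles.UserId/RoleId) and the connection-string name "AuthDb" are assumptions, as is the convention that LoginName stores the DOMAIN\user name reported by Windows Authentication.

```csharp
// Added example, not the answer's own code. Schema and connection-string name are assumed.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;

// Wraps the identity Windows Authentication produced; IsInRole answers from the DB roles.
public class DbRolePrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;

    public DbRolePrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        return _roles.Contains(role);
    }
}

public static class RoleRepository
{
    // Assumed schema: Users(Id, LoginName), Roles(Id, Name), UserRoles(UserId, RoleId).
    public static IList<string> GetRoles(string loginName)
    {
        const string sql = @"
            SELECT r.Name
            FROM Users u
            JOIN UserRoles ur ON ur.UserId = u.Id
            JOIN Roles r ON r.Id = ur.RoleId
            WHERE u.LoginName = @login";

        var roles = new List<string>();
        var cs = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@login", loginName); // parameterised, never concatenated
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        return roles;
    }
}

// Global.asax.cs: ASP.NET wires Application_<EventName> methods by naming convention.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return; // no Windows identity: leave it, [Authorize] rejects the request

        // Fail closed: a lookup error yields no roles, so the user is denied, not granted.
        IList<string> roles;
        try { roles = RoleRepository.GetRoles(identity.Name); }
        catch (SqlException) { roles = new string[0]; }

        var principal = new DbRolePrincipal(identity, roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}

// The built-in AuthorizeAttribute now calls IPrincipal.IsInRole, so no custom attribute
// is needed. Controller-level and action-level attributes are both evaluated, so the
// controller-level one enforces "only users present in the Roles table get in".
[Authorize(Roles = "admin,data operator,support user")]
public class InvoiceController : Controller
{
    [Authorize(Roles = "admin")]
    public ActionResult CreateNewInvoice() { return View(); }

    [Authorize(Roles = "admin,data operator")]
    public ActionResult UpdateInvoice(int id) { return View(); }

    // Inherits the controller-level rule: admin, data operator or support user.
    public ActionResult ViewInvoice(int id) { return View(); }
}
```

Two points worth checking in practice: Windows Authentication leaves IsAuthenticated true for every domain user, so a user who is absent from the Users table is only stopped by the controller-level Authorize (or a global AuthorizeAttribute filter), not by the identity itself; and the roles are queried on every request here, which is the simplest correct option, because any cache (session, encrypted cookie) has to be invalidated when a user's rows in UserRoles change or a revoked user keeps their old rights until it expires.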
