cadrell0

Reputation: 17327

MVC Conditional Authorization

I'm trying to figure out the correct way to control access to the different sections of my application.

My app has 3 sections.

  1. Admins
  2. Super Users
  3. Regular Users

I've read http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx, so I understand that even though I have an area for each, I do not want to use that for my authorization.

My idea is to have 3 base controller classes, one for each section. Something like AdminBaseController, SuperUserBaseController, and RegularUserBaseController.

I know I could then add an AuthorizeAttribute to each of those, but I want to store the required roles in my settings, so I can't set those in the attribute.

So I'm thinking I need to inherit from AuthorizeAttribute and override OnAuthorization, and this is where I am stuck. This is what I have so far.

    public class SectionAuthorizeAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            // Pick the required roles by the section the controller belongs to
            if (actionContext.ControllerContext.Controller is AdminBaseController)
            {
                //do something
            }
            else if (actionContext.ControllerContext.Controller is SuperUserBaseController)
            {
                //do something
            }
            else if (actionContext.ControllerContext.Controller is RegularUserBaseController)
            {
                //do something
            }
            else
            {
                //someone forgot to use a base controller
                //deny by default
            }
        }
    }

I'm thinking I just set the Roles and Users property to the correct values, then call base.OnAuthorization at the end. Does this seem like a reasonable solution? Also, to deny all, should I just be setting both properties to ""?

If I'm way off, please point me in a better direction.

Upvotes: 0

Views: 216
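One way to carry the idea above through in ASP.NET MVC, as an added example that is not code from the question or from either poster. It assumes the three base controller names from the question, appSettings keys of the form `Roles.Admin` / `Roles.SuperUser` / `Roles.RegularUser` (an assumption), and does the role check in place instead of mutating the attribute's `Roles` property, because MVC caches filter attribute instances and shares them across requests. An unknown section or a missing setting denies the request rather than falling back to "any authenticated user".

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical marker base classes, one per section of the site.
public abstract class AdminBaseController : Controller { }
public abstract class SuperUserBaseController : Controller { }
public abstract class RegularUserBaseController : Controller { }

// Authorizes by the controller's section; the required roles come from appSettings
// under assumed keys, e.g. <add key="Roles.Admin" value="Administrators,Operators" />.
public class SectionAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        string key = SettingKeyFor(filterContext.Controller);
        string[] required = key == null ? null : ParseRoles(ConfigurationManager.AppSettings[key]);

        // Fail closed: no section base class, no setting, or an empty role list all deny.
        if (required == null || required.Length == 0 || !IsAllowed(filterContext.HttpContext.User, required))
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    private static string SettingKeyFor(ControllerBase controller)
    {
        if (controller is AdminBaseController) return "Roles.Admin";
        if (controller is SuperUserBaseController) return "Roles.SuperUser";
        if (controller is RegularUserBaseController) return "Roles.RegularUser";
        return null; // controller did not derive from a section base class
    }

    // Splits "A, B,C" into ["A", "B", "C"]; null or blank input yields an empty array.
    internal static string[] ParseRoles(string configured)
    {
        if (string.IsNullOrWhiteSpace(configured)) return new string[0];
        return configured.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
    }

    // Authenticated and in at least one of the required roles.
    internal static bool IsAllowed(IPrincipal user, string[] required)
    {
        return user != null && user.Identity != null && user.Identity.IsAuthenticated
            && required.Any(user.IsInRole);
    }
}
```

Register it globally (or put it on each base controller) so a controller that forgets the base class is still covered by the deny branch. Unlike the built-in AuthorizeAttribute, this filter does not adjust the output cache policy, so do not combine it with [OutputCache] on protected actions without handling that separately.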

Answers (1)

Brett Allred

Reputation: 3487

Look at Fluent Security http://www.fluentsecurity.net/

I like it a lot better than the built in security features in .NET. They have examples of Role Based permissions in their samples. It is also cleaner than what you are trying to do.

Here is a sample of how you would configure security for your site using Fluent Security.

    using System.Web;
    using FluentSecurity;

    /// <summary>
    /// Configuration Helper for Fluent Security. See http://www.fluentsecurity.net
    /// </summary>
    public static class SecurityConfig
    {
        public static void Configure()
        {
            SecurityConfigurator.Configure(c =>
            {
                // Tell Fluent Security where to get the current user's authentication status and roles
                c.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
                c.GetRolesFrom(() => (HttpContext.Current.Session["Roles"] as string[]));

                // Blanket Deny All
                c.ForAllControllers().DenyAnonymousAccess();

                // Publicly Available Controllers
                c.For<HomeController>().Ignore();
                c.For<RegistrationsController>().Ignore();
                c.For<LoginController>().Ignore();

                // Only allow Admin To Create
                c.For<ReservationsController>(x => x.Create())
                 .RequireRole(UserRoles.Admin.ToString());

                c.For<ReservationsController>(x => x.Edit(""))
                 .RequireRole(UserRoles.Admin.ToString(), UserRoles.User.ToString());

                c.For<ReservationsController>(x => x.Delete(""))
                 .RequireRole(UserRoles.Admin.ToString(), UserRoles.User.ToString());
            });
        }
    }

Upvotes: 3
