sachin

Reputation: 91

DNN API Role based authorization

I want to apply authorization on API calls with respect to DNN roles, so that DNN itself will check whether the logged-in user has access to a particular API call. I found one solution, but it is not exactly what I want: How to handle security/authentication on a DNN-based web API. This link suggests having a separate module for API authorization so that we can assign roles to this module, and by using the [SupportedModules("ModuleName")] attribute on the API call we can restrict authorization. I checked this example but had no luck... Please suggest the proper way to do it.

Upvotes: 5

Views: 3732

Answers (2)

MysteriousWhisper

Reputation: 678

Have you checked this post? http://www.dotnetnuke.com/Resources/Blogs/EntryId/3329/Authorization-in-the-new-DNN-Services-Framework.aspx

I have found this useful (as well as the other answer you referred to)... but it's taken me a long time to understand it! Here's what I've figured out so far: If you're using a web browser, DNN can accept your request and evaluate the permissions (based on your login). The linked blog entry demonstrates this with an API that lists tabs -- it only shows the tabs your login has permission to see. If you write an HTTP request from somewhere else (such as in a PHP script), you can see the same behavior if you send username/password with the request.

You can use the DnnAuthorize attribute, but using role names directly can be problematic for the reasons you mentioned -- what if they change? However, you can write your own attribute. Basically, it will require (in some way, shape, or form) a TabID and ModuleID. That way, instead of checking a role name, you can have DNN check what permissions the current user has for that module.

You can write a module for it, assign role-based permissions to your module, and have DNN just check that tab/module for the given login. Writing your own attribute will make it easy to assign the permissions in your controller... without specifying the roles directly.

I believe the link refers to DNN 6.2, so there may be some differences with 7.

Upvotes: 2

Mitchel Sellers

Reputation: 63126

As long as you work with the DnnApiController as part of 7.x you can simply add this attribute to any method to require authorization based on role.

[DnnAuthorize(StaticRoles = "MyRoleNameHere")]

Where "MyRoleNameHere" is the name of the role that the user must have.

Upvotes: 3
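
The two approaches from the answers above, side by side, as an added example that is not code from either answer or from DNN itself: one action is gated on a role name with DnnAuthorize, the other on the caller's permissions for a module instance with DnnModuleAuthorize, so a role can be renamed or reassigned without a code change. The module name "ReportsApi", the namespace, the role name and the DTO are hypothetical; the caller is assumed to send the ModuleId and TabId request headers that the Services Framework uses to resolve the module.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Web.Api;

namespace Example.ReportsApi // hypothetical namespace
{
    // Exposes the controller under ~/DesktopModules/ReportsApi/API/{controller}/{action}
    public class RouteMapper : IServiceRouteMapper
    {
        public void RegisterRoutes(IMapRoute mapRouteManager)
        {
            mapRouteManager.MapHttpRoute("ReportsApi", "default",
                "{controller}/{action}", new[] { "Example.ReportsApi" });
        }
    }

    // Reject requests whose ModuleId/TabId headers do not resolve to an
    // instance of the (hypothetical) "ReportsApi" module.
    [SupportedModules("ReportsApi")]
    public class ReportsController : DnnApiController
    {
        // Role-name check: the caller must hold the named role.
        [HttpGet]
        [DnnAuthorize(StaticRoles = "Report Readers")] // hypothetical role name
        public HttpResponseMessage Summary()
        {
            return Request.CreateResponse(HttpStatusCode.OK,
                new { user = UserInfo.Username });
        }

        // Permission check: the caller needs Edit permission on the module
        // instance named by the request headers. Roles are assigned in the
        // module's permission grid, not in code.
        [HttpPost]
        [ValidateAntiForgeryToken]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
        public HttpResponseMessage Update(ReportDto dto)
        {
            return Request.CreateResponse(HttpStatusCode.OK,
                new { updated = dto.Id, module = ActiveModule.ModuleID });
        }
    }

    public class ReportDto { public int Id { get; set; } } // hypothetical payload
}
```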
