infinity

Reputation: 1920

ASP.Net WebApi Authorization using resource data

In WebApi, how & where would I plug in my authorization rules that are based on the resource metadata & audit information?

Here are all the interceptors that I am currently using in my request pipeline

  1. IHttpModule
  2. Delegating Handlers
  3. Authorization Filter
  4. ActionFilters

Background - My authorization rules around a DELETE request are based on the audit information around the existing resource. For example, a user can only delete the resources that were created by him. So if a request to delete a resource comes from a user (with delete privileges) who has not created it, I should return a 403 error.

I am not aware of a way to access the Model & Repository from any of the 4 handlers that I am already using. I am wondering what the right way to do it would be.

Upvotes: 1

Views: 267

Answers (1)

David Brossard

Reputation: 13834

What did you write your authorization rules in? Is that what you are trying to achieve? The pattern I usually recommend is to use XACML (the eXtensible Access Control Markup Language). It's like SAML but for fine-grained authorization instead.

With XACML, you get a Policy Decision Point (PDP - the authorization engine/service) which evaluates your authorization rules. The PDP exposes a yes/no authorization API. All you then need to do is connect your interceptors to that PDP. The interceptors will create the right authorization request and send the request to the PDP.

This means that you are applying the same authorization logic in all 4 of the filters you mentioned:

  1. IHttpModule
  2. Delegating Handlers
  3. Authorization Filter
  4. ActionFilters

XACML is an OASIS standard, just like SAML. You can check out their homepage. I am one of the editors of that standard and - disclaimer - I work for one of the vendors, Axiomatics.

XACML also gives you a fine-grained authorization language. For instance, you can implement the following type of rule:

  • a user with the role==manager can do the action==edit on resources of type==documents if and only if document.location==user.location

I hope this helps.

Upvotes: 1
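As an added example, not part of the question or of the answer above, here is one way to wire the rule from the question into a Web API 2 authorization filter in the shape the answer describes: the interceptor loads the resource's audit data from the repository, builds a (subject, action, resource) request, and asks a yes/no policy decision point, returning 403 when the caller is not the creator. Document, IDocumentRepository, IPolicyDecisionPoint, OwnerOnlyDeletePdp, AuthorizeDocumentOwnerAttribute and DocumentsController are hypothetical names; a configured Web API dependency resolver is assumed; and the PDP is a local stand-in for the external XACML service rather than a client for one.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical resource carrying its audit information.
public class Document
{
    public int Id { get; set; }
    public string CreatedBy { get; set; }   // audit field the rule depends on
}

// Hypothetical repository; resolved through the Web API dependency resolver.
public interface IDocumentRepository
{
    Document Find(int id);
    void Delete(int id);
}

// Policy decision point: a yes/no answer for (subject, action, resource).
// A real deployment would send this tuple to an external XACML PDP; this is
// a local stand-in (an assumption) so the filter's wiring reads end to end.
public interface IPolicyDecisionPoint
{
    bool IsPermitted(string subject, string action, Document resource);
}

public class OwnerOnlyDeletePdp : IPolicyDecisionPoint
{
    public bool IsPermitted(string subject, string action, Document resource)
    {
        // Rule: a user may delete only the documents they created.
        if (action == "delete")
            return string.Equals(resource.CreatedBy, subject, StringComparison.Ordinal);
        return true;
    }
}

// Authorization filters run before parameter binding, so the resource id is
// read from the route data rather than from actionContext.ActionArguments.
public class AuthorizeDocumentOwnerAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        var principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        object rawId;
        int id;
        if (!actionContext.ControllerContext.RouteData.Values.TryGetValue("id", out rawId)
            || !int.TryParse(Convert.ToString(rawId), out id))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.BadRequest);
            return;
        }

        // Pull the repository and the PDP from the request's dependency scope.
        var scope = request.GetDependencyScope();
        var repository = (IDocumentRepository)scope.GetService(typeof(IDocumentRepository));
        var pdp = (IPolicyDecisionPoint)scope.GetService(typeof(IPolicyDecisionPoint));

        var document = repository.Find(id);
        if (document == null)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.NotFound);
            return;
        }

        var action = request.Method == HttpMethod.Delete ? "delete" : "read";
        if (!pdp.IsPermitted(principal.Identity.Name, action, document))
        {
            // Authenticated and privileged, but not the creator: 403, not 401.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

public class DocumentsController : ApiController
{
    private readonly IDocumentRepository _repository;

    public DocumentsController(IDocumentRepository repository)
    {
        _repository = repository;
    }

    [AuthorizeDocumentOwner]
    public IHttpActionResult Delete(int id)
    {
        _repository.Delete(id);   // reached only if the filter let the request through
        return StatusCode(HttpStatusCode.NoContent);
    }
}
```

Two things a practitioner should check before copying this shape. First, in the Web API pipeline authorization filters execute before model binding, so ActionArguments is empty there; the id has to come from the route data or the request URI, and if you would rather work with the bound, typed parameters the same check can be moved into an ActionFilterAttribute.OnActionExecuting, which runs after binding but later in the pipeline. Second, the decision here is made from the resource as it exists at authorization time; the delete itself should run in the same request scope so the audit row the filter inspected is the one the action removes.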
