VaibhavR

Reputation: 13

ASP.NET MVC 4 : Authentication and Authorization:Intranet Application

I'm new to ASP.NET MVC world. I'm building an intranet web application. Authentication and authorization is defined in my case as below:

Authentication: If the HttpRequest contains a header with "USER_ID", the user is authenticated. Authorization: There is one in-house WCF service which, taking USER_ID as input, returns the list of roles the user is entitled to. I keep the roles required by my application in an XML file. If the user's required role is in the service response, then she is allowed to use the application.

I'm thinking of implementing it like below:

In Global.asax -> Application_AuthenticateRequest, I'll put code to check the HTTP header. If it's non-blank, I'll let the user go through this stage.

In the OnAuthorization method of the AuthorizeAttribute class, I'll put code to fetch the role list and match it against the required roles from the XML file.

Is there any way that I can use the existing authentication/authorization infrastructure?

I see code like this

    // Only authenticated users in the "admin" role reach this action
    [Authorize(Roles = "admin")]
    public string Index()
    {
        return "only admins!";
    }

How can I link the Roles property like above to some XML file or table instead of hard-coding it?

Please help me implement this logic in an ASP.NET MVC application.

Upvotes: 1

Views: 999
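The two pieces the question describes, put together as an added example (not code from the question or any of the answers): a Global.asax handler that turns the USER_ID header into a GenericPrincipal carrying the roles returned by the role service, and an AuthorizeAttribute subclass that reads the required roles per operation from an XML file instead of the hard-coded Roles string. The IRoleService interface, the StubRoleService, the permissions.xml layout and the ReportsController are assumptions made for this example; the real WCF client would sit behind IRoleService. The example trusts the header only on the premise that a gateway in front of the intranet app sets it and overwrites whatever the browser sent; if clients can reach the app directly, the header alone proves nothing.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Hosting;
using System.Web.Mvc;
using System.Xml.Linq;

namespace IntranetApp
{
    // Hypothetical abstraction over the in-house WCF service: USER_ID in, role names out.
    public interface IRoleService
    {
        IEnumerable<string> GetRoles(string userId);
    }

    // Constructed stand-in so the sample compiles without the WCF endpoint.
    public class StubRoleService : IRoleService
    {
        public IEnumerable<string> GetRoles(string userId)
        {
            return userId == "jdoe" ? new[] { "finance", "admin" } : new string[0];
        }
    }

    public class MvcApplication : HttpApplication
    {
        private static readonly IRoleService RoleService = new StubRoleService();

        // Authentication: the USER_ID header is assumed to be injected by a trusted
        // gateway that strips any client-supplied copy; a blank header stays anonymous.
        protected void Application_AuthenticateRequest(object sender, EventArgs e)
        {
            string userId = Request.Headers["USER_ID"];
            if (string.IsNullOrWhiteSpace(userId))
            {
                return; // AuthorizeAttribute will answer 401 for anonymous requests
            }

            string[] roles = RoleService.GetRoles(userId).ToArray();
            var principal = new GenericPrincipal(new GenericIdentity(userId, "Header"), roles);

            // Set both so AuthorizeAttribute, User.IsInRole and Thread.CurrentPrincipal agree.
            Context.User = principal;
            Thread.CurrentPrincipal = principal;
        }
    }

    // Authorization: required roles come from an XML file keyed by operation name.
    // Constructed file layout (~/App_Data/permissions.xml):
    //   <permissions>
    //     <operation name="Reports.Index"  roles="finance,admin" />
    //     <operation name="Reports.Delete" roles="admin" />
    //   </permissions>
    public class XmlAuthorizeAttribute : AuthorizeAttribute
    {
        private static readonly Dictionary<string, string> Permissions =
            Load(HostingEnvironment.MapPath("~/App_Data/permissions.xml"));

        private readonly bool _hasPolicy;

        public XmlAuthorizeAttribute(string operation)
        {
            string roles;
            _hasPolicy = Permissions.TryGetValue(operation, out roles);
            if (_hasPolicy)
            {
                Roles = roles; // same comma-separated form the base class parses
            }
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Fail closed: an operation missing from the file is denied, instead of
            // the base behaviour where an empty Roles means "any authenticated user".
            return _hasPolicy && base.AuthorizeCore(httpContext);
        }

        private static Dictionary<string, string> Load(string path)
        {
            return XDocument.Load(path).Root.Elements("operation")
                .ToDictionary(op => (string)op.Attribute("name"),
                              op => (string)op.Attribute("roles"),
                              StringComparer.OrdinalIgnoreCase);
        }
    }

    public class ReportsController : Controller
    {
        [XmlAuthorize("Reports.Index")]   // finance or admin, per permissions.xml
        public string Index()
        {
            return "finance or admin only";
        }
    }
}
```

The attribute resolves its role list once, in the constructor, so no per-request mutation of shared attribute state is needed; the only request-time work is the base class's IsAuthenticated and IsInRole checks against the principal built in Global.asax.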

Answers (2)

to StackOverflow

Reputation: 124696

For Authorization, I would either:

  • Create a GenericPrincipal in the global.asax AuthorizeRequest event handler with the appropriate roles, and assign it to both HttpContext.User and Thread.CurrentPrincipal.

  • Or (better), write a custom RoleProvider that gets the user's roles from the XML file. If you configure such a RoleProvider, ASP.NET will assign a suitable RolePrincipal to both HttpContext.User and Thread.CurrentPrincipal.

You can then use the standard AuthorizeAttribute.

Upvotes: 0
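The second option of this answer, a custom RoleProvider backed by an XML file, as an added example (not the answerer's code): a read-only provider whose roles.xml layout, roleFile attribute and IntranetApp.Security namespace are assumptions for this example, with the web.config registration shown in the leading comment.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Web.Hosting;
using System.Web.Security;
using System.Xml.Linq;

namespace IntranetApp.Security
{
    // Constructed file layout (~/App_Data/roles.xml):
    //   <roles>
    //     <user name="jdoe"   roles="finance,admin" />
    //     <user name="asmith" roles="finance" />
    //   </roles>
    //
    // web.config registration; roleFile is a custom attribute handed to Initialize():
    //   <system.web>
    //     <roleManager enabled="true" defaultProvider="XmlRoleProvider" cacheRolesInCookie="false">
    //       <providers>
    //         <clear />
    //         <add name="XmlRoleProvider" type="IntranetApp.Security.XmlRoleProvider"
    //              roleFile="~/App_Data/roles.xml" />
    //       </providers>
    //     </roleManager>
    //   </system.web>
    public class XmlRoleProvider : RoleProvider
    {
        private ILookup<string, string> _rolesByUser;

        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            base.Initialize(name, config);
            string path = HostingEnvironment.MapPath(config["roleFile"] ?? "~/App_Data/roles.xml");
            _rolesByUser = XDocument.Load(path).Root.Elements("user")
                .SelectMany(u => ((string)u.Attribute("roles") ?? "")
                                    .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries),
                            (u, role) => new { User = (string)u.Attribute("name"), Role = role.Trim() })
                .ToLookup(x => x.User, x => x.Role, StringComparer.OrdinalIgnoreCase);
        }

        public override string[] GetRolesForUser(string username)
        {
            return _rolesByUser[username].ToArray(); // empty array for unknown users
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            return _rolesByUser[username].Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        public override string[] GetAllRoles()
        {
            return _rolesByUser.SelectMany(g => g).Distinct(StringComparer.OrdinalIgnoreCase).ToArray();
        }

        public override bool RoleExists(string roleName)
        {
            return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        public override string[] GetUsersInRole(string roleName)
        {
            return _rolesByUser.Where(g => g.Contains(roleName, StringComparer.OrdinalIgnoreCase))
                               .Select(g => g.Key).ToArray();
        }

        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            return GetUsersInRole(roleName)
                .Where(u => u.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
                .ToArray();
        }

        // The file is the single source of truth, so writes are refused.
        public override void CreateRole(string roleName) { throw new NotSupportedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    }
}
```

The identity still has to come from the USER_ID header: Application_AuthenticateRequest sets HttpContext.User to a principal whose Identity.IsAuthenticated is true (a GenericIdentity with the header value is enough, no roles needed). With roleManager enabled, RoleManagerModule then wraps that identity in a RolePrincipal during PostAuthenticateRequest, and the unmodified [Authorize(Roles = "admin")] ends up calling this provider's IsUserInRole.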

Admir Tuzović

Reputation: 11177

You should check Windows Identity Foundation (WIF), in particular ClaimsAuthorizationManager and ClaimsPrincipalPermissionAttribute. The latter allows you to specify what operation and resource need to be secured, while in ClaimsAuthorizationManager you can check whether the current user can perform the operation on the resource, and that can be read from any source you desire.

Upvotes: 1
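The WIF approach from this answer as an added example (not the answerer's code), written against the .NET 4.5 System.Security.Claims / System.IdentityModel.Services API: a ClaimsAuthorizationManager that loads resource/operation/roles rules from an XML file, plus an MVC filter that asks the configured manager directly so a refusal goes through AuthorizeAttribute's normal 401/403 handling rather than the SecurityException that [ClaimsPrincipalPermission(SecurityAction.Demand, ...)] raises inside the action. The policy.xml layout, the namespace and assembly names in the web.config comment, and the ReportController are assumptions for this example.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.IdentityModel.Services;
using System.Web;
using System.Web.Hosting;
using System.Web.Mvc;
using System.Xml.Linq;

namespace IntranetApp.Security
{
    // Constructed policy file (~/App_Data/policy.xml):
    //   <policy>
    //     <rule resource="Report" operation="Read"   roles="finance,admin" />
    //     <rule resource="Report" operation="Delete" roles="admin" />
    //   </policy>
    //
    // web.config wiring (assumed names):
    //   <configSections>
    //     <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    //   </configSections>
    //   <system.identityModel>
    //     <identityConfiguration>
    //       <claimsAuthorizationManager type="IntranetApp.Security.XmlClaimsAuthorizationManager, IntranetApp" />
    //     </identityConfiguration>
    //   </system.identityModel>
    public class XmlClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        private readonly ILookup<string, string> _rules; // "resource|operation" -> roles

        public XmlClaimsAuthorizationManager()
            : this(HostingEnvironment.MapPath("~/App_Data/policy.xml")) { }

        public XmlClaimsAuthorizationManager(string path)
        {
            _rules = XDocument.Load(path).Root.Elements("rule")
                .SelectMany(r => ((string)r.Attribute("roles") ?? "")
                                    .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries),
                            (r, role) => new
                            {
                                Key = Key((string)r.Attribute("resource"), (string)r.Attribute("operation")),
                                Role = role.Trim()
                            })
                .ToLookup(x => x.Key, x => x.Role, StringComparer.OrdinalIgnoreCase);
        }

        private static string Key(string resource, string operation)
        {
            return resource + "|" + operation;
        }

        public override bool CheckAccess(AuthorizationContext context)
        {
            // WIF hands resource and action over as claim collections; one value each here.
            string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
            string operation = context.Action.Select(c => c.Value).FirstOrDefault();
            if (resource == null || operation == null) return false;

            // No rule for the pair means deny (fail closed).
            var allowed = _rules[Key(resource, operation)];
            return context.Principal != null
                && context.Principal.Identity.IsAuthenticated
                && allowed.Any(role => context.Principal.IsInRole(role));
        }
    }

    public class ClaimsAuthorizeAttribute : AuthorizeAttribute
    {
        public string Resource { get; set; }
        public string Operation { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // On .NET 4.5 a GenericPrincipal built from the USER_ID header is already a ClaimsPrincipal.
            var principal = httpContext.User as ClaimsPrincipal;
            if (principal == null) return false;

            var manager = FederatedAuthentication.FederationConfiguration
                                                 .IdentityConfiguration.ClaimsAuthorizationManager;
            return manager.CheckAccess(new AuthorizationContext(principal, Resource, Operation));
        }
    }

    public class ReportController : Controller
    {
        [ClaimsAuthorize(Resource = "Report", Operation = "Read")]
        public string Index()
        {
            return "visible to finance and admin";
        }
    }
}
```

Keeping resource and operation as the vocabulary of the policy file, rather than controller and action names, lets the same rule govern an MVC action, a service method and a button in a view: each call site states what it does to what, and the manager alone decides who may do it.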
