Reputation: 22566
I have been having trouble using roles-based authentication in my project.
I have set up some roles and linked them to a user.
This works:
    [Authorize]
    public class UsersController : Controller
    {}
If I am not logged in, it asks me to log in.
However, if I change it to:
    [Authorize(Roles = "ManageUsers")]
    public class UsersController : Controller
    {}
And I try to access it as the user with that role, it asks me to log in.
So I did some googling and I found this post: Link and they suggested to add:
    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear />
        <add name="AspNetSqlRoleProvider" connectionStringName="DefaultConnection" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
to my web.config, which I did, and it then allowed me to access the controller. But I noticed that it let me access the controller whether I was in that role or not.
I am using Cookies Authentication for my project. So I think that I am getting confused between the different types of authentication.
    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            ExpireTimeSpan = TimeSpan.FromMinutes(5),
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
    }
So I need some advice on where to go from here:
I simply want to make use of the roles which are implemented by the default project. I have populated the database etc. I just can't get my filters working.
Upvotes: 0
Views: 1418
Reputation: 47375
> I think that I am getting confused between the different types of authentication.
I agree. First of all, authentication has to do with logging in. Once a user logs in, they are authenticated.
Restricting access to a controller action or other resource based on a user's role is called authorization. Many times people talk about both of these security concerns together collectively as auth. However, it sounds to me like you have authentication implemented, and are having problems with authorization.
The roleManager section in your web.config, as far as I know, is not compatible with Microsoft.AspNet.Identity, which it looks like you are using. If you have a UserManager<T> class being set up somewhere, then you should use the Microsoft.AspNet.Identity role system and not the legacy roleManager. So remove that section from your web.config.
It sounds like Microsoft.AspNet.Identity is preventing role-based access to your action because something in there is not properly set up. That library has its own class called RoleManager, similar to UserManager, which is used to manage roles. You haven't provided enough information in your question for anyone to help you determine the exact cause of the problem. However, if you do some research on Microsoft.AspNet.Identity RoleManager, then you should be able to debug the issue yourself. Best of luck.
Upvotes: 2
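One way to narrow down where the role check fails, as an added example that is not part of the question or the answer: a temporary diagnostic action that compares the role in the Identity store with the role claims carried in the signed-in user's cookie. It assumes the legacy roleManager section has been removed and that the project uses the default template's ApplicationUser and ApplicationDbContext classes; the YourApp.Models namespace and the RoleDebugController name are hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using YourApp.Models; // assumption: namespace holding ApplicationUser / ApplicationDbContext

// Diagnostic only: remove once the role filter works.
[Authorize] // authentication only, so this stays reachable while the role filter fails
public class RoleDebugController : Controller
{
    private const string Role = "ManageUsers"; // the role name used in the question

    public ActionResult Index()
    {
        using (var db = new ApplicationDbContext())
        {
            var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
            var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));
            var userId = User.Identity.GetUserId();

            // 1. Does the role exist in the Identity role table?
            bool roleExists = roleManager.RoleExists(Role);

            // 2. Is the current user linked to it in the Identity store?
            bool inStore = userManager.GetRoles(userId).Contains(Role);

            // 3. Which role claims were written into the cookie at sign-in?
            //    [Authorize(Roles = ...)] evaluates the principal, not the database.
            var identity = (ClaimsIdentity)User.Identity;
            bool inCookie = identity.FindAll(identity.RoleClaimType)
                                    .Any(c => c.Value == Role);

            return Json(new
            {
                roleExists,
                inStore,
                inCookie,
                isInRole = User.IsInRole(Role)
            }, JsonRequestBehavior.AllowGet);
        }
    }
}
```

If inStore is true but inCookie is false, the cookie was issued before the role was assigned; signing out and back in reissues it with the role claim. If roleExists or inStore is false, the role data was not written through the Identity tables that RoleManager reads.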