I've recently migrated from traditional ASP.Net web-form based development to MVC2 and I've been looking for the best practices and norms that MVC can leverage to create a long-term maintainable web solution.
I've arrived at the implementation of Authentication and RBAC (role-based access). I had simple static RBAC in the past to avoid complexity, but now with MVC I expect better options and more control over the traditional approach. The Membership API has been the default for ASP.Net security, but it needs many DB objects and it also didn't have an easy way of altering its behavior, like adding properties to User or overriding some of its default features.
To summarize, in the past I had to avoid the Membership API and go with my own simple Userservice layer approach to achieve simple security & RBAC. I had page-level access control and I handled it from within a base class (Pagebase) from which all the web-form pages were derived. I just had to pass some role parameters to configure security for a page. Our user and role maintenance are pretty simple and I don't need things like security question, hash-password, salt, etc., at least not till now.
Now, with MVC, I need something similar with central control. I can have either Controller-level and/or Action-level authorization ([Authorize] or my custom one). I can deploy an 'Authorization filter' (like an action filter). I also want to go for a dynamic RBAC. I want to use the Membership features but I don't want its tables, and I want to avoid the other extra things mentioned above.
Static Membership API based approach: Role based security asp.net mvc
I've learned that I can override the Membership provider as well as the Role Provider to gain total control of the background processing and leverage the features of Membership API and RBAC that sit on top of it.
For example,
Custom Membership Providers
- http://www.codeproject.com/KB/aspnet/CustomMembershipProviders.aspx
- http://mattwrock.com/post/2009/10/14/Implementing-custom-Membership-Provider-and-Role-Provider-for-Authinticating-ASPNET-MVC-Applications.aspx
Implementing a Role Provider
I've come all this way and I want to make sure that I'm on the right path and that the approach will gradually lead me to dynamic RBAC which I can expose to Admin-level users to configure RBAC. Here are my requirements -
Please guide me and share your suggestions.
EDIT 1: I found some more from SO: (says to roll out our own)
Wow, it's been over a year!
Well, I tried to implement a Custom Membership provider, but then I wanted more and more customization and wanted to have more ad-hoc features for certain models and actions.
So, finally, I ended up using a simple (but highly effective) controller level action filter -
```csharp
public class IsAuthorizeAttribute : AuthorizeAttribute
{
    ...
    public IsAuthorizeAttribute(Rights rightToAuthenticate)
    ...
}
```
Rights is my custom Enum I use to declare rights (most are tied at controller level but some are also at action level). This combined with a simple table structure:
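One way the attribute sketched in the answer above can be filled out, as an added example rather than the poster's own code. The `Rights` flag values, the `IRightsService` lookup (standing in for the poster's tables), the `RightsServiceFactory` hook and the `AccessDenied` view name are all assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Rights the application checks. Names and values are assumed for this example;
// using [Flags] lets one attribute require several rights at once.
[Flags]
public enum Rights
{
    None        = 0,
    ViewOrders  = 1,
    EditOrders  = 2,
    ManageUsers = 4
}

// Resolves the rights a user holds; in practice backed by the user/right tables.
public interface IRightsService
{
    Rights GetRightsFor(string userName);
}

public class IsAuthorizeAttribute : AuthorizeAttribute
{
    private readonly Rights _required;

    // Attributes cannot take constructor-injected services, so the lookup is
    // supplied through a static factory configured at startup (an assumption).
    public static Func<IRightsService> RightsServiceFactory =
        () => { throw new InvalidOperationException("RightsServiceFactory not configured"); };

    public IsAuthorizeAttribute(Rights rightToAuthenticate)
    {
        _required = rightToAuthenticate;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base check so an anonymous caller is rejected before any lookup.
        if (!base.AuthorizeCore(httpContext)) return false;

        Rights held = RightsServiceFactory().GetRightsFor(httpContext.User.Identity.Name);
        // Deny by default: every bit of the required mask must be present.
        return (held & _required) == _required;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user lacking the right gets an access-denied view
        // instead of being bounced to the login page again.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Applied as `[IsAuthorize(Rights.EditOrders)]` on a controller or action; because the check lives in `AuthorizeCore`, it is also re-run by the base class's output-cache validation callback.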