I am currently working on a project with aspnet-core and do not have much idea how to proceed to handle user permissions. I even have an idea of how I can do it (and I’ve done it), but I don’t know if it’s the best possible approach.
My application (Web Api) has permissions attached to each user, and when a user enters the application their requests must be validated against their permissions.
What I do today is to use a [CustomAuthorizeAttribute] that performs the validation of permissions based on the request route.
Ex: The user requested produto/get/1, so I look up their permissions in the database and check whether they have permission for the product entity.
Any idea of a better approach ?
I can’t say how it would work in Core, but in the regular Web API I deal with Claims together with OAuth. One of the Claims I attach to the user in the returned Bearer token is the user’s role, and on each call I check the role. If the user doesn’t have the intended role, I return an Exception.
– Grupo CDS Informática
Like everything else in programming, it depends... hehehe In ASP.NET Core they created policies https://docs.microsoft.com/en-us/aspnet/core/security/authorizationpolicies, always based on Claims. Here is a video by the guy who takes care of that part of ASP.NET https://www.youtube.com/watch?v=Pde_Hw2BsG8; if you look him up on Channel 9 you will find several talks by him. Security is hard. (:
– João Mello
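As an added illustration (not code from the question or the comments) of the policy-and-claims approach the comments point to, applied to the question's own case: the requested entity is taken from the route (produto for produto/get/1) and compared against permission claims instead of a per-request database lookup. The requirement, handler and policy names, the "permission" claim type, and the assumption that permissions are copied into claims when the user signs in are all my own; it targets ASP.NET Core 3.0 or later with endpoint routing.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Marker requirement (assumed name): the caller must hold a "permission" claim
// whose value is the entity named by the route's controller segment.
public class PermissionRequirement : IAuthorizationRequirement { }

public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // With endpoint routing the resource handed to the handler is the
        // HttpContext, whose request carries the matched route values.
        if (context.Resource is HttpContext http &&
            http.Request.RouteValues.TryGetValue("controller", out var entity) &&
            entity is string name)
        {
            // Permissions were placed in claims at sign-in (assumption), so the
            // check is a claim comparison rather than a database query per call.
            if (context.User.HasClaim("permission", name.ToLowerInvariant()))
                context.Succeed(requirement);
        }
        // Not calling Succeed leaves the requirement unmet: the request gets 403.
        return Task.CompletedTask;
    }
}

// Registration, e.g. from Startup.ConfigureServices.
public static class PermissionPolicySetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("EntityPermission",
                policy => policy.Requirements.Add(new PermissionRequirement())));
        services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
    }
}

// The controller opts in to the policy; the route decides which entity is checked.
[Authorize(Policy = "EntityPermission")]
[Route("[controller]/[action]")]
public class ProdutoController : ControllerBase
{
    [HttpGet("{id}")]
    public IActionResult Get(int id) => Ok(new { id });
}
```

A user whose claims include permission=produto can call produto/get/1; a user without that claim receives 403 before the action runs.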