Doubt on authentication/authorization based on access profiles with Webapi Asp.Net Core MVC

Asked

Viewed 44 times

1

I have here a Windows Forms + Sybase application that has an authentication scheme based on access profiles. The diagram of the database is as follows:

Diagrama de relacionamentos

On the table Permission we have descriptions of all the features of the system. If you can access the customer register, if you can adjust the stock, if you can delete a product, if you can make a sale, etc.

On the table Profile we have "Manager", "Seller 1", "Seller 2", "Administrator", etc.

And the table Profile is the associative entity of the two tables, where we say which functions each profile has access to.

And each user has their profile, with the appropriate profile access permissions.

I am creating a Webapi for this system, but I am not able to reconcile this form of authentication of the current system with the possibilities of authentication of Asp.Net MVC.

I would like controller and action authorizes to be based on this permission scheme to grant or deny access to them.

Is there any way to tailor this access permission scheme of the current system to the "Authorize", "policy", "Claims", etc of Asp.Net Core MVC?

asp.net-mvc permissions asp.net-core-web-api authorization

1 answer

1


In this profile permission format, I used the Claims to solve the problem. It is possible to send, for example, multiple "Role" type Claims, placing each of the permissions in these Claims.

Something similar to this can be used:

foreach(Permissao permissao in permissoes)
{
    Claim item = new Claim(ClaimTypes.Role, permissao.Codigo );
    lstClaims.Add(item);
}

And later the list of Claims is passed to the token used.

...
Subject = new ClaimsIdentity( lstClaims.ToArray() )
...

That’s how I resolved.

Browser other questions tagged asp.net-mvc permissions asp.net-core-web-api authorization

You are not signed in. Login or sign up in order to post.