Doubt about Security, Authentication and Authorization


Hello, I'm having a hard time setting up the security-related part of the application's architecture. I need only logged-in and duly authorized users to have access to certain functions of the application. I know I could normally use role-based authorization, but the problem is that, by the business rules of this application, the users (Master) are the ones who will create the access profiles, so there is no way I can pre-define in the filters which Roles will have access to each controller/action of the application.

Would anyone have a solution for the scenario I described? The architecture will be built in ASP.NET MVC5 C#, with Entity Framework and Autofac.

2 answers



If I understand your problem correctly, it's that Roles cannot be predefined. I also imagine that you will need a way to add new Roles easily (as you said, a Master user creating the profiles).

In that case, I would use the database to record the Roles already created, including information on which route/controller/action is permitted for that Role. Also define an associative relationship between users and roles (basically speaking, "these users have these roles").

In your Controllers, instead of using [Authorize], I would implement a customized AuthorizeAttribute, and instead of confirming whether the user has a Role based on one of the strings (that being what [Authorize] does), it would confirm whether the user has a Role that lets them access this Controller/route/action.

(Excuse the Portuguese, and if not clear, please let me know!)

  • That’s exactly what I was about to suggest as a solution! (:


You can create your own solution or use a ready-made one.

A good solution is Fluent Security. It has a NuGet package and is quite simple to install. Here is a small tutorial.

Another option is to implement your own authorization attribute (@brazilianldsjaguar's reply). Here are several questions and answers that can help you. Just create your logic and put it into the AuthorizeCore method of AuthorizeAttribute.

This method returns True if the user is able to visit a particular part of the code and False otherwise.
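Putting the two answers together, here is an added example (my own, not code from either answer or from Fluent Security) of a customized AuthorizeAttribute for MVC5 whose AuthorizeCore asks a database-backed permission store whether any of the current user's Master-created roles allows the controller/action being executed. IPermissionStore, DbPermissionAttribute and the HttpContext.Items keys are assumed names; the store would be an Entity Framework class registered with Autofac.

```csharp
using System.Web;
using System.Web.Mvc;

// Assumed interface: an EF-backed implementation, registered with Autofac,
// answers whether any role assigned to userName permits controller/action.
// Unknown users and unlisted routes must return false (deny by default).
public interface IPermissionStore
{
    bool UserMayAccess(string userName, string controller, string action);
}

// Usage on a controller or action:  [DbPermission]
public class DbPermissionAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // MVC caches attribute instances and shares them between requests,
        // so the route being executed is passed per request through
        // HttpContext.Items instead of being stored in a field.
        filterContext.HttpContext.Items["perm.controller"] =
            filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        filterContext.HttpContext.Items["perm.action"] =
            filterContext.ActionDescriptor.ActionName;
        base.OnAuthorization(filterContext);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Anonymous users are denied first, exactly as stock [Authorize] does.
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated)
            return false;

        // Resolved through MVC's DependencyResolver (Autofac in the question).
        var store = DependencyResolver.Current.GetService<IPermissionStore>();
        return store.UserMayAccess(
            httpContext.User.Identity.Name,
            (string)httpContext.Items["perm.controller"],
            (string)httpContext.Items["perm.action"]);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but not permitted: answer 403 rather than redirecting
        // to the login page, which is what the base class would do.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Because the lookup runs on every request, cache the role-to-route table per user (and invalidate it when a Master edits a profile) rather than hitting the database for each action.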
