How Can I Use Domain Groups as Roles with Fluent Security in ASP.NET MVC 4?

Question

In my ASP.NET MVC 4 application, I am using the intranet template to implement Windows authentication. I am also using Fluent Security.

Out of the box I can use the annotations shown below to limit access to controller methods to either specific domain groups or domain users.

[Authorize(Roles=@"Domain\GroupName")]
public ActionResult Index()
{
    ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application.";

    return View();
}

[Authorize(Users=@"Domain\UserName")]
public ActionResult About()
{
    ViewBag.Message = "Your app description page.";

    return View();
}

How would I limit these two methods to the same domain group and domain user using Fluent Security? I'm more interested in the group than the user if that is any easier. Do I need to build a custom policy? If so, I'm not quite sure how to check if the authenticated user is in a domain group to return the proper role for Fluent Security to use?

I have already gone through the FluentSecurity getting started so I do know the basics of how to implement FluentSecurity, I'm just not sure how to use Domain Groups as roles.

Thanks!

Answer 1

I may have found a way to use domain groups for roles. I have adjusted the extended example from the Fluent Security Getting Started page.

In Global.asax.cs:

SecurityConfigurator.Configure(configuration =>
{
    // Let Fluent Security know how to get the authentication status of the current user
    configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);

    // Let Fluent Security know how to get the roles for the current user
    configuration.GetRolesFrom(System.Web.Security.Roles.GetRolesForUser);

    // This is where you set up the policies you want Fluent Security to enforce
    configuration.For<HomeController>().Ignore();

    configuration.For<AccountController>().DenyAuthenticatedAccess();
    configuration.For<AccountController>(x => x.ChangePassword()).DenyAnonymousAccess();
    configuration.For<AccountController>(x => x.LogOff()).DenyAnonymousAccess();

    configuration.For<BlogController>(x => x.Index()).Ignore();
    configuration.For<BlogController>(x => x.AddPost()).RequireRole(@"Domain\Writers");
    configuration.For<BlogController>(x => x.AddComment()).DenyAnonymousAccess();
    configuration.For<BlogController>(x => x.DeleteComments()).RequireRole(@"Domain\Writers");
    configuration.For<BlogController>(x => x.PublishPosts()).RequireRole(@"Domain\Owners");

    // To authorize the Home Controller Index Action as in my original question
    configuration.For<HomeController>(c => c.Index()).RequireRole(@"Domain\GroupName");
});

GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);

In Web.config:

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
<roleManager defaultProvider="WindowsProvider"
      enabled="true"
      cacheRolesInCookie="false">
  <providers>
    <add
      name="WindowsProvider"
      type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

I haven't found a way of authorizing a single user, but we all know it is generally best practice to use groups anyway.

Are there any better ways of doing this?