How Can I Use Domain Groups as Roles with Fluent Security in ASP.NET MVC 4?

In my ASP.NET MVC 4 application, I am using the intranet template to implement Windows authentication. I am also using Fluent Security.

Out of the box I can use the annotations shown below to limit access to controller methods to either specific domain groups or domain users.

[Authorize(Roles=@"Domain\GroupName")]
public ActionResult Index()
{
    ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application.";

    return View();
}

[Authorize(Users=@"Domain\UserName")]
public ActionResult About()
{
    ViewBag.Message = "Your app description page.";

    return View();
}

How would I limit these two methods to the same domain group and domain user using Fluent Security? I'm more interested in the group than the user if that is any easier. Do I need to build a custom policy? If so, I'm not quite sure how to check whether the authenticated user is in a domain group in order to return the proper role for Fluent Security to use.

I have already gone through the FluentSecurity getting started, so I do know the basics of how to implement FluentSecurity; I'm just not sure how to use domain groups as roles.

Thanks!

Michael Carrabine asked Nov 15 '12 19:11


1 Answer

I may have found a way to use domain groups for roles. I have adjusted the extended example from the Fluent Security Getting Started page.

In Global.asax.cs:

SecurityConfigurator.Configure(configuration =>
{
    // Let Fluent Security know how to get the authentication status of the current user
    configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);

    // Let Fluent Security know how to get the roles for the current user
    configuration.GetRolesFrom(System.Web.Security.Roles.GetRolesForUser);

    // This is where you set up the policies you want Fluent Security to enforce
    configuration.For<HomeController>().Ignore();

    configuration.For<AccountController>().DenyAuthenticatedAccess();
    configuration.For<AccountController>(x => x.ChangePassword()).DenyAnonymousAccess();
    configuration.For<AccountController>(x => x.LogOff()).DenyAnonymousAccess();

    configuration.For<BlogController>(x => x.Index()).Ignore();
    configuration.For<BlogController>(x => x.AddPost()).RequireRole(@"Domain\Writers");
    configuration.For<BlogController>(x => x.AddComment()).DenyAnonymousAccess();
    configuration.For<BlogController>(x => x.DeleteComments()).RequireRole(@"Domain\Writers");
    configuration.For<BlogController>(x => x.PublishPosts()).RequireRole(@"Domain\Owners");

    // To authorize the Home Controller Index Action as in my original question
    configuration.For<HomeController>(c => c.Index()).RequireRole(@"Domain\GroupName");
});

GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);

In Web.config:

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
<roleManager defaultProvider="WindowsProvider"
      enabled="true"
      cacheRolesInCookie="false">
  <providers>
    <add
      name="WindowsProvider"
      type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

I haven't found a way of authorizing a single user, but we all know it is generally best practice to use groups anyway.

Are there any better ways of doing this?

Michael Carrabine answered Sep 22 '22 06:09
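As an added example (not code from the original question or answer), this is an alternative role source for `GetRolesFrom` that reads the domain groups straight off the authenticated `WindowsIdentity` instead of going through `WindowsTokenRoleProvider`. It assumes Windows authentication is on so `HttpContext.Current.User.Identity` is a `WindowsIdentity`; the class name `DomainGroupRoles` and the helper names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;

// Added example: turns the current Windows user's group SIDs into
// "DOMAIN\Group" strings so FluentSecurity's RequireRole(@"Domain\GroupName")
// can match them. Class and method names are hypothetical.
public static class DomainGroupRoles
{
    // Delegate for configuration.GetRolesFrom(...) in Global.asax.cs.
    public static object[] GetCurrentUserRoles()
    {
        var identity = HttpContext.Current.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.Groups == null)
            return new object[0]; // anonymous or non-Windows principal: no roles

        return RolesFromGroups(identity.Groups);
    }

    // Translates each group SID to an NT account name. A SID for a group that
    // has since been deleted throws IdentityNotMappedException; it is skipped
    // rather than failing authorization for the whole request.
    public static object[] RolesFromGroups(IEnumerable<IdentityReference> groups)
    {
        var roles = new List<object>();
        foreach (var group in groups)
        {
            try
            {
                roles.Add(group.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // unresolved SID cannot match any configured role name
            }
        }
        return roles.ToArray();
    }
}

// Wiring in Global.asax.cs, in place of Roles.GetRolesForUser from the answer:
// configuration.GetRolesFrom(DomainGroupRoles.GetCurrentUserRoles);
```

The role strings come back in the form `NTAccount` produces (NetBIOS domain name, backslash, group name), so spell the names passed to `RequireRole` the same way; if a policy unexpectedly denies access, log the output of `GetCurrentUserRoles()` for the affected user and compare it character by character against the configured role.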