Menu
We understand how to implement authentication and authorization in ASP.NET identity with the WebApi. For instance, we can log a user in and then retrieve both his secure token and role.
We now want to add permissions. For instance, user steve may be in the admin role. Now we want to assign read, edit, and delete permissions to the admin role. How do we do that in ASP.NET Identity? Is there existing permissions infrastructure in ASP.NET Identity?
537
Authentication is knowing the identity of the user. For example, Alice logs in with her username and password, and the server uses the password to authenticate Alice. Authorization is deciding whether a user is allowed to perform an action. For example, Alice has permission to get a resource but not create a resource.
In short, permission-based access control defines permissions to each system's user. On the other hand, role-based access control specifies permissions to a set of roles of a system, roles assigned to each user.
I extended ASP.NET Identity to allow for permissions as you describe it. I did it to decouple the security model from your application model. The problem with the traditional approach of putting roles in an AuthorizeAttribute is you have to design your security model the same time as you design your application, and if you make any changes you have to recompile and redeploy your application. With the approach I came up with you define resources and operations in a custom AuthorizeAttribute, where operations are analogous to permissions. Now you decorate methods like this:
[SimpleAuthorize(Resource = "UserProfile", Operation = "modify")]
public ActionResult ModifyUserProfile()
{
ViewBag.Message = "Modify Your Profile";
return View();
}
Then you can assign a resource/operation to a role in the database, configuring your security model during deployment and can modify it without redeployment. I wrote about this approach using SimpleMembership here. And later ported it to ASP.NET Identity here. The articles have links to the full source code with reference applications.
194
You should extend the Identity classes and add this functionality to that. roles and permissions have a many-to-many relation together so you should change the IdentityRole class as something like this:
public class IdentityRole<TKey, TRolePermission>
{
public string Title { get; set; }
public virtual ICollection<TRolePermission> Permissions { get; set; }
}
As you can see you want a intermediate object and table named RolePermission. And the Permission class can look like something like this:
public class IdentityPermission<TKey, TRolePermission>
{
public virtual TKey Id { get; set; }
public virtual string Name { get; set; }
public virtual string Description { get; set; }
public virtual ICollection<TRolePermission> Roles { get; set; }
}
Then you should create custom AuthorizeAttribute to execute authentication check on the controllers and actions. that could be somthing like this:
public class AuthorizePermissionAttribute : AuthorizeAttribute
{
public string Name { get; set; }
public string Description { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return base.AuthorizeCore(httpContext)
&& Task.Run(() => httpContext.AuthorizePermission(Name, Description, IsGlobal)).Result;
}
}
You can override the AuthorizeCore method to add the permission authentication to the normal Role-based authentication. Although you can do this easily, i implemented it as an open source Permission-based Identity extension here and you can use it direclty or get inspired from that to do it on your own.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
