Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Implementing role-based authorization using .NET MVC 5

Tags:

c#

asp.net

asp.net-mvc

roles

asp.net-mvc-4

I would like to implement a role-based authorization in my web application that I'm building. The way I imagined to make this is to create 3 tables in my DB like following:

1. Roles
2. UserRoles (many to many table)
3. Users

After that each user would have a role assigned to him. Now... My question is, How do I permit or forbid access to specific views/controllers inside my .NET MVC application. I've stumbled upon this:

[Authorize(Roles = "HrAdmin, CanEnterPayroll")]
[HttpPost]
public ActionResult EnterPayroll(string id)
{
    //  . . . Enter some payroll . . . 
}

The Authorize property seems to be limiting the specific controllers/actions to specific roles... But what if I read the user roles from the table UserRoles like in my case?? How is my application gonna know what role does the User have on the system ??

Can someone help me out with this ?

like image 316
User987 Avatar asked Oct 27 '16 09:10

User987

People also ask

How will you implement role based authorization in MVC 5?

Choose MVC5 Controller with views, using Entity Framework and click "Add". After clicking on "Add", another window will appear. Choose Model Class and data context class and click "Add". The EmployeesController will be added under the Controllers folder with respective views.

How MVC authorization is implemented?

Authorization in MVC is controlled through the AuthorizeAttribute attribute and its various parameters. At its simplest applying the AuthorizeAttribute attribute to a controller or action limits access to the controller or action to any authenticated user.

How is role based authentication implemented?

5 Steps to Implement Role-Based Access ControlCreate a mapping of roles to resources from step 1 such that each function can access resources needed to complete their job. Create security groups that represent each role. Assign users to defined roles by adding them to the relevant role-based groups.

2 Answers

Lets pretend you have stored your UserName and Roles in Session:

[AllowAnonymous]
[HttpGet]
public ActionResult Login()
{
    . . . .

    string userName = (string)Session["UserName"];
    string[] userRoles = (string[])Session["UserRoles"];

    ClaimsIdentity identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);

    identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userName));

    userRoles.ToList().ForEach((role) => identity.AddClaim(new Claim(ClaimTypes.Role, role)));

    identity.AddClaim(new Claim(ClaimTypes.Name, userName));

    AuthenticationManager.SignIn(identity);

    . . . .
}
like image 149
SᴇM Avatar answered Oct 17 '22 05:10

SᴇM

if you Authorize a role to access a controller ( at class level ) or a action ( function level ) they roles will have access. otherwise the access is denied.

if you use just the Authorize keyword without specifying the roles or users, all authenticated users will have access.

hope fully i am making it clear ?

to use claims based identity refer to the following

https://msdn.microsoft.com/en-gb/library/ee517291.aspx

https://msdn.microsoft.com/en-gb/library/ff359101.aspx

this is on Core

What is the claims in ASP .NET Identity

like image 30
Emil Avatar answered Oct 17 '22 06:10

Emil
Sign in to Comment

Related questions

Deserializing LocalTime from JSON using JSON.NET and NodaTime results in NodaTime.Text.UnparsableValueException
DataGridCheckBoxColumn loses IsReadOnly state when applying ElementStyle
Possible risks of turning off AutoDetectChangesEnabled in Entity Framework
EmailAttribute is not validating correctly in a ViewModel from ASP.NET Core
Why is the synchronization context null even when I try to change UI from a worker and why does the worker wait on the UI thread even when I don't?
How to force reload of NLog configuration file?
Are static methods with out arguments thread safe?
Running (one pass) calculation of covariance
How can I programmatically get the title of Microsoft knowledge base article by KB number?
Identity Server and web api for user management
The specified task executable location "C:\Program Files (x86)\Java\jdk1.7.0_71\\bin\javac.exe" is invalid
Is code coverage included with Visual Studio Team Services (Visual Studio Online) packages
How do I validate an SQL query before executing it using C#
"dynamic" keyword with builder pattern hides extension method [duplicate]
Injecting Dependency programmatically asp.net core
c# How to get the version of This current executable .exe
Invalid output with inherit class
.Net regex matching $ with the end of the string and not of line, even with multiline enabled
Get connection string in .NET Core application
Detect when a specific window in another process opens or closes

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!