Implementing role-based authorization using .NET MVC 5

I would like to implement role-based authorization in the web application that I'm building. The way I imagined doing this is to create 3 tables in my DB like the following:

1. Roles
2. UserRoles (many to many table)
3. Users 

After that each user would have a role assigned to him. Now, my question is: how do I permit or forbid access to specific views/controllers inside my .NET MVC application? I've stumbled upon this:

[Authorize(Roles = "HrAdmin, CanEnterPayroll")]
[HttpPost]
public ActionResult EnterPayroll(string id)
{
    //  . . . Enter some payroll . . . 
}

The Authorize attribute seems to limit specific controllers/actions to specific roles. But what if I read the user roles from the table UserRoles, as in my case? How is my application going to know what role the user has on the system?

Can someone help me out with this?

User987 asked Oct 27 '16 09:10

2 Answers

Let's pretend you have stored your UserName and Roles in Session:

using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// OWIN authentication manager, as wired up by the MVC 5 project template (assumed here).
private IAuthenticationManager AuthenticationManager => HttpContext.GetOwinContext().Authentication;

[AllowAnonymous]
[HttpGet]
public ActionResult Login()
{
    // . . . .

    string userName = (string)Session["UserName"];
    string[] userRoles = (string[])Session["UserRoles"];

    // Cookie-based identity; each Role claim below is what [Authorize(Roles = "...")] checks via IsInRole.
    ClaimsIdentity identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);

    identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userName));

    // One Role claim per role name read from your own UserRoles table.
    userRoles.ToList().ForEach((role) => identity.AddClaim(new Claim(ClaimTypes.Role, role)));

    identity.AddClaim(new Claim(ClaimTypes.Name, userName));

    AuthenticationManager.SignIn(identity);

    // . . . .
}
SᴇM answered Oct 17 '22 05:10

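Putting the answer above together with the original question, here is an added example (not code from the question or from either answer) showing how roles read from your own UserRoles table become Role claims that [Authorize(Roles = "...")] later checks. IUserRoleStore, AccountController and PayrollController are assumed names; password verification is out of scope and assumed to happen before SignInWithDatabaseRoles is called.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// Hypothetical lookup over the Users / UserRoles / Roles tables (EF, Dapper, ADO.NET: your choice).
public interface IUserRoleStore
{
    IEnumerable<string> GetRoleNames(string userName);
}

public class AccountController : Controller
{
    private readonly IUserRoleStore _roleStore;   // assumed to be injected by your DI container

    public AccountController(IUserRoleStore roleStore) { _roleStore = roleStore; }

    // OWIN authentication manager, as wired up by the MVC 5 project template.
    private IAuthenticationManager AuthenticationManager =>
        HttpContext.GetOwinContext().Authentication;

    // Call this only after the user's credentials have been verified (not shown).
    private void SignInWithDatabaseRoles(string userName)
    {
        var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userName));
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));

        // One Role claim per UserRoles row. AuthorizeAttribute.Roles is matched against these
        // through IPrincipal.IsInRole (ordinal, case-sensitive), so no custom filter is needed.
        foreach (var role in _roleStore.GetRoleNames(userName).Distinct())
            identity.AddClaim(new Claim(ClaimTypes.Role, role));

        // The roles are frozen into the cookie at sign-in: a role revoked in the DB only takes
        // effect on the next sign-in, so keep the cookie lifetime short for sensitive roles.
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
    }
}

public class PayrollController : Controller
{
    [Authorize(Roles = "HrAdmin,CanEnterPayroll")]   // comma list: ANY listed role is enough
    public ActionResult EnterPayroll() { return View(); }

    [Authorize(Roles = "HrAdmin")]
    [Authorize(Roles = "CanEnterPayroll")]           // stacked attributes: BOTH roles are required
    public ActionResult ApprovePayroll() { return View(); }
}
```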

If you Authorize a role to access a controller (at class level) or an action (function level), those roles will have access; otherwise the access is denied.

If you use just the Authorize keyword without specifying the roles or users, all authenticated users will have access.

Hopefully I am making it clear?

To use claims-based identity, refer to the following:

https://msdn.microsoft.com/en-gb/library/ee517291.aspx

https://msdn.microsoft.com/en-gb/library/ff359101.aspx

This is on Core:

What are the claims in ASP.NET Identity

Emil answered Oct 17 '22 06:10
