What is the best way to assign security logic to a method in ASP.NET WebForms? Where instead of checking under each method if the user is logged in, can't we use method attributes? Example, instead of doing this:
protected override void OnInit(EventArgs e)
{
base.OnInit(e);
if (!UserLoggedIn)
{
Response.Redirect("/login");
}
//Do stuff
}
I would like to do something like below. I've seen it done in ASP.NET MVC apps but I wonder if I can pull it off with webforms. And also what would be the best practice for ensuring only an authenticated user can continue and others get redirected to login page?
Ex: Desired. Where Secure is a method attribute:
[Secure]
protected override void OnInit(EventArgs e)
{
base.OnInit(e);
//Do stuff
}
How do I go about creating such method attribute? And if that is not possible, how would you recommend I do it? I have many usercontrols that need this on page_load or oninit and I am looking for a better way to do it.
Declare your attribute
[AttributeUsage(AttributeTargets.Class)]
public class SecureAttribute: Attribute
{
}
Create custom base page class for all forms
public class PageBase: Page
{
protected override void OnInit(EventArgs e)
{
base.OnInit(e);
var secureAttr = Attribute.GetCustomAttribute(this.GetType(), typeof (SecureAttribute));
if (secureAttr != null)
{
bool UserLoggedIn = false; // get actual state from DB or Session
if (!UserLoggedIn)
{
Response.Redirect("/login");
}
}
}
}
Inherit all your forms from the PageBase
[Secure]
public partial class Profile: PageBase
{
}
Create similar UserControlBase for user controls.
One possible solution would be a PageBase helper class, to avoid checking that condition on every single page in your ASP.NET web forms, and just inherit the page base in your aspx.cs classes. Something like the code below:
For example, you want to make sure that some web forms are only accessible by Admin users; then you could have an AdminPageBase class to check this condition for all of your web pages.
Your base class:
public class AdminPageBase : System.Web.UI.Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        if (!Context.User.Identity.IsAuthenticated || !HttpContext.Current.User.IsInRole(Roles.Admin.ToString()))
        {
            this.RedirectToLogin();
        }
    }

    protected void RedirectToLogin()
    {
        //...
        Response.Redirect("~/SignIn.aspx");
    }
}
Note: Roles.Admin.ToString() is an enum, but you can also use a plain string if you like
And in your web form classes you only inherit this base class, like this:
e.g. AdminPage1.aspx.cs
public partial class AdminPage1 : AdminPageBase
{
    //....
}
e.g. AdminPage2.aspx.cs
public partial class AdminPage2 : AdminPageBase
{
    //....
}
And you could always do the same for all other pages in your solution. You could also change Page_Init to Page_Load in your PageBase class, but the reason I have chosen Page_Init is that you may need the Page_Load event to check other things on your page, so Page_Init is a good place to check your website security.
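The following is an added example that combines the two answers above (the class-level attribute from the first, the role check from the second) and extends it to user controls; it is not code from either answer. Everything named here (SecureAttribute.Roles, AuthorizationGuard, SecurePageBase, SecureUserControlBase, the sample page and control classes) is an assumption for illustration. It uses only System.Web types that exist in WebForms: FormsAuthentication.LoginUrl for the redirect target, HttpException(403, ...) to stop the request for an authenticated user who lacks the role, and Page.OnPreInit so the page check runs before any child control has initialised.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example (not from the answers). Names below are assumptions.

// Class-level marker. Roles is optional: empty means "any authenticated user";
// otherwise a comma-separated list, any one of which is sufficient.
// Inherited = true matters: the runtime type of a page is the ASP.NET-generated
// subclass of your code-behind class, so the attribute must be visible through inheritance.
[AttributeUsage(AttributeTargets.Class, Inherited = true, AllowMultiple = false)]
public sealed class SecureAttribute : Attribute
{
    public string Roles { get; set; }
}

internal static class AuthorizationGuard
{
    // Runs the check for a page or user control. Either returns normally (allowed)
    // or terminates the request: Response.Redirect with endResponse=true raises a
    // ThreadAbortException, HttpException(403) is turned into an error response by
    // ASP.NET. In both cases the rest of the control's lifecycle does not run,
    // which is the property we want from a guard.
    public static void Enforce(Control control)
    {
        var attr = (SecureAttribute)Attribute.GetCustomAttribute(
            control.GetType(), typeof(SecureAttribute));
        if (attr == null)
            return; // not marked [Secure]: nothing to enforce

        var context = HttpContext.Current;
        var user = context.User;
        bool authenticated = user != null && user.Identity != null && user.Identity.IsAuthenticated;

        if (!authenticated)
        {
            // Send the user to the login page configured in web.config (<forms loginUrl=...>)
            // and preserve where they were going so the login page can return them.
            string loginUrl = FormsAuthentication.LoginUrl
                + "?ReturnUrl=" + HttpUtility.UrlEncode(context.Request.RawUrl);
            context.Response.Redirect(loginUrl, endResponse: true);
            return; // not reached; Redirect ends the request
        }

        if (string.IsNullOrWhiteSpace(attr.Roles))
            return; // authenticated is enough for this control

        var required = attr.Roles.Split(',')
            .Select(r => r.Trim())
            .Where(r => r.Length > 0);

        if (required.Any(user.IsInRole))
            return; // has at least one of the required roles

        // Authenticated but not authorised: do not bounce back to login (that would
        // loop forever for a logged-in user); fail the request with 403 instead.
        throw new HttpException(403, "You do not have permission to view this page.");
    }
}

// Pages: PreInit fires before InitRecursive, i.e. before any child user control's
// Init. Checking here means nothing on the page has run yet when we refuse.
public abstract class SecurePageBase : Page
{
    protected override void OnPreInit(EventArgs e)
    {
        AuthorizationGuard.Enforce(this);
        base.OnPreInit(e);
    }
}

// User controls have no PreInit; OnInit is the earliest hook. The guard runs before
// base.OnInit so the control's own Init handlers (e.g. Page_Init) never execute
// for an unauthorised request.
public abstract class SecureUserControlBase : UserControl
{
    protected override void OnInit(EventArgs e)
    {
        AuthorizationGuard.Enforce(this);
        base.OnInit(e);
    }
}

// Usage (assumed classes): the code-behind just picks a base class and a marker.
[Secure(Roles = "Admin")]
public partial class AdminReport : SecurePageBase { }

[Secure]
public partial class ProfileWidget : SecureUserControlBase { }
```

One design note: the guard deliberately ends the request instead of returning a flag for the caller to honour, because a base class cannot stop a derived page's Page_Load from running once control returns; with the redirect-and-abort or 403 behaviour, a forgotten check in a derived class cannot reopen the page. If you want to avoid the ThreadAbortException that Redirect throws, the alternative is Response.Redirect(url, false) followed by Context.ApplicationInstance.CompleteRequest(), but then the remaining lifecycle still executes on the server, so every derived page would again have to check the result.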