Windows Authentication and add Authorization Roles through database - MVC asp.net

Question

I am new to mvc4 asp .net and confused with the authentication and authorization. Our's is an internal website that takes username(HttpContext.Current.User.Identity.Name) from windows authentication and check against database if the username exists and what roles the user has. I want to use the global [Authorize] attribute and roles, to give access to controllers. Can anyone help me on how to start with.

For now, I have a function that passes username and get the user data and related roles from database, the query data is added to the model.So, I am using this function to give access to the website but I want to use the same data to check against all controllers and views without querying against db all the time.

Answer 1

You just need to create a custom role provider. You do this by creating a class that inherits from System.Web.Security.RoleProvider and overriding certain members. The below code should get you started. Replace all the throw new NotImplementedException() stuff with your implementation of the function. For example, IsUserInRole you would provide code that would query your database to see if the user is in the specified role.

using System.Web.Security;

namespace MyNamespace
{        
    public class MyRoleProvider : RoleProvider
    {
        public override void AddUsersToRoles(string[] usernames, string[] roleNames)
        {
            throw new NotImplementedException();
        }

        public override string ApplicationName
        {
           get; set;
        }

        public override void CreateRole(string roleName)
        {
            throw new NotImplementedException();
        }

        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
        {
            throw new NotImplementedException();
        }

        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            throw new NotImplementedException();
        }

        public override string[] GetAllRoles()
        {
            throw new NotImplementedException();
        }

        public override string[] GetRolesForUser(string username)
        {
            throw new NotImplementedException();
        }

        public override string[] GetUsersInRole(string roleName)
        {
            throw new NotImplementedException();
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            throw new NotImplementedException();
        }

        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
        {
            throw new NotImplementedException();
        }

        public override bool RoleExists(string roleName)
        {
            throw new NotImplementedException();
        }
    }
}

You may not need to implement all of it. For example, if your application won't be creating or deleting Roles, then no need to do anything with CreateRole or DeleteRole.

You also need to register your role provider with ASP.NET framework so it knows to make use of it. Update your web.config like below.

<configuration>
    <system.web>
        <roleManager defaultProvider="MyRoleProvider" enabled="true">
            <providers>
                <add
                    name="MyRoleProvider"
                    type="MyNamespace.MyRoleProvider"           
                    applicationName="MyApplicationName" />
            </providers>
        </roleManager>
    </system.web>
</configuration>