In WebApi, how & where would I plug in my authorization rules that are based on the resource metadata & audit information.

Here are all the interceptors that I am currently using in my request pipeline:

  1. IHttpModule
  2. Delegating Handlers
  3. Authorization Filter
  4. ActionFilters

Background - My authorization rules around a DELETE request are based on the audit information around the existing resource. For example, a user can only delete the resources that were created by him. So if a request to delete a resource comes from a user (with delete privileges) who has not created it, I should return a 403 error.

I am not aware of a way to access the Model & Repository from any of the 4 handlers that I am already using. Wondering what would be the right way to do it.
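
One way to do the ownership check described in the question, as an added example (not the asker's code): an ASP.NET Web API 2 action filter that resolves the repository from the per-request dependency scope, loads the resource, compares its audit field with the caller, and short-circuits with 403. The `Document` model, `IDocumentRepository`, the `DocumentDeleter` role and the `id` argument name are assumptions for the example. An action filter is used rather than an authorization filter on purpose: Web API binds action arguments only after authorization filters have run, so the bound `id` is only available from an action filter onward.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumed domain model: a resource carrying the audit column the rule depends on.
public class Document
{
    public int Id { get; set; }
    public string CreatedBy { get; set; }   // audit information: user who created it
}

// Assumed repository abstraction, resolved through the Web API dependency resolver.
public interface IDocumentRepository
{
    Task<Document> FindAsync(int id);
    Task DeleteAsync(int id);
}

// Resource-based authorization as an action filter. Action arguments ("id") are
// bound by the time action filters run; they are not yet bound in authorization filters.
public class OwnerOnlyDeleteAttribute : ActionFilterAttribute
{
    public override async Task OnActionExecutingAsync(HttpActionContext actionContext,
                                                      CancellationToken cancellationToken)
    {
        var request = actionContext.Request;
        if (request.Method != HttpMethod.Delete)
        {
            return; // only DELETE is owner-restricted in this example
        }

        var principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        object idValue;
        if (!actionContext.ActionArguments.TryGetValue("id", out idValue) || !(idValue is int))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.BadRequest);
            return;
        }

        // Resolve the repository per request; the attribute instance itself is cached by
        // Web API across requests, so it must not hold request-scoped state.
        var repository = (IDocumentRepository)request.GetDependencyScope()
                                                     .GetService(typeof(IDocumentRepository));
        var document = await repository.FindAsync((int)idValue);
        if (document == null)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.NotFound);
            return;
        }

        // The rule: only the creator may delete. Ordinal comparison avoids culture surprises.
        if (!string.Equals(document.CreatedBy, principal.Identity.Name, StringComparison.Ordinal))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

public class DocumentsController : ApiController
{
    private readonly IDocumentRepository _repository;

    public DocumentsController(IDocumentRepository repository)
    {
        _repository = repository;
    }

    [Authorize(Roles = "DocumentDeleter")] // coarse check: does the caller have delete privileges at all?
    [OwnerOnlyDelete]                       // fine-grained check: is the caller the creator?
    public async Task<IHttpActionResult> Delete(int id)
    {
        await _repository.DeleteAsync(id);
        return StatusCode(HttpStatusCode.NoContent);
    }
}
```

Setting `actionContext.Response` inside `OnActionExecutingAsync` stops the pipeline before the action runs. There is still a window between the filter's lookup and the action's delete, so for defence in depth the repository's delete can also be scoped to the owner (for example `DELETE ... WHERE id = @id AND created_by = @user`) so that the check cannot be bypassed by a concurrent change of the audit field.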

What did you write your authorization rules in? Is that what you are trying to achieve? The pattern I usually recommend is to use XACML (the eXtensible Access Control Markup Language). It's like SAML but for fine-grained authorization instead.

With XACML, you get a Policy Decision Point (PDP - the authorization engine/service) which evaluates your authorization rules. The PDP exposes a yes/no authorization API. All you then need to do is connect your interceptors to that PDP. The interceptors will create the right authorization request and send the request to the PDP.

This means that you are applying the same authorization logic in all 4 of the filters you mentioned:

  1. IHttpModule
  2. Delegating Handlers
  3. Authorization Filter
  4. ActionFilters

XACML is an OASIS standard, just like SAML. You can check out their homepage. I am one of the editors of that standard and - disclaimer - I work for one of the vendors, Axiomatics.

XACML also gives you a fine-grained authorization language. For instance you can implement the following type of rules:

  • a user with the role==manager can do the action==edit on resources of type==documents if and only if document.location==user.location

I hope this helps.

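The interceptor-to-PDP connection the answer describes, as an added example (not the answerer's code and not any vendor's client library): a deny-biased Policy Enforcement Point in C# for ASP.NET Web API 2 that builds a XACML 3.0 decision request in the OASIS JSON profile wire format, posts it to a PDP, and treats anything other than a single explicit `Permit` as a refusal. The PDP URL `https://pdp.example.internal/authorize`, the `application/xacml+json` media type used for the post, and the choice to let the PDP resolve the resource's audit attributes through a Policy Information Point (rather than sending them from the PEP) are assumptions of the example; the attribute identifiers for subject-id, action-id and resource-id are the standard XACML ones. Newtonsoft.Json is used because Web API already depends on it.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Deny-biased Policy Enforcement Point (PEP) that asks a XACML 3.0 PDP for a decision
// using the OASIS JSON profile (Request/Response wire format).
public class XacmlPdpClient
{
    private static readonly HttpClient Http = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };
    private readonly Uri _endpoint; // PDP decision URL: deployment-specific, assumed here

    public XacmlPdpClient(Uri endpoint) { _endpoint = endpoint; }

    // Builds the decision request: who (subject), does what (action), to what (resource).
    // The PEP sends only what it knows; the PDP is assumed to resolve further attributes,
    // such as the resource's created-by audit field, through a Policy Information Point.
    public static string BuildRequest(string subjectId, string actionId, string resourceId)
    {
        var request = new JObject(
            new JProperty("Request", new JObject(
                new JProperty("AccessSubject", Category(
                    Attr("urn:oasis:names:tc:xacml:1.0:subject:subject-id", subjectId))),
                new JProperty("Action", Category(
                    Attr("urn:oasis:names:tc:xacml:1.0:action:action-id", actionId))),
                new JProperty("Resource", Category(
                    Attr("urn:oasis:names:tc:xacml:1.0:resource:resource-id", resourceId))))));
        return request.ToString(Formatting.None);
    }

    private static JObject Category(params JObject[] attributes)
    {
        return new JObject(new JProperty("Attribute", new JArray(attributes)));
    }

    private static JObject Attr(string attributeId, string value)
    {
        return new JObject(new JProperty("AttributeId", attributeId), new JProperty("Value", value));
    }

    // Only a single, explicit "Permit" grants access. Deny, NotApplicable, Indeterminate,
    // a malformed body or an unexpected number of results are all treated as "no".
    public static bool IsPermit(string responseJson)
    {
        JObject response;
        try { response = JObject.Parse(responseJson); }
        catch (JsonException) { return false; }

        var results = response["Response"] as JArray;
        if (results == null || results.Count != 1 || !(results[0] is JObject)) return false;
        return string.Equals((string)results[0]["Decision"], "Permit", StringComparison.Ordinal);
    }

    public async Task<bool> IsPermittedAsync(string requestJson, CancellationToken cancellationToken)
    {
        try
        {
            var content = new StringContent(requestJson, Encoding.UTF8, "application/xacml+json");
            var response = await Http.PostAsync(_endpoint, content, cancellationToken);
            if (!response.IsSuccessStatusCode) return false;
            return IsPermit(await response.Content.ReadAsStringAsync());
        }
        catch (HttpRequestException) { return false; } // PDP unreachable: fail closed
    }
}

// One of the interceptors from the question (an action filter) wired to the PDP.
// Applied to an action such as Delete(int id); the bound "id" becomes the resource-id.
public class XacmlAuthorizeAttribute : ActionFilterAttribute
{
    private static readonly XacmlPdpClient Pdp =
        new XacmlPdpClient(new Uri("https://pdp.example.internal/authorize")); // assumed URL

    public override async Task OnActionExecutingAsync(HttpActionContext actionContext,
                                                      CancellationToken cancellationToken)
    {
        var request = actionContext.Request;
        var principal = actionContext.RequestContext.Principal;
        object idValue;
        bool hasId = actionContext.ActionArguments.TryGetValue("id", out idValue);
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated || !hasId)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
            return;
        }

        var xacmlRequest = XacmlPdpClient.BuildRequest(
            principal.Identity.Name,
            request.Method.Method.ToLowerInvariant(), // "delete", "get", ...
            Convert.ToString(idValue));

        if (!await Pdp.IsPermittedAsync(xacmlRequest, cancellationToken))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}
```

The same `XacmlPdpClient` can be called from a `DelegatingHandler` or an `IHttpModule` as well; what changes is only where the subject, action and resource attributes are read from (route data or the URL instead of bound action arguments). The important property is the deny bias: a timeout, a non-2xx response, an `Indeterminate` decision or an unparseable body must all end in 403, never in a fall-through to the action.
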