6

I am implementing the security part of an ASP MVC application and I am getting confused in how to implement a custom membership provider since there seems to be a lot of functionallity that I wouldn't use.

The application I'm porting usually managed the security through an object stored in session called "SecurityManager" which contained the current user and a form permission collection. Each item of this collection contains the permission per form of the logged user and permissions per field of that form (in case they were needed if not full control of the form is assumed).

However, when I see the methods of the MembershipProvider and the AuthorizeAttribute tag they assume that I will use roles which my application does not use, we just have permission groups which are just the permissions grouped together for certain user groups, but they tend to change in time.

So basically the only thing I would need would be something that when a request is made would check if the security manager is stored in session (if it is not the user is not authenticated and will be redirected to the login page) and then get that object from session and perform operation with it to know if the user can or cannot access the view.

What would be the best approach for this? I've read that bypassing the custom membership was not a good idea.

Improve this question

1 Answer 1

Reset to default
1

Update: I recently came up against this and figured out how to use the AuthorizeAttribute to do exactly as you wanted. My attribute, that verifies if the user is an administrator, works as follows:

public class AuthorizeAdminAttribute : AuthorizeAttribute
{
    public bool IsValidUser { get; protected set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) { throw new ArgumentNullException("httpContext"); }

        // Make sure Forms authentication shows the user as authenticated
        if (httpContext.User.Identity.IsAuthenticated == false) return false;

        // Retrieve the unit of work from Windsor, and determine if the current user is an admin
        var unitOfWork = Bootstrapper.WindsorContainer.Resolve<IUnitOfWork>();
        var user = new UserByIdQuery(unitOfWork).WithUserId((int)Membership.GetUser().ProviderUserKey).Execute();

        if (user == null)
            return false;

        // Otherwise the logged in user is a real user in the system
        IsValidUser = true;

        return user.IsAdmin;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext == null) { throw new ArgumentNullException("filterContext"); }

        // If this user is a valid user but not an admin, redirect to the homepage
        if (IsValidUser)
        {
            // Redirect them to the homepage
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "area", "" },
                { "action", "Index" },
                { "controller", "Home" }
            });
        }
        else
        {
            // User isn't logged in, perform normal operations
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

Essentially you have to user the AuthorizeCore() to determine if the user is logged in, store that result, and then perform authorization for the roles in your system. Then in your HandleUnauthorizedRequest you have to figure out if the request was unauthorized because the user wasn't logged in, or if it was because they weren't authorized.

Old Answer I accomplish using the Authorize attribute by creating a subclass of the AuthorizeAttribute class. So for example: 

public class MyCustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) { throw new ArgumentNullException("httpContext"); }

        // Make sure Forms authentication shows the user as authenticated
        if (httpContext.User.Identity.IsAuthenticated == false) return false;

        // replace with whatever code you need to call to determine if the user is authorized
        return IsUserAuthorized();
    }
}

Now when a controller or action is called, and is decorated with [MyCustomAuthorize] it will run this code to determine if the user is authorized based on your custom logic, and if not will redirect them exactly how the [Authorize] attribute would.

I don't know if this is the best approach, but it is what I came up with.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Pardon me if this goes off-track. Whats the difference if I create my own ChkSecurityAttribute inherited from ActionFilterAttribute and check the security in overrided OnActionExecuting event? Whats the benefit of having it inherited from AuthorizeAttribute (and does it require Forms Authentication and/or Membership implemented)? Finally, I'd like to know what is the best place to redirect to "You do not have access" page when user is not authorized. Thank you.
I honestly don't know except maybe less manual work. For example, if you create your own action filter you have to put in your own Roles property for the attribute to take in or any other AuthorizeAttribute property you wish to use as well (which admittedly isn't hard). To handle authorization issues (user is logged in but doesn't have access) you need to return a 403 http result, though I'm not sure how to do that from the AuthorizeAttribute, and it may be easier from a custom action filter
Also I wouldn't be afraid to work outside of the Asp.NET membership framework for authorization when needed. The membership provider system is mostly to allow a common interface to authentication/authorization, but by you using a custom provider you are already showing that your requirements are outside the scope of the default providers, and the likely hood of you changing to another non-custom provider is pretty nil at that point.
Thank you for detailed info. Yes, I haven't been a fan of Membership APIs since past so I was looking for something separate if everything can be handled manually in the action filter of this custom attribute (I can roles as string array) - I've to figure out if a simple redirect to "No access" page would work or not. My authentication/authorization is set in a Session variable as the user logs in (again no Membership here). I'm happy use 'AuthorizeAttribute' but can I accomplish this 'without' Membership or would this demand a Custom Membership provider (and Roles provider) implementation.
I don't see any reason you couldn't accomplish this outside the Membership API, and I don't really see a reason it would be more difficult by just creating your own action filters.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.