MVC 5 Role based Permissions (Authorization) - model-view-controller

I want to implement role-based authorization in MVC 5; I am using ASP.NET Identity 2.0 for user authentication.
Please suggest how to implement this using the Authorize attribute or any other possible way.
I also want to store user rights after login and do not want to fetch them from the database again and again while authorizing on a controller action. (I don't want to use Session.)

I probably am not understanding the depth of your question, but I see that your Authorize statement is slightly incorrect.
Try [Authorize(Roles="admin")]
It uses Microsoft.AspNetCore.Authorization;
There's also a Policy Based Authorization. [Authorize(Policy = "Seniors")]
I also found an answer here that may be of interest to you; it speaks of customizing role permissions: create custom authorize attribute
The trick will be to assign the user a role, then use 'Authorize' on the action methods or on the page, or even in the view HTML by testing whether the user IsInRole, like:
@if (User.IsInRole("admin")) { Add HTML here }
And if you do use 'Roles', remember that you can add multiple roles to the 'Authorize' tag, something like [Authorize(Roles="admin, staff, user")] etc.
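To cover the second half of the question (keeping the rights out of the database and out of Session), the following added example, not taken from the answers above, puts the user's permissions into the Identity 2.0 authentication cookie as claims at sign-in and checks them with a custom attribute. `ApplicationUser`, `IPermissionRepository` and the claim type `urn:myapp:permission` are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// Assumed: ApplicationUser is the Identity 2.0 user class and IPermissionRepository
// is a hypothetical lookup over the Users-Roles-Permissions tables.
public interface IPermissionRepository { string[] GetPermissionsForUser(string userId); }

public static class PermissionSignIn
{
    public const string ClaimType = "urn:myapp:permission";   // hypothetical claim type

    // Called once, after the password check succeeds. The rights are written into the
    // auth cookie as claims, so later requests read them from the cookie, not the DB.
    public static async Task SignInAsync(UserManager<ApplicationUser> userManager,
        IAuthenticationManager auth, IPermissionRepository repo, ApplicationUser user)
    {
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(
            user, DefaultAuthenticationTypes.ApplicationCookie);
        foreach (string permission in repo.GetPermissionsForUser(user.Id))
            identity.AddClaim(new Claim(ClaimType, permission));
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
    }
}

// Usage: [PermissionAuthorize("CustomerEdit")] on a controller or an action.
public class PermissionAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _permission;
    public PermissionAuthorizeAttribute(string permission) { _permission = permission; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;      // not signed in
        var identity = httpContext.User.Identity as ClaimsIdentity;
        return identity != null && identity.HasClaim(PermissionSignIn.ClaimType, _permission);
    }

    // Signed in but lacking the right: answer 403 instead of redirecting to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Because the rights live in the cookie, a change in the permission tables only takes effect at the next sign-in (or when the Identity security-stamp validator regenerates the identity), and a user with very many permissions will produce a large cookie.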

Related

Validation in Spring with different Roles

I'm just trying to understand the "Validation" within Spring MVC. I set up a small validation form, which is working just fine. However, I have a couple of questions that all those tutorials don't answer.
As far as I understood, the Validator just gets every form element that was altered and checks whether it is valid or not. What if I want a user to only be able to alter specific form elements?

Let's say I have an Admin and a regular User on my web page; they both are allowed to edit their profiles. The admin, however, is allowed to alter his username; the regular user isn't allowed to do that. They both use the "edit-profile.jsp" and therefore the same Validator. I could just grey out the username field in my regular user's view, but let's assume he's not a total BDU and adds a form field via the debugger of his web browser, overriding the actual username input field. He then alters his username and sends the request to MVC. The validator assumes the altered username came from the original input field and updates the user's nickname in the DB accordingly, since both the admin and the regular user use the same Validator and the same "updateAllAltered" DAO method.

The same goes for select option lists. Let's say the Admin is allowed to set the status of a profile to active AND inactive. The user, however, is only allowed to set his own profile to inactive but can't reactivate it by himself. I could do the same as above, just altering the option panel in the frontend to only show "INACTIVE" in the regular user's dropdown box. But we could repeat the same scenario, where the user just adds a debug form field also containing the option "ACTIVE". This can get out of hand if e.g. the Admin is allowed to change roles to "admin, member, moderator", while a user who is, say, a moderator within a forum can change roles to "member or moderator". He could just again add another field, plug in "admin" and gain total control of the forum.
How is this handled in Spring?
Basically you have to handle this with Spring Security for your use case; design your application security, and you will find basic Spring Security examples easily.
For example, you can block your HTML code in JSP with Spring Security tags by user roles.
<sec:authorize access="hasAnyRole('ROLE_ADMIN')">
    Delete
</sec:authorize>
You can annotate any of your methods by roles to block access.
@Secured({ "ROLE_ADMIN" })

Permission Based Authorization in MVC3

I am trying to use a custom permission-based authentication where I have the Users-Roles-Permissions tables defined. I need to restrict access based on the permissions: CustomerEdit, CustomerView, CustomerDelete etc.
I have already read about role-based access using custom attributes.
The problem I see with this is that I have to decorate each controller action with the attribute.
Is there another method to do this?
You could look at Fluent Security (http://www.fluentsecurity.net/getting-started). It is configurable in code.

Custom Authorization inside REST Service + MVC 3

We have implemented a REST-based architecture for our ASP.NET MVC3 app.
We are pondering the architectural decision to implement custom authorization for the contracts we are exposing through our service.
E.g. any valid authenticated user may get access to a particular method implementation of the contract and might want to access some other user's info (getting a list of items from the data through a stored proc). After we get back this item list we need to check whether this authenticated user has proper permissions to access it. The permission check is based on heavy business logic, hence attribute-based authorization might not be helpful in this scenario, as only after getting back the data can we decide the access permission check.
Please advise how to implement this security model inside our REST service.
Since attribute-based auth seemingly won't work for you, you'll need to determine whether they fit the role you need:
HttpContext.Current.User.IsInRole()
After that your controller simply returns an HttpUnauthorizedResult which is an ActionResult.
So check your business logic, if they aren't authorized, then return HttpUnauthorizedResult and you are done.
http://msdn.microsoft.com/en-us/library/system.web.mvc.httpunauthorizedresult.httpunauthorizedresult(v=vs.98).aspx
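The pattern the answer describes, as an added example that is not part of the original answer: the action fetches the rows first, applies the business rule to what came back, and only then decides the result. `Item`, `IItemRepository`, `ICurrentUser` and the "Supervisor" role are assumptions standing in for the stored procedure and the heavy business logic of the question.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Assumed stand-ins: Item is a row from the stored procedure, IItemRepository wraps
// the stored-proc call, ICurrentUser maps the principal to its database id.
public class Item { public int Id { get; set; } public int OwnerId { get; set; } public bool Shared { get; set; } }
public interface IItemRepository { IList<Item> GetItemsForUser(int userId); }
public interface ICurrentUser { int IdOf(IPrincipal principal); }

public class ItemsController : Controller
{
    private readonly IItemRepository _items;
    private readonly ICurrentUser _current;
    public ItemsController(IItemRepository items, ICurrentUser current) { _items = items; _current = current; }

    // GET /Items/ForUser?userId=42 : any authenticated caller reaches the action, but
    // whether they may see the result is decided only after the data has been retrieved.
    [Authorize]
    public ActionResult ForUser(int userId)
    {
        IList<Item> items = _items.GetItemsForUser(userId);
        int callerId = _current.IdOf(User);

        if (!items.All(i => MayView(callerId, i)))
            return Forbid();
        return Json(items, JsonRequestBehavior.AllowGet);
    }

    // The rule is evaluated per row: the owner, a supervisor, or anyone for shared items.
    private bool MayView(int callerId, Item item)
    {
        return item.Shared || item.OwnerId == callerId || User.IsInRole("Supervisor");
    }

    // HttpUnauthorizedResult is a 401, which forms authentication turns into a 302 to
    // the login page; an already authenticated REST caller should get a 403 instead.
    private ActionResult Forbid()
    {
        if (User.Identity.IsAuthenticated)
            return new HttpStatusCodeResult(403);
        return new HttpUnauthorizedResult();
    }
}
```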

Restricting access to controller methods in ASP.NET MVC 3

I have a site with a page that contains some tabs, and when selecting one, its content is retrieved from the server using an AJAX call. Every tab is loaded through a different controller. For example, I have a Customer page which contains Products and Clients tabs.
The site has different types of users with different permission levels.
What I want to do is to protect the controllers, and show the content of the tabs only if the logged-in user has permission. So if a user without permission enters the URL of the controller, it should redirect to the login page. The URL is like this:
http://localhost/MyApp/Products/1
where 1 is the database ID of the product.
I can implement these 2 solutions, but neither of them is optimal:
1. Use the ChildActionOnly attribute. I would mark the actions of the Product controller with this attribute and render the tabs from the main view using RenderAction. But it would mean that all the tabs on the page would have to be rendered, which is not optimal because I only want to load the data when the user clicks on the tab.
2. On every request to the Product controller, I would make a database query using the ID of the record to check whether the user has permission to access it. But this means that for every request I would have to run an extra query.
I'm wondering if there is a better approach to this.
Similar to what Romias has suggested. You can combine the Authorize meta-attribute with a custom IAuthorizationFilter filter.
When you implement the Authorize meta-attribute you specify a list of users or roles that should have permission to that action. This lacks the ability to use a database to specify which IDs a user should have access to.
It is this ID-to-user mapping where the IAuthorizationFilter comes into play. In the filter you can check the current user against the database.
A sample IAuthorizationFilter and its usage can be found on the following page:
http://geekswithblogs.net/brians/archive/2010/07/08/implementing-a-custom-asp.net-mvc-authorization-filter.aspx
Have you tried using the Authorize filter to decorate the controllers you want to protect?
[Authorize(Roles = "UserType1")]
You could also extend the Authorize filter to add your own logic.
Here you can see an example of extending the Authorize filter: https://stackoverflow.com/a/428266/7720
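The ID-to-user check described in the first answer, as an added example that is neither from the answers nor from the linked blog post: an IAuthorizationFilter that reads the record id from the route (`/Products/1`) and asks one lookup whether the current user may open it. `IProductAccess` is a hypothetical repository; unauthenticated callers and callers without access get a 401, which forms authentication turns into the redirect to the login page the question asks for.

```csharp
using System.Web.Mvc;

// Assumed: IProductAccess answers "may this user open product N?" with a single
// indexed query (or a cached lookup) against the permissions tables.
public interface IProductAccess { bool UserCanView(string userName, int productId); }

// Usage: [ProductAccess] on ProductsController or on its Index/Details actions.
public class ProductAccessAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // 401: forms authentication redirects the browser to the login page.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // The id is taken from the route, never from a form field the client controls.
        int productId;
        object raw = filterContext.RouteData.Values["id"];
        if (raw == null || !int.TryParse(raw.ToString(), out productId))
        {
            filterContext.Result = new HttpNotFoundResult();
            return;
        }

        var access = DependencyResolver.Current.GetService<IProductAccess>();
        if (!access.UserCanView(user.Identity.Name, productId))
        {
            // Authenticated but not permitted for this record. The question wants the
            // login page, so keep the 401; for an AJAX tab a 403 is usually more useful,
            // because a 302 to the login page would put login HTML inside the tab.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}
```

This still costs one query per request, but it is a single indexed lookup keyed on (user, id) rather than loading the record, and the result can be cached per user if the permission set changes rarely.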

Using global filters to apply role authorization to entire mvc app

I'm using a global authorization filter on my MVC app to ensure that users are authenticated before they access my app, but I'd like to take it one step further. I have three AD groups that the users can potentially be a member of, and I'd like the global filter to check for one of those three groups as well.
I do not want to add three Authorize attributes to every controller in my application. How would I write the global filter to include role authorization?
Thanks!
You can configure a role-based membership provider, which essentially will call an Authorize service with your custom logic, and you can specify the roles you need to check against in a config file. This entire logic can be encapsulated inside an attribute decorated over the routes.
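As an added example (not from either answer), the following filter serves both this question and the "Permission Based Authorization in MVC3" one above: it is registered once as a global filter, reads the allowed AD groups from a config file, and maps controllers to the permission they require by convention, so no individual action needs an attribute. The `AllowedAdGroups` appSetting, the group names, the `ControllerPermissions` table and `HasPermission` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Registered once in Application_Start: GlobalFilters.Filters.Add(new GlobalRoleFilter());
// Assumed web.config entry:
//   <add key="AllowedAdGroups" value="DOMAIN\App-Admins;DOMAIN\App-Staff;DOMAIN\App-Users" />
public class GlobalRoleFilter : IAuthorizationFilter
{
    private static readonly string[] AllowedGroups =
        (ConfigurationManager.AppSettings["AllowedAdGroups"] ?? string.Empty)
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);

    // Convention: controller name -> permission required to reach it. Controllers not
    // listed only need membership in one of the AD groups.
    private static readonly Dictionary<string, string> ControllerPermissions =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Customer", "CustomerView" },
            { "CustomerAdmin", "CustomerEdit" },
        };

    // Hypothetical: swap in a lookup against the Users-Roles-Permissions tables or a
    // permission claim; here permissions are exposed as roles by the role provider.
    private static readonly Func<IPrincipal, string, bool> HasPermission = (u, p) => u.IsInRole(p);

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Let actions marked [AllowAnonymous] (e.g. the login page) through.
        if (filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true))
            return;

        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated || !AllowedGroups.Any(user.IsInRole))
        {
            filterContext.Result = new HttpUnauthorizedResult();     // 401: not in any group
            return;
        }

        string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        string required;
        if (ControllerPermissions.TryGetValue(controller, out required) && !HasPermission(user, required))
            filterContext.Result = new HttpStatusCodeResult(403);    // in a group, but not this permission
    }
}
```

AllowAnonymousAttribute ships with MVC 4 and later; on MVC 3 define an equivalent marker attribute of your own, otherwise a global filter also blocks the login page.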
