All geek questions in one place

Configure Authorize Filter attribute parameter

I have the following requirement for implementing an access control list

public class SecurityObject{ public string Key{get;set;} public string DisplayName{get;set;} public bool isAllowed{get;set;} } public class Role{ List<SecurityObject> AccessibleObjects{get;set;} }

I am currently using authentication for basic authorization. Below is my code

Global.asax.cs

  public class MvcApplication : System.Web.HttpApplication { public override void Init() { this.PostAuthenticateRequest += new EventHandler(MvcApplication_PostAuthenticateRequest); base.Init(); } void MvcApplication_PostAuthenticateRequest(object sender, EventArgs e) { HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName]; if (authCookie != null) { string encTicket = authCookie.Value; if (!String.IsNullOrEmpty(encTicket)) { FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encTicket); string[] userData = ticket.UserData.Split(new string[] { "___" }, StringSplitOptions.None); string[] roles = null; if (userData.Length > 1) { roles = userData[1].Split(','); } MyCustomIdentity identity = new MyCustomIdentity(ticket); GenericPrincipal principle = new GenericPrincipal(identity, roles); HttpContext.Current.User = principle; } } }}

My current controller class

 public class AdminController : Controller { [HttpPost, Authorize, ValidateAntiForgeryToken] public ActionResult SaveUser(UserDetailViewModel viewModel) { } }

Class of my target controller

 public class AdminController : Controller { [HttpPost, Authorize(ACLKey="USR_SAVE"), ValidateAntiForgeryToken] public ActionResult SaveUser(UserDetailViewModel viewModel) { } }

I want my action method to be decorated with ACLKey, and I would like to check if the user role has the given key and based on the fact that I need to execute or return the HttpUnauthorizedResult page, even for Ajax requests from jQuery.

I mentioned many such as Configuring Authentication in ASP.NET MVC But I did not find a way to authenticate both forms and my regular ACLKey.

How to parse USR_SAVE value and handle user authentication using CustomAuthorizeFilter?

+4
source share
2 answers

You can try like this

 public class FeatureAuthenticationAttribute : FilterAttribute, IAuthorizationFilter { public string AllowFeature { get; set; } public void OnAuthorization(AuthorizationContext filterContext) { var filterAttribute = filterContext.ActionDescriptor.GetFilterAttributes(true) .Where(a => a.GetType() == typeof(FeatureAuthenticationAttribute)); if (filterAttribute != null) { foreach (FeatureAuthenticationAttribute attr in filterAttribute) { AllowFeature = attr.AllowFeature; } List<Role> roles = ((User)filterContext.HttpContext.Session["CurrentUser"]).Roles; bool allowed = SecurityHelper.IsAccessible(AllowFeature, roles); if (!allowed) { filterContext.Result = new HttpUnauthorizedResult(); } } } }

In your action method

  [FeatureAuthentication(AllowFeature="USR_SAVE")] public ActionResult Index() { }

Hope this helps you!

+5
source

You can use the filter attribute:

 public class ACLCheckAttribute : FilterAttribute, IActionFilter

In OnActionExecuting, you can capture USR_SAVE. Not knowing where it came from, I would suggest that it comes from:

  • Form: you can capture any form value from the context passed to ONActionExecuting by going to the HttpContext.Request.Form collection.
  • Session etc: HttpContext will also have these.
  • Method of action: from the attribute, using the context passed to the action, it has an ActionParameters list that can be accessed, for example, a dictionary that allows you to check and retrieve your value

If somewhere else, comment on where. You can apply this attribute to a controller or method, or set it globally by adding it to the globalfilters collection (GlobalFilters.Filters.Add ()) or in the FilterConfig file in the App_Start folder.

+1
source

Source: https://habr.com/ru/post/1490103/

More articles:


All Articles