ASP.NET MVC 3: applying AuthorizeAttribute to areas

I am currently writing an Admin MVC 3 site, and each user has access only to certain parts of the site.

The areas of my site are the same as the users' roles, so I would like to apply the AuthorizeAttribute to each area, using the area name as the Roles parameter.

So far this works when I hard-code the check for each area, but I would like to just loop through all the areas and apply an authorization filter to each one. (I'm using this as my custom FilterProvider: http://www.dotnetcurry.com/ShowArticle.aspx?ID=578 )

My code so far ("Gcm" is one of my areas as well as a role):

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // for all controllers, run AdminAuthorizeAttribute to make sure they're at least logged in
        filters.Add(ObjectFactory.GetInstance<AdminAuthorizeAttribute>());

        // for the "Gcm" area, additionally require the "Gcm" role
        AdminAuthorizeAttribute gcmAuthorizeAttribute = ObjectFactory.GetInstance<AdminAuthorizeAttribute>();
        gcmAuthorizeAttribute.Roles = "Gcm";

        // conditional filter: only returned when the current route belongs to the "Gcm" area
        var provider = new FilterProvider();
        provider.Add(x => x.RouteData.DataTokens["area"] != null
                          && x.RouteData.DataTokens["area"].ToString() == "Gcm"
                              ? gcmAuthorizeAttribute
                              : null);
        FilterProviders.Providers.Add(provider);
    }

Does anyone know how to get all the areas of my application, so I can just loop through them and not hard-code each area?

Or if someone has a better idea of how to handle authorization per area, that would be appreciated.

Thanks for your help, Saan

+6
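For the "how do I get all the areas" part of the question, here is an added example; it is not the question author's code and not from the linked dotnetcurry article. It discovers the areas from the AreaRegistration classes in the assembly (the same classes AreaRegistration.RegisterAllAreas() runs in Application_Start) and uses the MVC 3 IFilterProvider interface directly to hand out an AuthorizeAttribute whose Roles is the area name, so no area is hard-coded. Assumptions: the default project layout (area controllers live in a namespace containing Areas.<Name>.Controllers), a Global.asax class named MvcApplication, and roles coming from the configured role provider through IPrincipal.IsInRole. The per-area filter is a plain AuthorizeAttribute rather than the author's AdminAuthorizeAttribute.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Supplies one AuthorizeAttribute (Roles = area name) per request that lands
// in a registered area. Nothing is hard-coded: the area list is discovered.
public class AreaRoleFilterProvider : IFilterProvider
{
    // Matches the ".Areas.<Name>." segment of the default area namespace layout (assumed).
    private static readonly Regex AreaNamespace =
        new Regex(@"\.Areas\.(?<area>[^.]+)\.", RegexOptions.Compiled);

    private readonly HashSet<string> _areas;

    public AreaRoleFilterProvider(IEnumerable<string> areaNames)
    {
        _areas = new HashSet<string>(areaNames, StringComparer.OrdinalIgnoreCase);
    }

    // Every concrete AreaRegistration subclass names one area; this is exactly the
    // set AreaRegistration.RegisterAllAreas() registers routes for.
    public static IEnumerable<string> DiscoverAreas(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(AreaRegistration).IsAssignableFrom(t) && !t.IsAbstract)
            .Select(t => ((AreaRegistration)Activator.CreateInstance(t)).AreaName);
    }

    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        string area = ResolveArea(controllerContext);
        if (area == null || !_areas.Contains(area))
        {
            // Not inside a registered area: only the global "must be logged in" filter applies.
            yield break;
        }

        // FilterScope.Global keeps it ordered with the other global filters. AuthorizeAttribute
        // itself performs the role check (IPrincipal.IsInRole) through its Roles property.
        yield return new Filter(new AuthorizeAttribute { Roles = area }, FilterScope.Global, null);
    }

    private static string ResolveArea(ControllerContext controllerContext)
    {
        // Normal case: the area's route put its name in DataTokens["area"].
        var fromRoute = controllerContext.RouteData.DataTokens["area"] as string;
        if (!string.IsNullOrEmpty(fromRoute))
        {
            return fromRoute;
        }

        // Caveat: the root {controller}/{action} route can still resolve an area controller
        // through namespace fallback, and then no "area" token is present. Derive the area from
        // the controller's namespace so the role check cannot be bypassed by reaching the same
        // controller through a non-area URL.
        string ns = "." + (controllerContext.Controller.GetType().Namespace ?? string.Empty) + ".";
        Match m = AreaNamespace.Match(ns);
        return m.Success ? m.Groups["area"].Value : null;
    }
}

// Global.asax registration (MvcApplication is the assumed Global.asax class name).
public static class AreaFilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());   // everyone must at least be logged in

        var areas = AreaRoleFilterProvider.DiscoverAreas(typeof(MvcApplication).Assembly);
        FilterProviders.Providers.Add(new AreaRoleFilterProvider(areas));
    }
}
```

The namespace fallback in ResolveArea is the part worth keeping even if the rest is adapted: an area check keyed only on DataTokens["area"] silently turns off for any route that reaches the controller without that token, which is the kind of gap that is easy to miss until someone requests the non-area URL.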
3 answers

When I was studying a separate issue, I came across How to pass parameters to a custom ActionFilter in ASP.NET MVC 2?

This attribute can be changed to check the current area of the controller.

    using System.Web.Mvc;
    using System.Web.Routing;

    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            RouteData routeData = filterContext.RouteData;

            // check if user is allowed on this page
            if (SessionFactory.GetSession().Contains(SessionKey.User))
            {
                User user = (User)SessionFactory.GetSession().Get(SessionKey.User);

                // DataTokens["area"] is null for controllers outside any area, so don't call ToString() on it
                string thisArea = routeData.DataTokens["area"] as string;

                // if the request is inside an area and the user doesn't have access to that area
                if (thisArea != null && !user.IsInRole(thisArea))
                {
                    HandleUnauthorizedRequest(filterContext);
                    return;
                }
            }

            // do normal OnAuthorization checks too (authenticated, Users/Roles).
            // Note: the area check above lives in OnAuthorization, not AuthorizeCore, so it is not
            // re-run by the output-cache validation callback that AuthorizeAttribute installs.
            base.OnAuthorization(filterContext);
        }
    }

Then I apply my own authorize attribute to all controllers like this in Global.asax:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // for all controllers, run CustomAuthorizeAttribute to make sure they're logged in and have access to the area
        filters.Add(ObjectFactory.GetInstance<CustomAuthorizeAttribute>());
    }

Thanks to all who responded

Saan

-1
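A variant of the answer above, added here as an example; it is not part of the original answer. The "area name is the role" check is moved into AuthorizeCore and uses the ASP.NET principal (IPrincipal.IsInRole) instead of a session object, and an authenticated user who lacks the role receives a 403 rather than the default 401, which Forms authentication would turn into a redirect to the login page for someone who is already logged in. AuthorizeCore matters because AuthorizeAttribute registers AuthorizeCore, not OnAuthorization, as the output-cache validation callback; that callback runs before routing, so the code fails closed when no route data is present instead of serving a cached page to a user who was never checked against the area. The attribute and role names are assumptions.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Single global attribute: the request's area name is the role the user must hold.
// Register it once: filters.Add(new AreaRoleAuthorizeAttribute()); in RegisterGlobalFilters.
public class AreaRoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: authenticated, plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        RouteData routeData = httpContext.Request.RequestContext.RouteData;
        if (routeData.Route == null)
        {
            // No route has been matched yet. This is the situation inside the output-cache
            // validation callback, which fires before UrlRoutingModule runs. We cannot tell
            // which area (if any) this request is for, so fail closed: returning false makes
            // AuthorizeAttribute report IgnoreThisRequest, the cached copy is skipped, and the
            // action executes with full authorization.
            return false;
        }

        // Null when the controller is not inside an area: being logged in is then enough.
        string area = routeData.DataTokens["area"] as string;
        return area == null || httpContext.User.IsInRole(area);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but not in the area's role: 403, not a trip back to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Forbidden);
            return;
        }

        // Not logged in: keep the default 401 so Forms authentication redirects to login.
        base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Compared with checking a session object in OnAuthorization, this keeps a single source of truth for roles (the principal the authentication module built) and keeps the area decision inside the method that both the filter pipeline and the output cache consult.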

You can create a base controller for each area and put the authorize attribute on that base class. That way you can pass an area-specific Roles parameter on each area's base controller.

+2

Here is an example of an authorization attribute override that I created. I needed my authorization function to support member types, so you might not want to get too involved in the internal workings of the functions, but AuthorizeCore is where the main logic happens. In my case, I check against a DataContext object.

Usage:

    [AjaxAuthorize(AjaxRole = "Administrators")]
    public JsonResult SaveAdministrativeUser(v.... )

The code:

    using System.Linq;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Mvc;

    public class AjaxAuthorizeAttribute : AuthorizeAttribute
    {
        private class HttpAuthorizeFailedResult : ActionResult
        {
            public override void ExecuteResult(ControllerContext context)
            {
                // Windows-authenticated callers get 401 (so the browser can renegotiate);
                // everyone else gets a plain 403.
                context.HttpContext.Response.StatusCode =
                    context.HttpContext.User.Identity is WindowsIdentity ? 401 : 403;
            }
        }

        public string AjaxRole { get; set; }

        public AjaxAuthorizeAttribute()
        {
            AjaxRole = "Users";
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // No database configured: authorization is switched off and every request is allowed.
            if (string.IsNullOrEmpty(MvcApplication.Config.DBSettings.Database))
            {
                return true;
            }

            UnitArchiveData db = DataContextFactory.GetWebRequestScopedDataContext<UnitArchiveData>(
                MvcApplication.Config.DBSettings.GetConnectionString());

            if (httpContext.User.Identity.IsAuthenticated)
            {
                login_data user = db.login_datas
                    .Where(n => n.EmailAddress == httpContext.User.Identity.Name)
                    .FirstOrDefault();

                if (user != null)
                {
                    // Administrators are allowed everywhere; otherwise the user's role must match AjaxRole.
                    return user.cd_login_role.RoleName == "Administrators"
                        || user.cd_login_role.RoleName == AjaxRole;
                }
            }

            return false;
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
            {
                // Ajax request doesn't return to the login page, it just gets a 401/403 status.
                filterContext.Result = new HttpAuthorizeFailedResult();
            }
            else
            {
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }
0

Source: https://habr.com/ru/post/888211/