ASP MVC: Confusing ASP MVC Security

I am implementing part of the security of an ASP MVC application, and I am confused about how to implement a custom membership provider, since there seems to be a lot of functionality that I would not use.

I usually port an application that manages security through an object stored in the session called "SecurityManager", which contains the current user and the collection of form permissions. Each element of this collection contains the permission for the registered user form and the permissions for each field of that form (if necessary, when full control over the form is not required).

However, when I look at the methods of MembershipProvider and the AuthorizeAttribute, they assume that I will use roles, which my application does not use; we only have permission groups, which are just permissions grouped for specific user groups, and they tend to change over time.

So basically the only thing I need is that, when a request is checked, it verifies whether the security manager is stored in the session (if it is not, the user is not authenticated and is redirected to the login page), then gets this object from the session and performs an operation on it to find out whether or not the user can access the view.

What would be the best approach for this? I read that bypassing user membership was not a good idea.

1 answer

Update. I recently came across this again and figured out how to use AuthorizeAttribute to accomplish exactly what you need. My attribute, which checks whether the user is an administrator, works as follows:

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

public class AuthorizeAdminAttribute : AuthorizeAttribute
{
    // Set when the request comes from a real, logged-in user (even if not an admin).
    // Note: MVC may reuse attribute instances between requests, so this property
    // is per-instance state rather than strictly per-request state.
    public bool IsValidUser { get; protected set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        // Make sure Forms authentication shows the user as authenticated
        if (httpContext.User.Identity.IsAuthenticated == false)
            return false;

        // Retrieve the unit of work from Windsor, and determine if the current user is an admin
        var unitOfWork = Bootstrapper.WindsorContainer.Resolve<IUnitOfWork>();
        var user = new UserByIdQuery(unitOfWork)
            .WithUserId((int)Membership.GetUser().ProviderUserKey)
            .Execute();
        if (user == null)
            return false;

        // Otherwise the logged in user is a real user in the system
        IsValidUser = true;
        return user.IsAdmin;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // If this user is a valid user but not an admin, redirect to the homepage
        if (IsValidUser)
        {
            // Redirect them to the homepage
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "area", "" },
                { "action", "Index" },
                { "controller", "Home" }
            });
        }
        else
        {
            // User isn't logged in, perform normal operations (redirect to the login page)
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
```

Essentially, your AuthorizeCore() must determine whether the user is logged in, save this result, and then authorize against the roles in your system. Then in your HandleUnauthorizedRequest you need to find out whether the request was unauthorized because the user was not logged in, or because they were not authorized.


Old answer: I use the Authorize attribute, subclassing the AuthorizeAttribute class. For example:

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class MyCustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        // Make sure Forms authentication shows the user as authenticated
        if (httpContext.User.Identity.IsAuthenticated == false)
            return false;

        // replace with whatever code you need to call to determine if the user is authorized
        return IsUserAuthorized();
    }
}
```

Now, when a controller or action decorated with [MyCustomAuthorize] is called, it will run this code to determine whether the user is allowed based on your own logic, and if not, it will redirect them exactly as the [Authorize] attribute would.

I don’t know if this is the best approach, but this is what I came up with.
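The same two-step pattern applied to the session-held "SecurityManager" from the question, as an added example that is not the answerer's code. The `SecurityManager` shape, the session key, the `FormPermission` attribute name and the form-name check are all assumptions; per-request state is kept in `HttpContext.Items` because MVC caches and shares attribute instances across requests.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical stand-in for the asker's session object: the set of form names the
// current user may open (the real class also carries per-field permissions).
public class SecurityManager
{
    public HashSet<string> AllowedForms { get; set; }
}

// Checks one named form permission against the SecurityManager stored in session.
// Usage: [FormPermission("Invoices")] on a controller or action.
public class FormPermissionAttribute : AuthorizeAttribute
{
    private const string SessionKey = "SecurityManager";        // assumed session key
    private const string ItemsKey = "FormPermission.LoggedIn";  // per-request flag
    private readonly string _formName;

    public FormPermissionAttribute(string formName) { _formName = formName; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        var manager = httpContext.Session != null ? httpContext.Session[SessionKey] as SecurityManager : null;
        // No manager in session means the user never logged in: fall through to the login redirect.
        if (manager == null) return false;
        // Attribute instances are shared between requests, so the "logged in but not
        // permitted" flag lives in HttpContext.Items rather than in a field.
        httpContext.Items[ItemsKey] = true;
        return manager.AllowedForms != null && manager.AllowedForms.Contains(_formName);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        var loggedIn = filterContext.HttpContext.Items[ItemsKey] as bool? ?? false;
        if (loggedIn)
        {
            // Authenticated but lacking this form's permission: send to the homepage, not to login.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
                { { "controller", "Home" }, { "action", "Index" } });
        }
        else
        {
            // Not logged in: the base class issues the 401 that Forms authentication turns into a login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
```

Because AuthorizeAttribute also re-runs AuthorizeCore from the output-cache validation callback, where `Session` can be null, the null check on `httpContext.Session` is what keeps cached responses from being served to an unauthenticated visitor.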


Source: https://habr.com/ru/post/892054/


All Articles