We are designing application using MVC. We have thousands of user and more than 100 roles. Tasks (access rights for specific action )are assigned to roles.
There are many tasks assigned to multiple roles meaning that task can be shared among roles. Due to nature of application we have to add/delete/update roles and therefore we can not use role based authorization.
Need help to advise on how to implement task based authorization where application does not bother about roles.
Thanks.
You can use bit flag enums to create list of tasks and assign user permission using them. Unfortunately, even if you use ulong, this will limit you with maximum 64 options. Here is a sample code:
[Flags]
public enum TaskPermissions : ulong
{
None = 0x0000,
CanDoTask1 = 0x0001,
CanDoTask2 = 0x0002,
CanDoTask3 = 0x0004,
CanDoTask4 = 0x0008,
CanDoTask5 = 0x0010,
// ... powers of 2
CanDoEverything = 0xFFFF
}
public class Member
{
public string Username {get;set;}
public TaskPermissions Permissions { get; set; }
// other things that are necessary
public bool HasPermission(TaskPermissions permissions)
{
return (Permissions & permissions) == permissions;
}
}
To set permissions:
var member=new Member():
member.Permissions= TaskPermissions.CanDoTask1 | TaskPermissions.CanDoTask2;
To check a permission:
member.HasPermission(TaskPermissions.CanDoTask1);
Sample AuthorizationRequiredAttribute for Mvc (assuming member is in session):
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizationRequiredAttribute : ActionFilterAttribute
{
public TaskPermissions RequiredPermissions { get; set; }
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext.Controller.Session["Member"].HasPermission(RequiredPermissions))
{
base.OnActionExecuting(filterContext);
return;
}
throw new AuthenticationException("Access denied");
}
}
Usage:
[AuthorizationRequired(RequiredPermissions = TaskPermissions.CanDoTask1)]
public class TestController : Controller
{
//methods
}
Related
If I adopted the last scenario in this thesis :
Then my main layers will be like that:
UI Service (MVC application)
Business Layer
Security Service (used as a wrapper class library for MS identity
framework)
Aspects which use the previous security service to Authorize the
business layer methods.
public class EditEmployeeData : OnMethodBoundaryAspect
{
public override void OnEntry(MethodExecutionArgs args)
{
Employee emp = (Employee)args.Instance;
((System.Security.Claims.ClaimsIdentity)System.Web.HttpContext.Current.User.Identity).HasClaim("Employee", "EditName");
}
}
I want to set the current user in runtime.
How to access the current user to authorize him on a specific
functionality in business layer?
Should the authorization be more near to the UI to disable/hide functionality and to prevent calling not allowed action methods ?(In the preferred scenario there's not any interaction between the security layer and the UI !!)
Update
Please see this answer about using claims...
In a controller, you can get the current user like this:
using Microsoft.AspNet.Identity.Owin;
public class MyController : Controller
{
// this code will return 0 if user is not authenticated
protected long GetUserId()
{
// note: I have changed the default UserId type from Guid to long
return User.Identity.GetUserId<long>();
/*
* use this if you are using Guid UserIds (which is the default)
* return User.Identity.GetUserId();
*/
}
See this, if you want to know how to change type of UserId.
If you have access to HttpContext, you can get the user like this:
// note that I have changed UserId from Guid to long
HttpContext.Current.User.Identity.GetUserId<long>()
If you want to get ApplicationUser use this (more info here):
// this is how you get user manager from OwinContext
var userManager = System.Web.HttpContext.Current.GetOwinContext().GetUserManager<ApplicationUserManager>();
// Get ApplicationUser from UserManager
ApplicationUser user = UserManager.FindById(User.Identity.GetUserId());
How to access the current user to authorize him on a specific
functionality in business layer?
If you need to access current user in a service, you can pass it through or you can inject it. Using ninject, this is how you can inject UserId into a service:
kernel.Bind<MyService>().ToConstructor(ctorArg => new MyService(
HttpContext.Current.User.Identity.GetUserId<long>()).InRequestScope();
And this is how MyService class looks like:
public class MyService
{
private readonly long _userId;
public MyService(long userId)
{
// this service always has access to current user (if logged in)
_userId = userId;
}
// more code...
I am not sure what is the process of your authorization... ASP.NET Identity, already implements authorization task for you. This is implemented in ApplicationUserManager and ApplicationSignInManager which comes with ASP.NET MVC default template. You can use [Authorize] attribute on your action/class to prevent unauthorized access:
[Authorize] // <-- restricts all action methods of the class, unless marked [AllowAnonymous]
public class MyController : Controller
{
[HttpPost]
[Authorize] // <-- restricts this particular action method
public ActionResult MyAction(long id)
{
// do some action which requires authorization
}
Regarding DDD layers, have a look at this this link which explains services which belong to each layer.
How to access the current user to authorize him on a specific functionality in business layer?
To access user information on the business layer, you can type an interface named ICurrentUser
namespace AOPSample
{
public interface ICurrentUser
{
User GetCurrentUser();
}
public class User
{
public int Id { get; set; }
public string Username { get; set; }
public string Role { get; set; }
}
}
The CurrentUser class must be able to read the information of the user from a common location. HttpContext is available for this.
Let's write a helper class for this.
using System.Web;
namespace AOPSample
{
public class ContextHelper
{
public T Get<T>()
{
T local = default(T);
string key = typeof(T).GUID.ToString();
if (HttpContext.Current.Items.Contains(key))
{
local = (T)HttpContext.Current.Items[key];
}
return local;
}
public T Get<T>(string key)
{
T local = default(T);
if (HttpContext.Current.Items.Contains(key))
{
local = (T)HttpContext.Current.Items[key];
}
return local;
}
public void Set<T>(T value)
{
string str = typeof(T).GUID.ToString();
HttpContext.Current.Items[str] = value;
}
public void Set<T>(T value, string key)
{
HttpContext.Current.Items[key] = value;
}
}
}
Our CurrentUser class will return user information using your helper class
namespace AOPSample
{
public class CurrentUser : ICurrentUser
{
public User GetCurrentUser()
{
return new ContextHelper().Get<User>();
}
}
}
now user information write to HttpContext with ContextHelper class and for this use correct location interceptor class
public class EditEmployeeData : OnMethodBoundaryAspect
{
public override void OnEntry(MethodExecutionArgs args)
{
Employee emp = (Employee)args.Instance;
((System.Security.Claims.ClaimsIdentity)System.Web.HttpContext.Current.User.Identity).HasClaim("Employee", "EditName");
new ContextHelper().Set<User>(new User
{
});
}
}
You can access user information from the domain layer with ICurrentUser. HttpContext is unique for every request and response
Should the authorization be more near to the UI to disable/hide functionality and to prevent calling not allowed action methods ?(In the preferred scenario there's not any interaction between the security layer and the UI !!)
It's your choice
In my opinion, you can take user privileges and log them with cache and use them for client side actions, but according to the technology you use for server side, you can store user information for each request in a similar way. For example; The correct location to store the OperationContext for wcf.
If you use ASP.NET Identity, you can try the following approach in order to get current User:
ApplicationUser user = System.Web.HttpContext.Current.GetOwinContext().GetUserManager<ApplicationUserManager>().FindById(System.Web.HttpContext.Current.User.Identity.GetUserId());
//If you use int instead of string for primary key, use this:
ApplicationUser user = System.Web.HttpContext.Current.GetOwinContext().GetUserManager<ApplicationUserManager>().FindById(Convert.ToInt32(System.Web.HttpContext.Current.User.Identity.GetUserId()));
Hope this helps...
I want to create a Web API MVC.
This API will authorize TOKEN JWT, and I want to create my own Authorize attribute like CanRead, CanModify, CanWrite.
Three attributes just inherit Attribute class (no AuthorizeAttribute), is it ok ?
My application have complicates role and permission so I want to customize all about authorization and authentication.
I want to manage the permission dynamic
So how can I do it ?
Will I access database from attributes (CanRead or CanModify) to check permission
Create a custom AuthorizeAttribute instead. an example below.
public class KeyAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
string key = httpContext.Request["X-Key"];
return ApiValidatorService.IsValid(key);
}
}
public static class ApiValidatorService
{
public static bool IsValid(string key)
{
int keyvalue;
if (int.TryParse(key, out keyvalue))
{
return keyvalue % 2137 == 7;
}
return false;
}
}
Taken from Jon Galloway's blog. I don't know specifically how you are authorizing, but if you create a class with:
public bool CanRead { get; set; }
public bool CanWrite { get; set; }
public bool CanModify { get; set; }
And then within the AuthorizeCore method, determine based on the setting if the user has the right permission.
I have a windows authentication MVC app that needs the username to do a lookup to determine if links are visible and set authorization. Note: I do visibility/Authorization with roles as well.
I need the username so I am currently doing it in OnAuthentification (not sure if this is the right place). I am splicing the username down to put it on the main page and say welcome, User. (presentation purposes)
[Authorize]
public abstract class ApplicationController : Controller
{
public static bool IsApprover;
protected override void OnAuthentication(AuthenticationContext filterContext)
{
base.OnAuthentication(filterContext);
if (filterContext.RequestContext.HttpContext.User.Identity.IsAuthenticated == true)
{
string userName = User.Identity.Name.Remove(0, 16).Replace('.', ' ').ToLower();
HttpContext.Application["UserName"] = TitleCase(userName, "Nothing");
//Initialize Values
HttpContext.Application["IsApprover"] = false; //used for link visibility
IsApprover = false; //used for Authorization
//do db lookup and set IsApprover values
}
}
}
So, I set the values above. I am not including the entity framework code just to be brief. The above works fine and every controller inherits from ApplicationController.
I also have
public class CustomAuthorizationValue : AuthorizeAttribute
{
private bool localIsAllowed;
public CustomAuthorizationValue(bool isAllowed)
{
localIsAllowed = isAllowed;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext.Request.IsLocal)
{
var authorized = base.AuthorizeCore(httpContext);
if (!authorized)
{
// The user is not authorized => no need to go any further
return false;
}
return localIsAllowed;
}
return false;
}
}
For Authorization I use:
[CustomAuthorizationValue(IsApprover)]
public ActionResult Approve()
{
//code
}
For Visibility in Razor I use
#if((bool)#HttpContext.Current.Application["IsApprover"] == true)
{
<li>Approve (#HttpContext.Current.Application["ApproveCount"])</li>
}
This works fine but I have 2 different variables to use,
one for visibility (HttpContext.Current.Application["IsApprover"])
and
one for Authorization (IsApprover).
Is there a more elegant solution?
Is there another place to put the code rather than override void OnAuthentication?
Is there a way I can just set 1 variable for visibility and Authorization rather than having 2?
Is this the best practice or am I way off?
The above works fine and every controller inherits from
ApplicationController.
Hmmmm. You are storing user specific information information in the wrong scope:
HttpContext.Application["UserName"] = TitleCase(userName, "Nothing");
HttpContext.Application["IsApprover"] = false;
In ASP.NET, the Application scope is shared among ALL users of your website. So you have a concurrency issue here.
You should use the HTTP Context scope instead:
HttpContext.Items["UserName"] = TitleCase(userName, "Nothing");
HttpContext.Items["IsApprover"] = false;
Is there a more elegant solution?
You could use a view model:
public class MyViewModel
{
public string UserName { get; set; }
public bool IsApprover { get; set; }
}
and then have a couple of extension methods to work more easily:
public static class HttpContextExtensions
{
private const string MyViewModelKey = "__MyViewModel__";
public static MyViewModel GetMyViewModel(this HttpContextBase context)
{
return (MyViewModel)context.Items[MyViewModelKey];
}
public static void SetMyViewModel(this HttpContextBase context, MyViewModel model)
{
context.Items[MyViewModelKey] = model;
}
}
and then use those extension methods:
if (filterContext.RequestContext.HttpContext.User.Identity.IsAuthenticated)
{
string userName = User.Identity.Name.Remove(0, 16).Replace('.', ' ').ToLower();
bool isApprover = ... do db lookup and set IsApprover value
var model = new MyViewModel
{
UserName = TitleCase(userName, "Nothing"),
IsApprover = isApprover,
}
this.HttpContext.SetMyViewModel(model);
}
and in your view:
#if(HttpContext.GetMyViewModel().IsApprover)
{
<li>
<a href="#Url.Action("Approve", "Approve")">
Approve (#HttpContext.Current.Application["ApproveCount"])
</a>
</li>
}
NOTE: In this anchor text once again you seem to be using the Application scope to store user specific information such as ApproveCount which we discussed earlier.
Is this the best practice or am I way off?
Well, I would probably use claims based authentication and store this information (IsApprover, ...) as claims in the current user.
ASP.NET MVC has good support for role-based security, but the usage of strings as role names is maddening, simply because they cannot be strongly-typed as enumerations.
For example, I have an "Admin" role in my app. The "Admin" string will now exist in the Authorize attribute of my action, in my master page (for hiding a tab), in my database (for defining the roles available to each user), and any other place in my code or view files where I need to perform special logic for admin or non-admin users.
Is there a better solution, short of writing my own authorization attribute and filter, that would perhaps deal with a collection of enumeration values?
Using magic strings gives you the flexibility to declare multiple roles in the Authorize attribute (e.g. [Authorize(Roles = "Admin, Moderator")] which you tend to lose as you go to a strongly typed solution. But here's how you can maintain this flexibility while still getting everything strongly typed.
Define your roles in an enum that uses bit flags:
[Flags]
public enum AppRole {
Admin = 1,
Moderator = 2,
Editor = 4,
Contributor = 8,
User = 16
}
Override AuthorizeAttribute:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MyAuthorizeAttribute : AuthorizeAttribute {
public AppRole AppRole { get; set; }
public override void OnAuthorization(AuthorizationContext filterContext) {
if (AppRole != 0)
Roles = AppRole.ToString();
base.OnAuthorization(filterContext);
}
}
Now if you can use MyAuthorizeAttribute like this:
[MyAuthorize(AppRole = AppRole.Admin | AppRole.Moderator | AppRole.Editor)]
public ActionResult Index() {
return View();
}
The above action will only authorize users that are in at least one of the roles listed (Admin, Moderator, or Editor). The behavior is the same as MVC's default AuthorizeAttribute, except without the magic strings.
If you use this technique, here's an extension method on IPrincipal that may also be useful:
public static class PrincipalExtensions {
public static bool IsInRole(this IPrincipal user, AppRole appRole) {
var roles = appRole.ToString().Split(',').Select(x => x.Trim());
foreach (var role in roles) {
if (user.IsInRole(role))
return true;
}
return false;
}
}
You can use this extension method like this:
public ActionResult Index() {
var allowed = User.IsInRole(AppRole.Admin | AppRole.Moderator | AppRole.Editor);
if (!allowed) {
// Do Something
}
return View();
}
I usually use a class with a bunch of string constants. It's not a perfect solution, since you need to remember to stick to using it everywhere, but at least it gets rid of the possibility of typos.
static class Role {
public const string Admin = "Admin";
}
Although it doesn't use enums, I've used the solution below, where we sub-class the Authorize filter to take in variable length role name arguments in the constructor. Using this together with role names declared in const variables somewhere, we avoid magic strings:
public class AuthorizeRolesAttribute : AuthorizeAttribute
{
public AuthorizeRolesAttribute(params string[] roles) : base()
{
Roles = string.Join(",", roles);
}
}
public class MyController : Controller
{
private const string AdministratorRole = "Administrator";
private const string AssistantRole = "Assistant";
[AuthorizeRoles(AdministratorRole, AssistantRole)]
public ActionResult AdminOrAssistant()
{
return View();
}
}
(I blogged about this in a little bit more detail - http://tech-journals.com/jonow/2011/05/19/avoiding-magic-strings-in-asp-net-mvc-authorize-filters)
I took JohnnyO's response but changed the enumeration items to use the DescriptionAttribute to specify the string value for the role. This comes in handy if you want your role string to be different from the Enum name.
The enum example:
[Flags]
public enum AppRole
{
[Description("myRole_1")]
RoleOne = 1,
[Description("myRole_2")]
RoleTwo = 2
}
The extension method:
public static bool IsInRole(this IPrincipal user, AppRole appRole)
{
var roles = new List<string>();
foreach (var role in (AppRole[])Enum.GetValues(typeof(AppRole)))
if ((appRole & role) != 0)
roles.Add(role.ToDescription());
return roles.Any(user.IsInRole);
}
The custom attribute:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AppAuthorizeAttribute : AuthorizeAttribute
{
public AppRole AppRoles { get; set; }
public override void OnAuthorization(AuthorizationContext filterContext)
{
var roles = new List<string>();
foreach (var role in (AppRole[])Enum.GetValues(typeof(AppRole)))
if((AppRoles & role) != 0)
roles.Add(role.ToDescription());
if (roles.Count > 0)
Roles = string.Join(",", roles);
base.OnAuthorization(filterContext);
}
}
Extension method to get the description value:
public static string ToDescription(this Enum value)
{
var da = (DescriptionAttribute[])
(value.GetType().GetField(value.ToString()))
.GetCustomAttributes(typeof (DescriptionAttribute), false);
return da.Length > 0 ? da[0].Description : value.ToString();
}
It's not that hard to customize AuthorizeAttribute in the way you suggest.
Subtype it, add a custom property for your enum type, and call ToString() on the passed value. Put that in the regular roles property. This should take just a few lines of code, and AuthorizeAttribute still does all the real work.
+1 for Matti, too, since consts are also a good choice.
I have used a static class defining a bunch of string constants as suggested by Matti and on my current project I use the below extension method with an enum. Both approaches work very well.
public static class EnumerationExtension
{
public static string GetName(this Enum e)
{
return Enum.GetName(e.GetType(), e);
}
}
How can I include a user regardless of his role, dependent on a matching userID, and not always same user:
[Authorize(Roles="Group1") AND userID=uniqueID]
You won't be able to do this with the default AuthorizeAttribute. You will need to extend AuthorizeAttribute with a custom class that adds the user behavior. Typically it uses named users, but you could provide an alternative. Normally if you supply both Users and Roles, it will require that the user be in the list of users and have one of the indicated roles.
public class UserOrRoleAuthorizeAttribute : AuthorizeAttribute
{
public int? SuperUserID { get; set; }
protected override bool AuthorizeCore( HttpContextBase httpContext )
{
if (base.AuthorizeCore( httpContext ))
{
var userid == ...get id of current user from db...
return userid == this.SuperUserID;
}
return false;
}
}
Used as:
[UserOrRoleAuthorize(Roles="Admin",SuperUserID=15)]
public ActionResult SomeAction() ...
Note that you could also add in some way of specifing where to look for the id for this action, .i.e.,
Table="Admins",Column="AdminID",MatchProperty="Company",MatchParameter="company"
then put some code into the attribute to look up the value in the property table and column and comparing it to the specified RouteValue entry instead of hard-coding it.
You could write a custom Authorize filter (implement IAuthorizationFilter)
Your custom Authorize filter could take the userId as a parameter.
Something like
public class
YourAuthorizeFilterAttribute : AuthorizeAttribute, IAuthorizationFilter
{
public string UserId { get; set; }
public void OnAuthorization(AuthorizationContext filterContext)
{
if(filterContext.HttpContext.User.Identity.Name != UserId &&
!filterContext.HttpContext.User.IsInRole(base.Roles))
{
filterContext.Result = new RedirectResult("/Account/LogOn");
}
}
}
Then use your own filter like so
[YourAuthorizeFilter(UserId = "theuser", Roles ="Group1")]
Kindness,
Dan