I am struggling to choose what to use for authentication and authorization for my .NET application. I am using ASP.NET MVC with C#. In Java I find Spring Acegi Security very easy and good to implement to secure URLs, hide menus and buttons and even secure my methods.

Also I would be using Windows Active Directory to store user profiles.

What is available in the .NET world which is similar to Spring Acegi? Anyway, here is what I want:

  1. XML-type configuration to secure URLs based on roles, i.e. only the Admin role can access /admin/* pages, etc.
  2. On the UI I want to hide menus and buttons based on role, like if (role is Admin) showButton.
  3. Although the above stuff is enough, I would like to secure my business layer as well. It's because I have exposed a web service as well.

I know I can write a custom one, but why re-invent the wheel if some .NET library is available?

A: 

It's true, .NET has a very powerful engine for it. You need to look at the existing implementations of RoleProvider and MembershipProvider or create your own. In web.config you need to specify which of the providers to use and at least specify which folders are secured by role. To implement business-logic layer security you just need to leverage Membership.GetUser, Roles.IsUserInRole, ..., which are available anywhere.

Dewfy
A: 
  1. XML configuration? No, not with the base MVC stuff. With WebForms you could argue that the rules in web.config were XML based, but they don't apply to ASP.NET MVC - DO NOT USE path/location in web.config. Authorization is controlled by attributes on the controller class. However, someone has written an XML authorization module which might be suitable.
  2. In the UI you can do that in the View if you wish. You can hide based on authenticated versus unauthenticated like so:

    <% if (Request.IsAuthenticated) { %>
        Hi authenticated user
    <% } %>

  and you can also use the Request.User object to be more specific:

    <% if (User.IsInRole("SuperUsers")) { %>
        Hi superuser
    <% } %>

  3. You can protect web services with user names and passwords; however, if you want to flow identity from the web site to the web service, because the web site calls it, that's more tricky. There are lots of questions and answers already on here about WCF authentication and authorization.

blowdart
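As an added example (not code from the answer above or from the asker's project), here are points 1 and 3 in C#: the controller attribute that replaces web.config location rules, and role checks inside the business layer so a web-service caller is checked too. It assumes a RoleProvider is configured in web.config (for the Windows Active Directory groups the question mentions, AspNetWindowsTokenRoleProvider maps the caller's groups to roles); AdminController, OrderService and the method names are hypothetical.

```csharp
using System.Security;
using System.Security.Permissions;
using System.Web.Mvc;
using System.Web.Security;

// 1. Secure /admin/* by role: instead of <location> rules in web.config, put the
//    attribute on the controller so every action under /Admin requires the role.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // An action can narrow further; both filters run, so the caller needs both roles.
    [Authorize(Roles = "SuperUsers")]
    public ActionResult Audit()
    {
        return View();
    }
}

// 3. Business-layer checks that do not depend on the web tier, so a web-service
//    caller that reaches this class is checked too. "OrderService" is a hypothetical
//    name; both methods demand the same role, declaratively and imperatively.
public class OrderService
{
    // Declarative: throws SecurityException unless Thread.CurrentPrincipal is in the role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public void CancelOrder(int orderId)
    {
        // ... cancel logic ...
    }

    // Imperative: the same check through the configured RoleProvider, for when the
    // role name is data-driven or you want to control the exception.
    public void RefundOrder(int orderId)
    {
        if (!Roles.IsUserInRole("Admin"))
        {
            throw new SecurityException("Refunds require the Admin role.");
        }
        // ... refund logic ...
    }
}
```

Because the service-layer demand runs against Thread.CurrentPrincipal rather than the MVC filter pipeline, it still fires when the class is reached through the web service rather than a controller.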
A: 

It's not a real answer, but IMVHO, consider implementing your custom logic. It's true, the wheel has already been invented in this case, but I find myself struggling most of the time when using ASP.NET authentication and authorization. You can be up and running very fast, and this is good if you have a simple scenario. When you want to go beyond this, you risk losing all the time you gained initially. But as I said before, it's just my opinion.

m.bagattini
Perhaps you could share some details on a scenario where you have found the default ASP.NET authentication and authorization mechanisms to be insufficient?
mookid8000
Not saying it's insufficient. Just saying that when I want to do more complex (dirty?) things, the time I spend implementing upon a custom method is less than the time I could spend on top of the ASP.NET method. As I said before, this is IMVHO.
m.bagattini