tags:

views:

1742

answers:

4
+1  Q: 

How to do Authorization redirect on ASP.NET MVC

Hi Everybody.

So, I come from a ASP.NET 2.0 WebForms background and am new to ASP.NET MVC which I find it wonderful, however, i've been somewhat accostumed to it.

This time, my problem has to do with Authentication and Authorization Model:

I used to restrict folders via Web.config's authorization section

 <authorization>
  <deny users="?"/>
  <!--
  <allow users="*"/>
  -->
 </authorization>

So when a user tries to access a private "page" be redirected to index page; How can I do this on MVC? I used to save the user id (or object) in the session data... now I don't know how or where to store it, in a MVC'ish way.

As a side note, my data model has a table like this:

CREATE TABLE user_perm (
    user INT,
    feature INT,
)

And I would like to restrict access to certain controllers based on the content of this table. Ho w can I achieve it?

PS: i'm aware of these other questions, but they refer to beta version and I'm unsure if yet apply to the current released version.

Thanks in advance

+2  A: 

Have a look at this blog post: Securing your controller actions

Praveen Angyan  2009-06-05 18:55:52
+2  A: 

You should try attribute filtering on controller actions. (See this link for good information.)

Controller actions point you to actual 'pages', you should secure those.

What I use (custom attribute...):

Public Class ProjectController
    Inherits System.Web.Mvc.Controller

    <Models.Authentication.RequiresAuthentication()> _
    Function Edit(ByVal id As Integer) As ActionResult

    End Function

    <Models.Authentication.RequiresRole(Role:="Admin")> _
    Function Delete(ByVal id As Integer) As ActionResult

    End Function
End Class

And the authorization attribute:

Namespace Models.Authentication
    Public Class RequiresAuthenticationAttribute : Inherits ActionFilterAttribute
        Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
            If Not filterContext.HttpContext.User.Identity.IsAuthenticated Then
                Dim redirectOnSuccess As String = filterContext.HttpContext.Request.Url.AbsolutePath
                Dim redirectUrl As String = String.Format("?ReturnUrl={0}", redirectOnSuccess)
                Dim loginUrl As String = FormsAuthentication.LoginUrl + redirectUrl

                filterContext.HttpContext.Response.Redirect(loginUrl, True)
            End If
        End Sub
    End Class

    Public Class RequiresRoleAttribute : Inherits ActionFilterAttribute
        Private _role As String

        Public Property Role() As String
            Get
                Return Me._role
            End Get
            Set(ByVal value As String)
                Me._role = value
            End Set
        End Property

        Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
            If Not String.IsNullOrEmpty(Me.Role) Then
                If Not filterContext.HttpContext.User.Identity.IsAuthenticated Then
                    Dim redirectOnSuccess As String = filterContext.HttpContext.Request.Url.AbsolutePath
                    Dim redirectUrl As String = String.Format("?ReturnUrl={0}", redirectOnSuccess)
                    Dim loginUrl As String = FormsAuthentication.LoginUrl + redirectUrl

                    filterContext.HttpContext.Response.Redirect(loginUrl, True)
                Else
                    Dim hasAccess As Boolean = filterContext.HttpContext.User.IsInRole(Me.Role)
                    If Not hasAccess Then
                        Throw New UnauthorizedAccessException("You don't have access to this page. Only " & Me.Role & " can view this page.")
                    End If
                End If
            Else
                Throw New InvalidOperationException("No Role Specified")
            End If

        End Sub
    End Class
End Namespace
Ropstah  2009-06-05 18:57:08
ewww VerBose.net :P
Nathan Ridley  2009-06-05 19:54:18
Sorry, i go way back on VB :). I really like C# / Javascript constructs and really HATE the line continuation mark _ for VB. But VB is perfectly readable to me. Hurray for intellisense hehe
Ropstah  2009-06-05 20:53:56
+1  A: 

use the Authorize attribute. You can place it on individual actions or on the entire controller.

[Authorize(Roles="admin")]

More information here:

http://forums.asp.net/p/1428467/3192831.aspx

Nathan Ridley  2009-06-05 18:58:08
And how to do it based on the user_perm table? should I inherit Authorize?
Jhonny D. Cano -Leftware-  2009-06-05 19:31:42
You should build a custom attribute. Please see my answer with the custom attribute example....
Ropstah  2009-06-05 19:46:21
Yeah I use my own custom attribute for my stuff - check out ropstah's example.
Nathan Ridley  2009-06-05 19:53:36
A: 

They way we are handling it is through Attributes.

    [Authorize]
    public ActionResult SomeAction() {
        return View();
    }

“[Authorize]” is equvalent to “[Authorize(Roles="user")]”. For specific roles use [Authorize(Roles="")].

Jack Marchetti  2009-06-05 18:58:13

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data