2009-09-06 06:43:07 8 Comments
I'm trying to add simple Authentication and Authorization to an ASP.NET MVC application.
I'm just trying to tack on some added functionality to the basic Forms Authentication (due to simplicity and custom database structure)
Assuming this is my database structure:
User:
- username
- password
- role (ideally some enum. Strings if need be. Currently, user only has ONE role, but this might change)
High Level Problem: Given the above database structure, I would like to be able to do the following:
- Simple Login using Forms Authentication
- Decorate my actions with: [Authorize(Roles={ MyRoles.Admin, MyRoles.Member})]
- Use roles in my Views (to determine links to display in some partials)
Currently, all I'm really sure of is how to Authenticate. After that I'm lost. I'm not sure at which point do I grab the user role (login, every authorization?). Since my roles may not be strings, I'm not sure how they will fit in with the User.IsInRole().
Now, I'm asking here because I haven't found a "simple" way to accomplish what I need. I have seen multiple examples.
For Authentication:
- We have simple user validation that checks the database and "SetAuthCookie"
- Or we override the Membership provider and do this inside of ValidateUser
In either of these, I'm not sure how to tack on my simple user Roles, so that they work with the: HttpContext.Current.User.IsInRole("Administrator")
Furthermore, I'm not sure how to modify this to work with my enum values.
For Authorization, I've seen:
- Deriving AuthorizeAttribute and implementing AuthorizeCore OR OnAuthorization to handle roles?
- Implementing IPrincipal?
Any assistance would be greatly appreciated. However, I fear I may need a lot of detail, because none of what I've Googled seems to fit with what I need to do.
5 comments
@yinner 2010-02-26 14:21:06
I think I've implemented something similar.
My solution, based on NerdDinner tutorial, is following.
When you sign the user in, add code like this:
Add following code to Global.asax.cs:
After you've done this, you can use [Authorize] attribute in your controller action code:
Please let me know if you have further questions.
@ocanal 2014-01-11 00:27:47
If it doesn't work for you, just add this
<appSettings> <add key="enableSimpleMembership" value="false" /> </appSettings>
in Web.config.
@Fredrik Stolpe 2014-01-23 12:32:28
Just what I was looking for! Thanks
@Skye MacMaster 2014-03-25 14:57:45
I tried this but Context.User is always null for me. Maybe I need to change something in web.config. However, I got it to work by removing 'if (Context.User != null)' and changing the last line in Application_AuthenticateRequest to 'Context.User = new GenericPrincipal(new GenericIdentity(authTicket.Name), roles);'.
@Nezam 2015-03-22 08:56:00
Exactly what I needed! Can't imagine that such a simple thing like this would require delving into so many blogs, questions and books!!
@Sagiv b.g 2018-06-11 07:09:00
Hmmz, User.IsAuthenticated always returns false. Would I be able to check for User.IsInRole as well (after I'll sort out my issue)?
@Neal 2009-10-10 02:52:58
Build a custom AuthorizeAttribute that can use your enums rather than strings. When you need to authorise, convert the enums into strings by appending the enum type name + the enum value and use the IsInRole from there.
To add roles into an authorised user you need to attach to the HttpApplication AuthenticateRequest event something like the first code in http://www.eggheadcafe.com/articles/20020906.asp (but invert the massively nested if statements into guard clauses!).
You can round-trip the user's roles in the forms auth cookie or grab them from the database each time.
@Kevin 2009-12-30 21:46:08
Actually, that's exactly what I ended up doing. I finally realized that you can't get around the String thing if you're using IsInRole. So I could have my enums throughout my Controllers, but if I ever need to check Roles in the view, I'm stuck with IsInRole... ThanX
@Neal 2010-01-10 20:59:32
Factor out the enum -> string conversion from the attribute into a helper, use the helper from the attribute and create a html helper extension method IsUserInRole that also uses the helper but is easily accessible from the view.
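One way to lay out what @Neal describes above (an enum-based attribute, a shared enum-to-string helper, and an HTML helper for views), as an added example that is not code from the thread. The names RoleNames, AuthorizeRolesAttribute and RoleHtmlExtensions are assumptions, and the role strings on the principal are assumed to have been produced by the same helper at sign-in.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

public enum MyRoles { Admin, Member }   // enum name taken from the question

// Single place for the enum -> string conversion, shared by the attribute and the view helper.
public static class RoleNames
{
    // "enum type name + enum value", e.g. "MyRoles.Admin". The strings placed on the
    // principal at sign-in must be produced by this same method (assumption).
    public static string For(MyRoles role)
    {
        if (!Enum.IsDefined(typeof(MyRoles), role))
            throw new ArgumentOutOfRangeException("role");
        return typeof(MyRoles).Name + "." + role;
    }
}

// Usage: [AuthorizeRoles(MyRoles.Admin, MyRoles.Member)]
public sealed class AuthorizeRolesAttribute : AuthorizeAttribute
{
    public AuthorizeRolesAttribute(params MyRoles[] roles)
    {
        // An empty Roles string makes AuthorizeAttribute accept any authenticated user,
        // so an empty list is rejected instead of silently widening access.
        if (roles == null || roles.Length == 0)
            throw new ArgumentException("At least one role is required.", "roles");
        Roles = string.Join(",", roles.Select(r => RoleNames.For(r)));
    }
}

public static class RoleHtmlExtensions
{
    // View usage: Html.IsUserInRole(MyRoles.Admin)
    public static bool IsUserInRole(this HtmlHelper html, MyRoles role)
    {
        var user = html.ViewContext.HttpContext.User;
        return user != null && user.Identity.IsAuthenticated
            && user.IsInRole(RoleNames.For(role));
    }
}
```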
@Nenotlep 2012-08-09 06:50:39
Also, one option is to use a class with string properties for the roles.
public static class MyRoles { public const string Viewer = "Viewer"; ..etc.. }
Then you can add methods like GetAll(), GetDefault() and call the role like [Authorize(Roles=MyRoles.Viewer)].
@wchoward 2013-04-04 16:37:30
I did something like this:
Assign the [Authorize] attribute to the controllers you want to require authorization for
or to allow access, for example the Login and ValidateUser controllers use the below attribute
My Login Form
Login Controller and ValidateUser controller invoked from the Form post
Validate user is authenticated via a WCF service that validates against the Windows AD Context local to the service, but you can change this to your own authentication mechanism
User is authenticated now create the new Identity
On my site at the top of my _Layout.cshtml I have something like this
Then in the body
@Marlon 2010-04-08 13:14:37
@Phil Cooper 2012-11-27 17:13:29
This post needs an explanation as to why it should be considered.
@Mike McClintock 2009-09-06 14:48:41
Add your users to the table "users in roles". Use the stored procedure "addusertorole" (something like that) in your code to add to various roles. You can create the roles very simply in the "roles" table.
Your tables to use: User, UsersInRole, Roles
Use the built in Stored Procs to manipulate those tables. Then all you have to do is add the attribute.
For example you can have an "Admin" attribute on a view that selects a user and adds them to a role. You can use the stored proc to add that user to the role.
@Kevin 2009-09-06 21:34:32
I'm not concerned about the SQL database. I can handle that on my own. I just need to know "where".
@Mike McClintock 2009-09-27 03:31:25
When you say "where" do you mean where do you put the attribute?