Skip to main content

Custom authorization on class, action/function, code, area level under Asp.Net MVC application

With evolution of ASP.Net MVC there are lot of inbuilt feature came and evolved with time. One of those is Authorization and Custom Authorization. The in-built function is sufficient enough to handle anonymous user restriction, user based on there name, specific roles for user with just single class AuthorizeAttribute.
To implement we need to decorate attribute on any given class, action based on need.
Example:

 [Authorize]  
 public ActionResult Test()  
 {  
 }

By just providing Authorize attribute anonymous user are restricted. It has Roles and Users property parameters to restrict access based on certain role or user which can accept multiple values by comma separated as string format.

In one of the situation, I got chance to built an authorization where roles keep changing. Administrator can add new role, delete any role or modify existing role. In that situation we cannot map roles with codes. So, there were two way to achieve by creating group of roles and letting administrator to modify those groups or sub-dividing roles to permission level. Both approaches are vice-versa to each other.

For me normalizing roles to permission level sounded better approach since I was never happy with inbuilt weakly typed way for authorization as we can miss-type anything which can go wrong. Going with this approach we can create table relation like this:
|--User (One to Many between User and Role)
   |--Role (One to Many between Role and Permission)
       |--Permission

My examples would be based on above approach but there is no restriction with concept we can go ahead for making role based authorization strong typed and extend approach for code level authorization.

There are number of things that need to be followed to achieve it. The brief description are as follows which would easier to understand and to follow article.

  1. Creating tables based on permission structure or skip if we are looking for strongly typed role authorization.
  2. Creating Enums for permission or roles.
  3. Creating common functionalities at common place to be used on Custom authorization, base controller function and Html helper for implementing authorization on HTML elements.
  4. Custom authorization based on enum.
  5. Html helper for authorization on elements.
  6. Base controller, generic function implementation to handle permissions on action level code.
  7. Area level authorization.
Creating tables based on permission structure or skip if we are looking for strongly typed role authorization.
There are two things we need to create the first one is permission model and associate permission model with roles.

   public class AppPermission  
   {  
     public int PermissionId { get; set; }  
     public string PermissionName { get; set; }  
   }

Based on ORM theses need to be mapped with Membership role class. In case of Asp.Identity EF Provider IdentityRole need to be extended to have many to many relationship between AppPermission and the extend class from IdentityRole.
Asp.Net Identity UserManager can be also extended to interact with AppPermission on DB.

Based on ORM and Membership the implementation may vary but key idea is to have many to many relationship between roles and permission and have a way to interact with DB.

Creating Enums for permission or roles.
Since the application authorization would be entirely dependent on Enum values. We need to create enum based on Permission Names. This could be easily done by fpllowing http://vikutech.blogspot.in/2014/01/enumeration-generation-for-lookup-table.html.
We can use similar approach to generate roles. 

After generating it can look like this:

   public enum PermissionRule  
   {  
     CanAddBlog,  
     CanEditBlog,  
     CanViewBlog,  
   }

Now, all authorization parts would be dependent on PermissionRule enum.

If we are going with Permission approach we can extent functionality to check any or all provided permission with new enum called ComparisonType:
   /// <summary>  
   /// Comparison request  
   /// </summary>  
   public enum ComparisonType  
   {  
     /// <summary>  
     /// Comparison based on all fields  
     /// </summary>  
     All,  
     /// <summary>  
     /// Comparison based on any available fields  
     /// </summary>  
     Any,  
   }
Example for implementation that would look like:
[AppAuthorize(PermissionRule.CanAddBlog, PermissionRule.CanEditBlog, ComparisonType =  ComparisonType.Any)]

Creating common functionalities at common place to be used on Custom authorization
In this common functionality we are going to pass all user permission, the requested permission and comparison type to check whether user is authorized or not.

public class WebHelper  
   {  
     /// <summary>  
     /// Determines whether the specified user permissions has requested permission.  
     /// </summary>  
     /// <param name="userPermissions">The user's permissions.</param>  
     /// <param name="requestedPermissions">The expected permissions.</param>  
     /// <param name="userName">Name of the user.</param>  
     /// <param name="comparisonType">Type of the comparison.</param>  
     /// <returns>  
     /// True, If requested permissions exists in User's permission list  
     /// </returns>  
     internal static bool HasPermission(IEnumerable<PermissionRule> userPermissions, IEnumerable<PermissionRule> requestedPermissions,  
       string userName, ComparisonType comparisonType = ComparisonType.All)  
     {  
       // TODO: if having any direct user name who is having global permissions.  
       //if (String.Equals(userName, Constant.ADMIN_NAME, StringComparison.OrdinalIgnoreCase))  
       //{  
       //  return true;  
       //}  
       if (requestedPermissions == null || userPermissions == null)  
       {  
         return false;  
       }  
       bool hasPermission = false;  
       switch (comparisonType)  
       {  
         case ComparisonType.All:  
           hasPermission = requestedPermissions.All(reqPerm => userPermissions.Any(usrPerm => usrPerm == reqPerm));  
           break;  
         case ComparisonType.Any:  
           hasPermission = requestedPermissions.Any(reqPerm => userPermissions.Any(usrPerm => usrPerm == reqPerm));  
           break;  
         default:  
           throw new ArgumentException("New comparison type need to be included");  
       }  
       return hasPermission;  
     }  
   }


Custom authorization based on enum.
In MVC, we can find dedicated filter name AuthorizeAttribute which can be inherited and customized with implementation of AuthorizeCore method. IActionFilter is also going to be used for setting up permissions under ViewBag so that it can be accessed on Html Helpers through ViewBag.

   /// <summary>  
   /// Custom authorization implementation for checking permission rules.  
   /// </summary>  
   public class AppAuthorizeAttribute  
     : System.Web.Mvc.AuthorizeAttribute, System.Web.Mvc.IActionFilter  
   {  
     /// <summary>  
     /// Gets or sets the requested permissions.  
     /// </summary>  
     /// <value>  
     /// The requested permissions.  
     /// </value>  
     public IList<PermissionRule> RequestedPermissions { get; set; }  
     /// <summary>  
     /// Gets or sets the type of the comparison.  
     /// </summary>  
     /// <value>  
     /// The type of the comparison.  
     /// </value>  
     public ComparisonType ComparisonType { get; set; }  
     /// <summary>  
     /// Initializes a new instance of the <see cref="AppAuthorizeAttribute"/> class.  
     /// </summary>  
     /// <param name="permissions">The permissions.</param>  
     public AppAuthorizeAttribute(params PermissionRule[] permissions)  
     {  
       RequestedPermissions = permissions.ToList();  
     }  
     #region " IActionFilter implementation for saving permission status "  
     /// <summary>  
     /// Called before an action method executes.  
     /// Set users permission into ViewBag  
     /// </summary>  
     /// <param name="filterContext">The filter context.</param>  
     void IActionFilter.OnActionExecuting(ActionExecutingContext filterContext)  
     {  
       if (filterContext.RequestContext.HttpContext.Request.IsAuthenticated)  
       {  
         // Set users permission to ViewBag  
         var usrPermissions = GetUserPermission(filterContext.HttpContext);  
         filterContext.Controller.ViewBag.UserPermissionRules = usrPermissions;  
       }  
     }  
     /// <summary>  
     /// Called after the action method executes.  
     /// </summary>  
     /// <param name="filterContext">The filter context.</param>  
     void IActionFilter.OnActionExecuted(ActionExecutedContext filterContext)  
     {  
       // Not required  
     }  
     #endregion " IActionFilter implementation for saving permission status "  
     /// <summary>  
     /// An entry point for custom authorization checks. This will check user roles and  
     /// permission.  
     /// </summary>  
     /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific  
     /// information about an individual HTTP request.</param>  
     /// <returns>true if the user is authorized; otherwise, false.</returns>  
     protected override bool AuthorizeCore(HttpContextBase httpContext)  
     {  
       if (!base.AuthorizeCore(httpContext))  
       {  
         return false;  
       }  
       var userName = httpContext.User.Identity.Name;  
       if (RequestedPermissions != null && RequestedPermissions.Any())  
       {  
         var usrPermissions = GetUserPermission(httpContext);  
         if (!WebHelper.HasPermission(usrPermissions, RequestedPermissions, userName, ComparisonType))  
         {  
           return false;  
         }  
       }  
       return true;  
     }  
     /// <summary>  
     /// Processes HTTP requests that fail authorization.  
     /// </summary>  
     /// <param name="filterContext">Encapsulates the information for using <see cref="T:System.Web.Mvc.AuthorizeAttribute" />. The <paramref name="filterContext" /> object contains the controller, HTTP context, request context, action result, and route data.</param>  
     protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)  
     {  
       // TODO: Page redirect if having any otherwise no need to override function.  
     }  
     /// <summary>  
     /// Gets the user permission.  
     /// </summary>  
     /// <param name="httpContext">The HTTP context.</param>  
     /// <returns>Permissions related to user</returns>  
     protected IList<PermissionRule> GetUserPermission(HttpContextBase httpContext)  
     {  
       var userName = httpContext.User.Identity.Name;  
       // TODO: Get all permission list for user.  
       // TODO: Add caching logic to avoid DB hits  
       return new List<PermissionRule>();  
     }  
   }

The above implementation is doing two things, first checking permission on AuthorizeCore function and saving user's permission under ViewBag ViewBag.UserPermissionRules.

How to use?

 Example 1:
 [AppAuthorize(PermissionRule.CanAddBlog, PermissionRule.CanEditBlog, ComparisonType = ComparisonType.Any)]  
 public ActionResult ViewBlog()  
 {  
 }

Example 2:
 [AppAuthorize(PermissionRule.CanViewBlog)]  
 public ActionResult ViewBlog()  
 {  
 }

The same approach can be used on class level as well.

Html helper for authorization on elements
Since, user permission list is already saved under view bag it would be much easier to access.

   /// <summary>  
   /// Native HTML Helper extension  
   /// </summary>  
   public static class HtmlExtensions  
   {  
     /// <summary>  
     /// Determines whether user is having permission.  
     /// </summary>  
     /// <param name="htmlHelper">The HTML helper.</param>  
     /// <param name="comparisonType">Type of the comparison.</param>  
     /// <param name="permissions">The permission checks.</param>  
     /// <returns>  
     /// True, if  
     /// </returns>  
     /// <exception cref="System.Exception">The controller used to render this view doesn't inherit from BaseController</exception>  
     public static bool IsUserHavingPermission(this HtmlHelper htmlHelper,  
       ComparisonType comparisonType = ComparisonType.All, params PermissionRule[] permissions)  
     {  
       IEnumerable<PermissionRule> userPermissionRules = htmlHelper.ViewBag.UserPermissionRules;  
       if (userPermissionRules == null)  
       {  
         throw new NotImplementedException("User permissions not set.");  
       }  
       return WebHelper.HasPermission(userPermissionRules, permissions,  
         htmlHelper.ViewContext.RequestContext.HttpContext.User.Identity.Name  
         , comparisonType);  
     }  
     /// <summary>  
     /// Determines whether user is having specified permissions.  
     /// </summary>  
     /// <param name="htmlHelper">The HTML helper.</param>  
     /// <param name="permissions">The permissions.</param>  
     /// <returns></returns>  
     public static bool IsUserHavingPermission(this HtmlHelper htmlHelper, params PermissionRule[] permissions)  
     {  
       return IsUserHavingPermission(htmlHelper, ComparisonType.All, permissions);  
     }  
   }

The Html helper contains overloaded IsUserHavingPermission functions which deals with required permission rule and optional ComparisonType parameter. It is consuming previously created ViewBag to access all user permissions.

How to use?
Please note that the namespace reference need to be added under web.config or need to be used under view.
Example 1:
 @if (Html.IsUserHavingPermission(PermissionRule.CanEditBlog))  
 {  
   <!-- Blog edit button-->  
 }

Example 2 (Same can be used to add CSS)
@Html.IsUserHavingPermission(PermissionRule.CanEditBlog)

Base controller generic function implementation to handle permissions on action level code.

This is optional, if need authorization on code level under action we can implement. For this implementation we need Base Controller or we can create somewhere at common place to use it.

   public class BaseController  
   : Controller  
   {  
     /// <summary>  
     /// Determines whether the specified comparison type has permission.  
     /// </summary>  
     /// <param name="comparisonType">Type of the comparison.</param>  
     /// <param name="permissionRules">The permissions.</param>  
     /// <returns>True, If user has permission.</returns>  
     protected bool HasPermission(ComparisonType comparisonType = ComparisonType.All,  
       params PermissionRule[] permissionRules)  
     {  
       return WebHelper.HasPermission(ViewBag.UserPermissionRules, permissionRules,  
         HttpContext.User.Identity.Name, comparisonType);  
     }  
     /// <summary>  
     /// Gets the result based on authorization.  
     /// </summary>  
     /// <param name="resultOnCondition">The result on condition.</param>  
     /// <param name="comparisonType">Type of the comparison.</param>  
     /// <param name="permissionRules">The permission rules.</param>  
     /// <returns>If authorization success then the view else redirect to page not authorized.</returns>  
     protected ActionResult GetResultOnAuthorization(Func<ActionResult> resultOnCondition,  
       ComparisonType comparisonType = ComparisonType.All,  
       params PermissionRule[] permissionRules)  
     {  
       return HasPermission(comparisonType, permissionRules) ? resultOnCondition() :  
           new HttpUnauthorizedResult(); // Unauthorized action redirect  
     }  
     /// <summary>  
     /// Gets the result based on authorization.  
     /// </summary>  
     /// <param name="resultOnCondition">The result on condition.</param>  
     /// <param name="permissionRules">The permission rules.</param>  
     /// <returns>If authorization success then the view else redirect to page not authorized.</returns>  
     protected ActionResult GetResultOnAuthorization(Func<ActionResult> resultOnCondition, params PermissionRule[] permissionRules)  
     {  
       return GetResultOnAuthorization(resultOnCondition, ComparisonType.All, permissionRules);  
     }  
   }

How to use?

 
     public ActionResult ManageBlog()  
     {  
       return GetResultOnAuthorization(() =>  
       {  
         // Codes
         return View();  
       }, PermissionRule.CanEditBlog);  
       // If having any other condition  
     }

Area level authorization, if required.
I am not going have exact code for same but retrieving area is simple enough through HttpContext. Our AppAuthorizeAttribute can be extended to restrict based on area.

httpContext.Request.RequestContext.RouteData.Values["area"]

The above code can extract area name from HttpContext and can be matched against PermissionRule enum where the name could be prefixed with area.




Labels:

Comments

Post a Comment

Popular posts from this blog

Using Redis distributed cache in dotnet core with helper extension methods

Redis cache is out process cache provider for a distributed environment. It is popular in Azure Cloud solution, but it also has a standalone application to operate upon in case of small enterprises application. How to install Redis Cache on a local machine? Redis can be used as a local cache server too on our local machines. At first install, Chocolatey https://chocolatey.org/ , to make installation of Redis easy. Also, the version under Chocolatey supports more commands and compatible with Official Cache package from Microsoft. After Chocolatey installation hit choco install redis-64 . Once the installation is done, we can start the server by running redis-server . Distributed Cache package and registration dotnet core provides IDistributedCache interface which can be overrided with our own implementation. That is one of the beauties of dotnet core, having DI implementation at heart of framework. There is already nuget package available to override IDistributedCache i...
3 comments
Read more

Trim text in MVC Core through Model Binder

Trimming text can be done on client side codes, but I believe it is most suitable on MVC Model Binder since it would be at one place on infrastructure level which would be free from any manual intervention of developer. This would allow every post request to be processed and converted to a trimmed string. Let us start by creating Model binder using Microsoft.AspNetCore.Mvc.ModelBinding; using System; using System.Threading.Tasks; public class TrimmingModelBinder : IModelBinder { private readonly IModelBinder FallbackBinder; public TrimmingModelBinder(IModelBinder fallbackBinder) { FallbackBinder = fallbackBinder ?? throw new ArgumentNullException(nameof(fallbackBinder)); } public Task BindModelAsync(ModelBindingContext bindingContext) { if (bindingContext == null) { throw new ArgumentNullException(nameof(bindingContext)); } var valueProviderResult = bindingContext.ValueProvider.GetValue(bin...
2 comments
Read more

Elegantly dealing with TimeZones in MVC Core / WebApi

In any new application handling TimeZone/DateTime is mostly least priority and generally, if someone is concerned then it would be handled by using DateTime.UtcNow on codes while creating current dates and converting incoming Date to UTC to save on servers. Basically, the process is followed by saving DateTime to UTC format in a database and keep converting data to native format based on user region or single region in the application's presentation layer. The above is tedious work and have to be followed religiously. If any developer misses out the manual conversion, then that area of code/view would not work. With newer frameworks, there are flexible ways to deal/intercept incoming or outgoing calls to simplify conversion of TimeZones. These are steps/process to achieve it. 1. Central code for storing user's state about TimeZone. Also, central code for conversion logic based on TimeZones. 2. Dependency injection for the above class to ...
4 comments
Read more

Interface based model binding to populate properties value automatically

Interface is great way to make consistency and re-useability of codes. In this tutorial, I am going to show the power of interface to populate view/domain models automatically and interchange values between models. Technologies or techniques used in this approach: - MVC. - Interface for models. - MVC model binder for associated model with interface. Through this model binder we will populate values. - T4 template to generate code to register model binder with all models associated with interface. - Generic extension method to interchange values. It might sounding bit complex to achieve small thing. Just hold on with me and see unfolding. This will result in easier maintenance and less repetitive code. First let's start with creation of Interface that need to be populate automatically. This interface would be implemented on models and values will be auto-populated on binder. /// <summary> /// Interface for storing entry related values /// </summar...
Post a Comment
Read more

OpenId Authentication with AspNet Identity Core

This is a very simple trick to make AspNet Identity work with OpenId Authentication. More of all both approach is completely separate to each other, there is no any connecting point. I am using  Microsoft.AspNetCore.Authentication.OpenIdConnect  package to configure but it should work with any other. Configuring under Startup.cs with IAppBuilder app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme, LoginPath = new PathString("/Account/Login"), CookieName = "MyProjectName", }) .UseIdentity() .UseOpenIdConnectAuthentication(new OpenIdConnectOptions { ClientId = "<AzureAdClientId>", Authority = String.Format("https://login.microsoftonline.com/{0}", "<AzureAdTenant>"), ResponseType = OpenIdConnectResponseType.IdToken, PostLogoutRedirectUri = "<my website url>", ...
Post a Comment
Read more

Getting started with Raspberry Pi

Raspberry Pi is a small, low powered motherboard contains 512 RAM, combined CPU and GPU. It has LAN, 2 USB, HDMI input, Audio Out, SD Card reader and S-Video connectors. We can have many Linux distribution OS on it. To configure, we just need to attach SD Card to it. SD Card could range from class 4 to class 10. In some cases Raspberry Pi could support less then class 4 cards too. It could be powered through mini USB mobile charger. Let's get started with installing OS on SD Card. There are various ways to install OS. Like we can download OSes through  http://www.raspberrypi.org/downloads  and follow the instructions given on it. There is something BerryBoot multi-boot loader through which we can have more then one OS on Raspberry Pi and boot OS according to our need.  http://www.berryterminal.com/doku.php/berryboot  instructions could be followed to install OS with very simple steps. You need to have internet connection on Raspberry Pi to install OS. It coul...
Post a Comment
Read more

Kendo MVC Grid DataSourceRequest with AutoMapper - Advance

The actual process to make DataSourceRequest compatible with AutoMapper was explained in my previous post  Kendo MVC Grid DataSourceRequest with AutoMapper , where we had created custom model binder attribute and in that property names were changed as data models. In this post we will be looking into using AutoMapper's Queryable extension to retrieve the results based on selected columns. When  Mapper.Map<RoleViewModel>(data)  is called it retrieves all column values from table. The Queryable extension provides a way to retrieve only selected columns from table. In this particular case based on properties of  RoleViewModel . The previous approach that we implemented is perfect as far as this article ( 3 Tips for Using Telerik Data Access and AutoMapper ) is concern about performance where it states: While this functionality allows you avoid writing explicit projection in to your LINQ query it has the same fatal flaw as doing so - it prevents the qu...
Post a Comment
Read more

Centralized model validation both for MVC/WebApi and SPA client-side validation using FluentValidation

Validation is one of the crucial parts of any application. It has to validate on both client side and server side requests. What are target features or implementation from this article? Model validation for any given model. Centralized/One code for validation on both server-side and client-side. Automatic validation of model without writing any extra codes on/under actions for validation.  NO EXTRA/ANY codes on client-side to validate any form. Compatible with SPA. Can be compatible with any client-side validation framework/library. Like Angular Reactive form validation or any jquery validation libraries. Tools used in the implementation? FluentValidation : I feel DataAnnotation validation are excellent and simple to use, but in case of complex validation or writing any custom validations are always tricker and need to write a lot of codes to achieve whereas FluentValidations are simple even in case of complex validation. Generally, we need to validate inc...
2 comments
Read more

Implementing/Automating audit logs in Telerik Data Access

Audit logs can be tedious task if done manually, also developer might miss to update audit log implementation on certain level. The codes would be repeated on all places if not centralized. There are many approach available to maintain change history of model/table. Like having single history table and manage all changes of all models in same table. We may maintain in same table with some flags and JSON data for change list. We will look for maintaining history table based on each required data models with minimum effort and performance. To reduce code, I am going to use T4 to generate history models automatically based on original model. Also we are going to take care of Artificial type values. Step 1 - Create a custom attribute to mark model that history need to be maintained. /// <summary> /// Attribute to maintain history table /// </summary> [AttributeUsage(AttributeTargets.Class)] public class ManageHistoryAttribute : Attribute ...
Post a Comment
Read more

Global exception handling and custom logging in AspNet Core with MongoDB

In this, we would be looking into logging and global exception handling in the AspNet Core application with proper registration of logger and global exception handling. Custom logging The first step is to create a data model that we want to save into DB. Error log Data model These are few properties to do logging which could be extended or reduced based on need. public class ErrorLog { /// <summary> /// Gets or sets the Error log identifier. /// </summary> /// <value> /// The Error log identifier. /// </value> [BsonRepresentation(BsonType.ObjectId)] public ObjectId Id { get; set; /// <summary> /// Gets or sets the date. /// </summary> /// <value> /// The date. /// </value> public DateTime Date { get; set; } /// <summary> /// Gets or sets the thread. /// </summary> ...
1 comment
Read more