Skip to main content

Custom authorization based on dotnet core policy with Attribute filter

Around 2.5 years back I had written about custom authorization on MVC  Custom authorization on class, action/function, code, area level under Asp.Net MVC application, there are few approaches which are changed in Core version for authorization. Like Authorization filter approach is discouraged since it cannot be unit tested. I believe this is right step but also global or basic authentication could still be driven by Attribute due to enhancing simplicity on codes by focusing on the primary objective rather than writing authorization check everywhere.

The whole approach and usage remain same from the original Post, in this, we would be just looking into making it compatible with dotnet Core MVC. You would need to go through earlier Post to understand the approach that was taken for authorization of a user.

Also, can go through official post: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies to understand new approach.

More of all we need to create Requirement i:e PermissionAuthorizationRequirement, Handler for authentication and AppAuthorizeAttribute attribute.

Creating policy requirement

This can accept comparison type and PermissionRule that may be required for authorization.

   /// <summary>  
   /// Permission authorization requirement.  
   /// </summary>  
   /// <seealso cref="IAuthorizationRequirement" />  
   public class PermissionAuthorizationRequirement  
     : Microsoft.AspNetCore.Authorization.IAuthorizationRequirement  
   {  
     /// <summary>  
     /// Gets or sets the comparison mode.  
     /// </summary>  
     /// <value>  
     /// The comparison mode.  
     /// </value>  
     public ComparisonType ComparisonMode { get; set; }  
     /// <summary>  
     /// Initializes a new instance of the <see cref="PermissionAuthorizationRequirement"/> class.  
     /// </summary>  
     public PermissionAuthorizationRequirement()  
     {  
       ComparisonMode = ComparisonType.All;  
     }  
     /// <summary>  
     /// Initializes a new instance of the <see cref="PermissionAuthorizationRequirement" /> class.  
     /// </summary>  
     /// <param name="permissions">The permissions.</param>  
     /// <param name="comparisonType">Type of the comparison.</param>  
     public PermissionAuthorizationRequirement(PermissionRule[] permissions, ComparisonType comparisonType)  
     {  
       Permissions = permissions;  
       ComparisonMode = comparisonType;  
     }  
     /// <summary>  
     /// Gets the permissions.  
     /// </summary>  
     /// <value>  
     /// The permissions.  
     /// </value>  
     public PermissionRule[] Permissions { get; private set; }  
   }

Handler for authorization check of user

This would authorize the user based on saved permissions from DB and required permission to access the requested resource.

 using System.Linq;  
 /// <summary>  
 /// Permission authorization handler.  
 /// </summary>  
 /// <seealso cref="Microsoft.AspNetCore.Authorization.AuthorizationHandler{PermissionsAuthorizationRequirement}" />  
 public class PermissionAuthorizationHandler  
 : Microsoft.AspNetCore.Authorization.AuthorizationHandler<PermissionAuthorizationRequirement>  
 {  
   public PermissionAuthorizationHandler(ISecurityUserRepository securityUserRepository)  
   {  
     // Dependency injection to get value from repository.  
     SecurityUserRepository = securityUserRepository;  
   }  
   /// <summary>  
   /// Gets the security user repository.  
   /// </summary>  
   /// <value>  
   /// The security user repository.  
   /// </value>  
   public ISecurityUserRepository SecurityUserRepository { get; }  
   /// <summary>  
   /// Makes a decision if authorization is allowed based on a specific requirement.  
   /// </summary>  
   /// <param name="context">The authorization context.</param>  
   /// <param name="requirement">The requirement to evaluate.</param>  
   /// <returns>Permission check for user based on Permission requirement.</returns>  
   /// <exception cref="ArgumentException">New comparison type need to be included</exception>  
   protected override async System.Threading.Tasks.Task HandleRequirementAsync(  
     Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context,  
     PermissionAuthorizationRequirement requirement)  
   {  
     if (!context.User.Identity.IsAuthenticated)  
     {  
       return;  
     }  
     // Getting user id from claims  
     if (!int.TryParse(context.User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value, out int userId))  
     {  
       return;  
     }  
     // TODO: Implement caching for this  
     var userPermissions = await SecurityUserRepository.GetUserPermissions(userId);  
     var hasPermission = false;  
     switch (requirement.ComparisonMode)  
     {  
       case ComparisonType.All:  
         {  
           hasPermission = requirement.Permissions.All(reqPerm => userPermissions.Any(usrPerm => usrPerm == reqPerm));  
           break;  
         }  
       case ComparisonType.Any:  
         {  
           hasPermission = requirement.Permissions.Any(reqPerm => userPermissions.Any(usrPerm => usrPerm == reqPerm));  
           break;  
         }  
       default:  
         {  
           throw new System.ArgumentException("New comparison type need to be included");  
         }  
     }  
     if (hasPermission)  
     {  
       context.Succeed(requirement);  
     }  
   }  
 }

Attribute filter for invoking implementation

This would allow us to pass permission rule and optional ComparisionType for authorization of a user.

 using Microsoft.AspNetCore.Authorization;  
 using Microsoft.AspNetCore.Mvc;  
 using Microsoft.AspNetCore.Mvc.Filters;  
 using System;  
 using System.Threading.Tasks;  
 /// <summary>  
 /// Application authorization  
 /// </summary>  
 /// <seealso cref="TypeFilterAttribute" />  
 public sealed class AppAuthorizeAttribute  
   : TypeFilterAttribute  
 {  
   /// <summary>  
   /// Initializes a new instance of the <see cref="AppAuthorizeAttribute"/> class.  
   /// </summary>  
   /// <param name="permissions">The permissions.</param>  
   public AppAuthorizeAttribute(params PermissionRule[] permissions)  
     : base(typeof(AppAuthorizeExecuteAttribute))  
   {  
     Arguments = new[] { new PermissionAuthorizationRequirement(permissions, ComparisonType.All) };  
   }  
   /// <summary>  
   /// Initializes a new instance of the <see cref="AppAuthorizeAttribute"/> class.  
   /// </summary>  
   /// <param name="comparisonType">Type of the comparison.</param>  
   /// <param name="permissions">The permissions.</param>  
   public AppAuthorizeAttribute(ComparisonType comparisonType = ComparisonType.All, params PermissionRule[] permissions)  
     : base(typeof(AppAuthorizeExecuteAttribute))  
   {  
     Arguments = new[] { new PermissionAuthorizationRequirement(permissions, comparisonType) };  
   }  
   /// <summary>  
   /// App authorize execution.  
   /// </summary>  
   /// <seealso cref="Attribute" />  
   /// <seealso cref="IAsyncResourceFilter" />  
   private sealed class AppAuthorizeExecuteAttribute  
     : Attribute, IAsyncResourceFilter  
   {  
     /// <summary>  
     /// The authorization service  
     /// </summary>  
     private readonly IAuthorizationService AuthorizationService;  
     /// <summary>  
     /// The required permissions  
     /// </summary>  
     private readonly PermissionAuthorizationRequirement RequiredPermissions;  
     /// <summary>  
     /// Initializes a new instance of the <see cref="AppAuthorizeExecuteAttribute" /> class.  
     /// </summary>  
     /// <param name="requiredPermissions">The required permissions.</param>  
     /// <param name="authorizationService">The authorization service.</param>  
     public AppAuthorizeExecuteAttribute(  
           PermissionAuthorizationRequirement requiredPermissions,  
           IAuthorizationService authorizationService)  
     {  
       RequiredPermissions = requiredPermissions;  
       AuthorizationService = authorizationService;  
     }  
     /// <summary>  
     /// Called asynchronously before the rest of the pipeline.  
     /// </summary>  
     /// <param name="context">The <see cref="T:Microsoft.AspNetCore.Mvc.Filters.ResourceExecutingContext" />.</param>  
     /// <param name="next">The <see cref="T:Microsoft.AspNetCore.Mvc.Filters.ResourceExecutionDelegate" />. Invoked to execute the next resource filter or the remainder  
     /// of the pipeline.</param>  
     /// <returns>  
     /// A <see cref="T:System.Threading.Tasks.Task" /> which will complete when the remainder of the pipeline completes.  
     /// </returns>  
     public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)  
     {  
       var authResult = await AuthorizationService.AuthorizeAsync(  
               context.HttpContext.User,  
               null,  
               new PermissionAuthorizationRequirement(RequiredPermissions.Permissions, RequiredPermissions.ComparisonMode));  
       if (!authResult.Succeeded)  
       {  
         context.Result = new ChallengeResult();  
         return;  
       }  
       await next?.Invoke();  
     }  
   }  
 }

Registering handler and requirement in MVC

There could be multiple requirements that could be added to it, but for our global one, we need only one.

 service.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();  
 service.AddAuthorization(options =>  
 {  
   options.AddPolicy("PermissionAuthorization", policy =>  
     policy.Requirements.Add(new PermissionAuthorizationRequirement()));  
 });

Usage

Applying authorization to action is much more straightforward.

 [AppAuthorize(ComparisonType.Any, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog)]  
 public ActionResult ViewBlog()  
 {  
 }

Authorization on code level

This is code on custom BaseController to authorize specific area of codes. This is same as the previous post just that new dotnet core custom policy is used.

 /// <summary>  
 /// Executes passed function once authorization is successful.  
 /// </summary>  
 /// <param name="func">The function.</param>  
 /// <param name="comparisonType">Type of the comparison.</param>  
 /// <param name="permissions">The permissions.</param>  
 /// <returns>Result based on passed function if authorization is successful.</returns>  
 public async Task<IActionResult> OnSuccessAuthAsync(  
     Func<IActionResult> func,  
     ComparisonType comparisonType,  
     params PermissionRule[] permissions)  
 {  
   var authResult = await AuthorizationService.AuthorizeAsync(  
     User, null, new PermissionAuthorizationRequirement(permissions, comparisonType));  
   if (authResult.Succeeded)  
   {  
     return func?.Invoke();  
   }  
   return Json(authResult);  
 }  
 /// <summary>  
 /// Executes passed function once authorization is successful.  
 /// </summary>  
 /// <param name="func">The function.</param>  
 /// <param name="permissions">The permissions.</param>  
 /// <returns>Result based on passed function if authorization is successful.</returns>  
 public async Task<IActionResult> OnSuccessAuthAsync(  
   Func<IActionResult> func,  
   params PermissionRule[] permissions)  
 {  
   return await OnSuccessAuthAsync(func, ComparisonType.All, permissions);  
 }




Labels:

Comments

Post a Comment

Popular posts from this blog

Using Redis distributed cache in dotnet core with helper extension methods

Redis cache is out process cache provider for a distributed environment. It is popular in Azure Cloud solution, but it also has a standalone application to operate upon in case of small enterprises application. How to install Redis Cache on a local machine? Redis can be used as a local cache server too on our local machines. At first install, Chocolatey https://chocolatey.org/ , to make installation of Redis easy. Also, the version under Chocolatey supports more commands and compatible with Official Cache package from Microsoft. After Chocolatey installation hit choco install redis-64 . Once the installation is done, we can start the server by running redis-server . Distributed Cache package and registration dotnet core provides IDistributedCache interface which can be overrided with our own implementation. That is one of the beauties of dotnet core, having DI implementation at heart of framework. There is already nuget package available to override IDistributedCache i...
3 comments
Read more

Trim text in MVC Core through Model Binder

Trimming text can be done on client side codes, but I believe it is most suitable on MVC Model Binder since it would be at one place on infrastructure level which would be free from any manual intervention of developer. This would allow every post request to be processed and converted to a trimmed string. Let us start by creating Model binder using Microsoft.AspNetCore.Mvc.ModelBinding; using System; using System.Threading.Tasks; public class TrimmingModelBinder : IModelBinder { private readonly IModelBinder FallbackBinder; public TrimmingModelBinder(IModelBinder fallbackBinder) { FallbackBinder = fallbackBinder ?? throw new ArgumentNullException(nameof(fallbackBinder)); } public Task BindModelAsync(ModelBindingContext bindingContext) { if (bindingContext == null) { throw new ArgumentNullException(nameof(bindingContext)); } var valueProviderResult = bindingContext.ValueProvider.GetValue(bin...
2 comments
Read more

Kendo MVC Grid DataSourceRequest with AutoMapper - Advance

The actual process to make DataSourceRequest compatible with AutoMapper was explained in my previous post  Kendo MVC Grid DataSourceRequest with AutoMapper , where we had created custom model binder attribute and in that property names were changed as data models. In this post we will be looking into using AutoMapper's Queryable extension to retrieve the results based on selected columns. When  Mapper.Map<RoleViewModel>(data)  is called it retrieves all column values from table. The Queryable extension provides a way to retrieve only selected columns from table. In this particular case based on properties of  RoleViewModel . The previous approach that we implemented is perfect as far as this article ( 3 Tips for Using Telerik Data Access and AutoMapper ) is concern about performance where it states: While this functionality allows you avoid writing explicit projection in to your LINQ query it has the same fatal flaw as doing so - it prevents the qu...
Post a Comment
Read more

Getting started with Raspberry Pi

Raspberry Pi is a small, low powered motherboard contains 512 RAM, combined CPU and GPU. It has LAN, 2 USB, HDMI input, Audio Out, SD Card reader and S-Video connectors. We can have many Linux distribution OS on it. To configure, we just need to attach SD Card to it. SD Card could range from class 4 to class 10. In some cases Raspberry Pi could support less then class 4 cards too. It could be powered through mini USB mobile charger. Let's get started with installing OS on SD Card. There are various ways to install OS. Like we can download OSes through  http://www.raspberrypi.org/downloads  and follow the instructions given on it. There is something BerryBoot multi-boot loader through which we can have more then one OS on Raspberry Pi and boot OS according to our need.  http://www.berryterminal.com/doku.php/berryboot  instructions could be followed to install OS with very simple steps. You need to have internet connection on Raspberry Pi to install OS. It coul...
Post a Comment
Read more

OpenId Authentication with AspNet Identity Core

This is a very simple trick to make AspNet Identity work with OpenId Authentication. More of all both approach is completely separate to each other, there is no any connecting point. I am using  Microsoft.AspNetCore.Authentication.OpenIdConnect  package to configure but it should work with any other. Configuring under Startup.cs with IAppBuilder app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme, LoginPath = new PathString("/Account/Login"), CookieName = "MyProjectName", }) .UseIdentity() .UseOpenIdConnectAuthentication(new OpenIdConnectOptions { ClientId = "<AzureAdClientId>", Authority = String.Format("https://login.microsoftonline.com/{0}", "<AzureAdTenant>"), ResponseType = OpenIdConnectResponseType.IdToken, PostLogoutRedirectUri = "<my website url>", ...
Post a Comment
Read more

Elegantly dealing with TimeZones in MVC Core / WebApi

In any new application handling TimeZone/DateTime is mostly least priority and generally, if someone is concerned then it would be handled by using DateTime.UtcNow on codes while creating current dates and converting incoming Date to UTC to save on servers. Basically, the process is followed by saving DateTime to UTC format in a database and keep converting data to native format based on user region or single region in the application's presentation layer. The above is tedious work and have to be followed religiously. If any developer misses out the manual conversion, then that area of code/view would not work. With newer frameworks, there are flexible ways to deal/intercept incoming or outgoing calls to simplify conversion of TimeZones. These are steps/process to achieve it. 1. Central code for storing user's state about TimeZone. Also, central code for conversion logic based on TimeZones. 2. Dependency injection for the above class to ...
4 comments
Read more

Centralized model validation both for MVC/WebApi and SPA client-side validation using FluentValidation

Validation is one of the crucial parts of any application. It has to validate on both client side and server side requests. What are target features or implementation from this article? Model validation for any given model. Centralized/One code for validation on both server-side and client-side. Automatic validation of model without writing any extra codes on/under actions for validation.  NO EXTRA/ANY codes on client-side to validate any form. Compatible with SPA. Can be compatible with any client-side validation framework/library. Like Angular Reactive form validation or any jquery validation libraries. Tools used in the implementation? FluentValidation : I feel DataAnnotation validation are excellent and simple to use, but in case of complex validation or writing any custom validations are always tricker and need to write a lot of codes to achieve whereas FluentValidations are simple even in case of complex validation. Generally, we need to validate inc...
2 comments
Read more

Interface based model binding to populate properties value automatically

Interface is great way to make consistency and re-useability of codes. In this tutorial, I am going to show the power of interface to populate view/domain models automatically and interchange values between models. Technologies or techniques used in this approach: - MVC. - Interface for models. - MVC model binder for associated model with interface. Through this model binder we will populate values. - T4 template to generate code to register model binder with all models associated with interface. - Generic extension method to interchange values. It might sounding bit complex to achieve small thing. Just hold on with me and see unfolding. This will result in easier maintenance and less repetitive code. First let's start with creation of Interface that need to be populate automatically. This interface would be implemented on models and values will be auto-populated on binder. /// <summary> /// Interface for storing entry related values /// </summar...
Post a Comment
Read more

Custom SPA engine, similar to MVC pattern by using TypeScript

Single Page Application, a fundamental requirement for SPA is to develop the application with XMLHttpRequest (XHR) or AJAX. That is only main requirement, other things come as add-on stuff. Advancements of SPA? In today's world, we do not want to be restricted with basic features or functionalities. We want everything like any new Phone comes in market with some new shiny feature. There are a lot of functionalities available with SPA libraries and could be extended with more extension to have richer and easier implementation. To be specific we shall refer it as frameworks, not libraries. Earlier days one-way, two-way data binding with templates were very minimum things to expect from frameworks. Now they talk about component structure, Virtual Dom, IOC, state management, performance etc. Why building own framework/library? What I believe and experienced is each SPA JS Frameworks has its own set of rules and structure that has to be followed. If we want to have our own dyn...
Post a Comment
Read more

Global exception handling and custom logging in AspNet Core with MongoDB

In this, we would be looking into logging and global exception handling in the AspNet Core application with proper registration of logger and global exception handling. Custom logging The first step is to create a data model that we want to save into DB. Error log Data model These are few properties to do logging which could be extended or reduced based on need. public class ErrorLog { /// <summary> /// Gets or sets the Error log identifier. /// </summary> /// <value> /// The Error log identifier. /// </value> [BsonRepresentation(BsonType.ObjectId)] public ObjectId Id { get; set; /// <summary> /// Gets or sets the date. /// </summary> /// <value> /// The date. /// </value> public DateTime Date { get; set; } /// <summary> /// Gets or sets the thread. /// </summary> ...
1 comment
Read more