
Custom authorization based on dotnet core policy with Attribute filter

Around 2.5 years back I had written about custom authorization on MVC in Custom authorization on class, action/function, code, area level under Asp.Net MVC application. A few of the approaches used there have changed in the Core version. For example, the authorization filter approach is discouraged because it cannot be unit tested, and policy-based authorization (a requirement plus a handler) is the replacement. I believe this is the right step, but global or basic authorization can still be driven by an attribute, which keeps the code focused on its primary objective instead of repeating the authorization check everywhere.

The whole approach and usage remain the same as in the original post; here we only look at making it compatible with dotnet Core MVC. You would need to go through the earlier post to understand the approach taken for authorizing a user.

The official documentation on policy-based authorization explains the new approach: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies

In short, we need to create a requirement (PermissionAuthorizationRequirement), a handler that decides whether the current user satisfies it, and the AppAuthorizeAttribute attribute that invokes the check.

Creating policy requirement

The requirement carries the PermissionRule set that a resource needs and the ComparisonType (All or Any) that says how the user's permissions are compared against that set. It is kept immutable so that an instance shared through a registered policy cannot be changed after start-up.

   using System;
   using Microsoft.AspNetCore.Authorization;

   /// <summary>
   /// Permission authorization requirement: the permissions a resource needs and
   /// how the user's permissions are compared against them.
   /// </summary>
   /// <seealso cref="IAuthorizationRequirement" />
   public class PermissionAuthorizationRequirement
     : IAuthorizationRequirement
   {
     /// <summary>
     /// Gets the comparison mode: All means every listed permission is needed,
     /// Any means one of them is enough.
     /// </summary>
     public ComparisonType ComparisonMode { get; }

     /// <summary>
     /// Gets the permissions required for the resource.
     /// </summary>
     public PermissionRule[] Permissions { get; }

     /// <summary>
     /// Initializes a new instance of the <see cref="PermissionAuthorizationRequirement"/> class
     /// with an empty permission set. Such a requirement carries nothing to check and must not
     /// be relied on to grant access; it only exists as a placeholder for policy registration.
     /// </summary>
     public PermissionAuthorizationRequirement()
       : this(Array.Empty<PermissionRule>(), ComparisonType.All)
     {
     }

     /// <summary>
     /// Initializes a new instance of the <see cref="PermissionAuthorizationRequirement" /> class.
     /// </summary>
     /// <param name="permissions">The permissions.</param>
     /// <param name="comparisonType">Type of the comparison.</param>
     public PermissionAuthorizationRequirement(PermissionRule[] permissions, ComparisonType comparisonType)
     {
       Permissions = permissions ?? throw new ArgumentNullException(nameof(permissions));
       ComparisonMode = comparisonType;
     }
   }

Handler for authorization check of user

The handler authorizes the user by loading their saved permissions from the database and comparing them against the permissions the requested resource needs. It only ever calls context.Succeed; an anonymous caller, a missing or malformed user id claim or a missing permission leaves the requirement unsatisfied, so the default outcome is deny. The permission lookup hits the database on every authorization check, which is the TODO in the code.

 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;

 /// <summary>
 /// Permission authorization handler.
 /// </summary>
 /// <seealso cref="AuthorizationHandler{PermissionAuthorizationRequirement}" />
 public class PermissionAuthorizationHandler
   : AuthorizationHandler<PermissionAuthorizationRequirement>
 {
   public PermissionAuthorizationHandler(ISecurityUserRepository securityUserRepository)
   {
     // Dependency injection to get the user's permissions from the repository.
     SecurityUserRepository = securityUserRepository
       ?? throw new ArgumentNullException(nameof(securityUserRepository));
   }

   /// <summary>
   /// Gets the security user repository.
   /// </summary>
   public ISecurityUserRepository SecurityUserRepository { get; }

   /// <summary>
   /// Makes a decision if authorization is allowed based on a specific requirement.
   /// Only Succeed is ever called; every other path leaves the requirement
   /// unsatisfied, so the default outcome is deny.
   /// </summary>
   /// <param name="context">The authorization context.</param>
   /// <param name="requirement">The requirement to evaluate.</param>
   /// <returns>Permission check for user based on Permission requirement.</returns>
   /// <exception cref="ArgumentException">New comparison type need to be included</exception>
   protected override async Task HandleRequirementAsync(
     AuthorizationHandlerContext context,
     PermissionAuthorizationRequirement requirement)
   {
     // Anonymous caller: nothing to compare against, and no database round trip.
     if (context.User?.Identity?.IsAuthenticated != true)
     {
       return;
     }
     // Fail closed: an empty requirement must never grant access. Without this
     // guard, All() over an empty set is vacuously true.
     if (requirement.Permissions == null || requirement.Permissions.Length == 0)
     {
       return;
     }
     // Getting user id from claims; a missing or non-numeric id is a deny, not an error.
     if (!int.TryParse(context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value, out int userId))
     {
       return;
     }
     // TODO: Implement caching for this
     var userPermissions = await SecurityUserRepository.GetUserPermissions(userId);
     var granted = new HashSet<PermissionRule>(userPermissions ?? Enumerable.Empty<PermissionRule>());
     bool hasPermission;
     switch (requirement.ComparisonMode)
     {
       case ComparisonType.All:
         hasPermission = requirement.Permissions.All(reqPerm => granted.Contains(reqPerm));
         break;
       case ComparisonType.Any:
         hasPermission = requirement.Permissions.Any(reqPerm => granted.Contains(reqPerm));
         break;
       default:
         // Unknown mode: throw rather than silently allow or deny, so a new enum
         // member cannot be forgotten here.
         throw new ArgumentException("New comparison type need to be included");
     }
     if (hasPermission)
     {
       context.Succeed(requirement);
     }
   }
 }
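Because the check lives in a handler rather than an MVC filter, it can be exercised without any HTTP pipeline, which is the reason the filter approach was dropped. The xUnit test class below is an added example, not code from the original post: it drives PermissionAuthorizationHandler and PermissionAuthorizationRequirement from above directly through AuthorizationHandlerContext. The ComparisonType and PermissionRule enums and the ISecurityUserRepository interface are not shown in the post, so the shapes declared here are assumptions (CanDeleteBlog is added only so a test can ask for a permission nobody holds; drop these declarations if the project already defines them). The fake repository and its two users are constructed test data.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Xunit;

// Assumed shapes of the types the post does not show.
public enum ComparisonType { All, Any }
public enum PermissionRule { CanAddBlog, CanEditBlog, CanDeleteBlog }
public interface ISecurityUserRepository
{
  Task<IEnumerable<PermissionRule>> GetUserPermissions(int userId);
}

// Constructed stand-in for the database: user 1 can only add, user 2 can add and edit.
public sealed class FakeSecurityUserRepository : ISecurityUserRepository
{
  private readonly Dictionary<int, PermissionRule[]> _table = new Dictionary<int, PermissionRule[]>
  {
    { 1, new[] { PermissionRule.CanAddBlog } },
    { 2, new[] { PermissionRule.CanAddBlog, PermissionRule.CanEditBlog } },
  };

  public int Calls { get; private set; }

  public Task<IEnumerable<PermissionRule>> GetUserPermissions(int userId)
  {
    Calls++;
    _table.TryGetValue(userId, out var permissions);
    return Task.FromResult<IEnumerable<PermissionRule>>(permissions ?? new PermissionRule[0]);
  }
}

public class PermissionAuthorizationHandlerTests
{
  // An identity created with an authentication type is what makes IsAuthenticated true.
  private static ClaimsPrincipal UserWithId(string id) => new ClaimsPrincipal(
    new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, id) }, "Test"));

  // Runs the handler the way IAuthorizationService would and reports the outcome.
  private static async Task<bool> Evaluate(ClaimsPrincipal user, ISecurityUserRepository repo,
    ComparisonType mode, params PermissionRule[] required)
  {
    var requirement = new PermissionAuthorizationRequirement(required, mode);
    var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
    await new PermissionAuthorizationHandler(repo).HandleAsync(context);
    return context.HasSucceeded;
  }

  [Fact]
  public async Task Anonymous_caller_is_denied_without_a_database_lookup()
  {
    var repo = new FakeSecurityUserRepository();
    var anonymous = new ClaimsPrincipal(new ClaimsIdentity()); // no authentication type
    Assert.False(await Evaluate(anonymous, repo, ComparisonType.Any, PermissionRule.CanAddBlog));
    Assert.Equal(0, repo.Calls);
  }

  [Fact]
  public async Task Malformed_or_unknown_user_id_is_denied()
  {
    var repo = new FakeSecurityUserRepository();
    Assert.False(await Evaluate(UserWithId("not-a-number"), repo, ComparisonType.Any, PermissionRule.CanAddBlog));
    Assert.False(await Evaluate(UserWithId("999"), repo, ComparisonType.Any, PermissionRule.CanAddBlog));
  }

  [Fact]
  public async Task All_needs_every_listed_permission_but_Any_needs_one()
  {
    var repo = new FakeSecurityUserRepository();
    Assert.False(await Evaluate(UserWithId("1"), repo, ComparisonType.All, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog));
    Assert.True(await Evaluate(UserWithId("2"), repo, ComparisonType.All, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog));
    Assert.True(await Evaluate(UserWithId("1"), repo, ComparisonType.Any, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog));
    Assert.False(await Evaluate(UserWithId("1"), repo, ComparisonType.Any, PermissionRule.CanDeleteBlog));
  }
}
```

The negative cases are the ones worth keeping in a suite: they pin down that an anonymous caller, a bad id claim and an unknown user all end in deny rather than in an exception or an accidental allow, and that the handler does not touch the repository before authentication has been established.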

Attribute filter for invoking implementation

The attribute lets us pass the permission rules and an optional ComparisonType for authorizing the user. It derives from TypeFilterAttribute rather than performing the check itself, because a plain attribute cannot receive IAuthorizationService from dependency injection; TypeFilterAttribute constructs the real filter per request, passing the requirement through Arguments and resolving the rest from the container.

 using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;

 /// <summary>
 /// Application authorization. TypeFilterAttribute builds the real filter through
 /// dependency injection, so the filter can take IAuthorizationService; the
 /// permission requirement is handed to it through Arguments.
 /// </summary>
 /// <seealso cref="TypeFilterAttribute" />
 public sealed class AppAuthorizeAttribute
   : TypeFilterAttribute
 {
   /// <summary>
   /// Initializes a new instance of the <see cref="AppAuthorizeAttribute"/> class
   /// that requires every listed permission.
   /// </summary>
   /// <param name="permissions">The permissions.</param>
   public AppAuthorizeAttribute(params PermissionRule[] permissions)
     : this(ComparisonType.All, permissions)
   {
   }

   /// <summary>
   /// Initializes a new instance of the <see cref="AppAuthorizeAttribute"/> class.
   /// </summary>
   /// <param name="comparisonType">Type of the comparison.</param>
   /// <param name="permissions">The permissions.</param>
   public AppAuthorizeAttribute(ComparisonType comparisonType, params PermissionRule[] permissions)
     : base(typeof(AppAuthorizeFilter))
   {
     Arguments = new object[] { new PermissionAuthorizationRequirement(permissions, comparisonType) };
   }

   /// <summary>
   /// The filter TypeFilterAttribute instantiates. It runs in the authorization
   /// stage, before resource, action and result filters, so an unauthorized request
   /// is stopped before any other filter or the action sees it.
   /// </summary>
   /// <seealso cref="IAsyncAuthorizationFilter" />
   private sealed class AppAuthorizeFilter
     : IAsyncAuthorizationFilter
   {
     /// <summary>
     /// The authorization service
     /// </summary>
     private readonly IAuthorizationService AuthorizationService;
     /// <summary>
     /// The required permissions
     /// </summary>
     private readonly PermissionAuthorizationRequirement RequiredPermissions;

     /// <summary>
     /// Initializes a new instance of the <see cref="AppAuthorizeFilter" /> class.
     /// </summary>
     /// <param name="requiredPermissions">The required permissions (from Arguments).</param>
     /// <param name="authorizationService">The authorization service (from DI).</param>
     public AppAuthorizeFilter(
           PermissionAuthorizationRequirement requiredPermissions,
           IAuthorizationService authorizationService)
     {
       RequiredPermissions = requiredPermissions ?? throw new ArgumentNullException(nameof(requiredPermissions));
       AuthorizationService = authorizationService ?? throw new ArgumentNullException(nameof(authorizationService));
     }

     /// <summary>
     /// Called early in the request pipeline to evaluate the permission requirement.
     /// Leaving <c>context.Result</c> null lets the pipeline continue.
     /// </summary>
     /// <param name="context">The <see cref="AuthorizationFilterContext" />.</param>
     public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
     {
       var user = context.HttpContext.User;
       var authResult = await AuthorizationService.AuthorizeAsync(user, null, RequiredPermissions);
       if (authResult.Succeeded)
       {
         return;
       }
       // Challenge (401 / login redirect) only for an anonymous caller. A signed-in
       // user who lacks the permission gets Forbid (403); challenging them again
       // would just bounce them through the login page in a loop.
       context.Result = user?.Identity?.IsAuthenticated == true
         ? (IActionResult)new ForbidResult()
         : new ChallengeResult();
     }
   }
 }

Registering handler and requirement in MVC

Only the handler registration is strictly needed: [AppAuthorize] and the controller helper below hand the requirement to IAuthorizationService directly, and the service finds the handler through dependency injection. Registering a named policy as well lets the same requirement be used through the built-in [Authorize(Policy = "PermissionAuthorization")]. Several requirements can be added to one policy, but for our global one a single requirement is enough. Both registrations go in ConfigureServices.

 // Scoped because the handler depends on the (scoped) repository.
 services.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();
 services.AddAuthorization(options =>
 {
   // A policy needs a concrete rule set; the parameterless requirement carries
   // no permissions and must not be used to grant access.
   options.AddPolicy("PermissionAuthorization", policy =>
     policy.Requirements.Add(new PermissionAuthorizationRequirement(
       new[] { PermissionRule.CanEditBlog }, ComparisonType.All)));
 });
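The TODO in the handler (one database round trip per authorization check) is usually closed with a cache, and registration is where it gets wired in. The decorator below is an added example, not code from the post: it wraps whatever ISecurityUserRepository implementation the project has (SecurityUserRepository is an assumed name for the database-backed class) in IMemoryCache with a short absolute lifetime, and exposes the cache key so the code path that grants or revokes permissions can evict the stale entry. ISecurityUserRepository.GetUserPermissions is assumed to return Task<IEnumerable<PermissionRule>>.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Caching decorator around the permission repository used by PermissionAuthorizationHandler.
public sealed class CachedSecurityUserRepository : ISecurityUserRepository
{
  // Upper bound on how long a revoked permission can still be honoured.
  private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(30);

  private readonly ISecurityUserRepository _inner;
  private readonly IMemoryCache _cache;

  public CachedSecurityUserRepository(ISecurityUserRepository inner, IMemoryCache cache)
  {
    _inner = inner ?? throw new ArgumentNullException(nameof(inner));
    _cache = cache ?? throw new ArgumentNullException(nameof(cache));
  }

  // Public so the admin code that changes permissions can evict the entry.
  public static string CacheKey(int userId) => "permissions:" + userId;

  public async Task<IEnumerable<PermissionRule>> GetUserPermissions(int userId)
  {
    if (_cache.TryGetValue(CacheKey(userId), out PermissionRule[] cached))
    {
      return cached;
    }
    // Materialise to a private array so a cached entry cannot be mutated through the enumerable.
    var fresh = (await _inner.GetUserPermissions(userId) ?? Enumerable.Empty<PermissionRule>()).ToArray();
    _cache.Set(CacheKey(userId), fresh,
      new MemoryCacheEntryOptions { AbsoluteExpirationRelativeToNow = Lifetime });
    return fresh;
  }

  // Call after any change to the user's permissions. Resolving IMemoryCache elsewhere and
  // calling cache.Remove(CachedSecurityUserRepository.CacheKey(userId)) has the same effect.
  public void Invalidate(int userId) => _cache.Remove(CacheKey(userId));
}

public static class PermissionCachingRegistration
{
  // The handler keeps asking for ISecurityUserRepository and transparently receives
  // the cached decorator in front of the database-backed implementation.
  public static IServiceCollection AddCachedPermissionRepository(this IServiceCollection services)
  {
    services.AddMemoryCache();
    services.AddScoped<SecurityUserRepository>(); // assumed name of the DB-backed implementation
    services.AddScoped<ISecurityUserRepository>(sp => new CachedSecurityUserRepository(
      sp.GetRequiredService<SecurityUserRepository>(),
      sp.GetRequiredService<IMemoryCache>()));
    return services;
  }
}
```

The lifetime is the worst-case delay between revoking a permission and the revocation taking effect, so it is measured in seconds, not hours, and the explicit eviction is what makes a demotion immediate rather than "eventually". The cache is a singleton while the repository and handler are scoped, so the cached entry survives across requests without any scoped object outliving its request.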

Usage

Applying authorization to an action is straightforward. The example below lets a user in who holds either CanAddBlog or CanEditBlog (ComparisonType.Any); leaving the comparison type out requires every listed permission.

 [AppAuthorize(ComparisonType.Any, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog)]
 public IActionResult ViewBlog()
 {
   return View();
 }

Authorization on code level

This is code on a custom BaseController to authorize a specific area of code, for example one branch inside an action rather than the whole action. It is the same as in the previous post except that the new dotnet core custom policy is used through IAuthorizationService, which the controller receives by constructor injection.

 using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 public abstract class BaseController : Controller
 {
   protected BaseController(IAuthorizationService authorizationService)
   {
     AuthorizationService = authorizationService ?? throw new ArgumentNullException(nameof(authorizationService));
   }

   protected IAuthorizationService AuthorizationService { get; }

   /// <summary>
   /// Executes passed function once authorization is successful.
   /// </summary>
   /// <param name="func">The function.</param>
   /// <param name="comparisonType">Type of the comparison.</param>
   /// <param name="permissions">The permissions.</param>
   /// <returns>Result based on passed function if authorization is successful.</returns>
   public async Task<IActionResult> OnSuccessAuthAsync(
       Func<IActionResult> func,
       ComparisonType comparisonType,
       params PermissionRule[] permissions)
   {
     if (func == null)
     {
       throw new ArgumentNullException(nameof(func));
     }
     var authResult = await AuthorizationService.AuthorizeAsync(
       User, null, new PermissionAuthorizationRequirement(permissions, comparisonType));
     if (authResult.Succeeded)
     {
       return func();
     }
     // Do not serialise the AuthorizationResult back to the caller: it lists the
     // failed requirements, i.e. exactly which permissions this code path needs.
     // Answer 403 for a signed-in user and 401/login redirect for an anonymous one.
     return User?.Identity?.IsAuthenticated == true ? (IActionResult)Forbid() : Challenge();
   }

   /// <summary>
   /// Executes passed function once authorization is successful, requiring all listed permissions.
   /// </summary>
   /// <param name="func">The function.</param>
   /// <param name="permissions">The permissions.</param>
   /// <returns>Result based on passed function if authorization is successful.</returns>
   public Task<IActionResult> OnSuccessAuthAsync(
     Func<IActionResult> func,
     params PermissionRule[] permissions)
   {
     return OnSuccessAuthAsync(func, ComparisonType.All, permissions);
   }
 }



