1

I need to integrate a new Security API into several existing applications in my organization. Some applications use ASP.NET MVC and use the .NET AuthorizeAttribute class to decorate classes with security.

For example:

[Authorize(Roles="MY_CORP\Group1,MY_CORP\Group2")]
public class MyClass
{
    //
}

The code above is based on a Windows authentication configuration. I need to update this implementation to use the new Security API. The new Security API will retrieve a user like this:

var user = new SecurityApi().GetUser(userId);
var groups = user.Groups;

So ideally the updated decorator would look something like this, where GroupX and GroupY exist as user.Groups returned from the Security API:

[Authorize(Roles="GroupX, GroupY")]
public class MyClass
{
    //
}

Any idea how I would go about implementing this?

Improve this question
1

1 Answer 1

Reset to default
0

I use something along the lines of this:

public class RequireAuthAttribute : TypeFilterAttribute
{
    public RequireAuthAttribute(params Roles[] rolesRequirement) 
        : base(typeof(RequireAuthFilter))
    {
        Arguments = new object[] { rolesRequirement };
    }

    public enum Roles: ushort
    {
        CompanyOnly,
        AuthenticatedCustomer,
        AuthorizedCustomer,
        AuthorizedOwnerManager
    }
}

With:

public class RequireAuthFilter : IAsyncActionFilter
{
    private readonly Roles[] _rolesToAllow;

    public RequireAuthFilter(Roles[] rolesRequirement = default(Roles[]))
    {
        _rolesToAllow = rolesRequirement;
    }

    public async Task OnActionExecutionAsync(
    ActionExecutingContext context, 
    ActionExecutionDelegate next ) 
    {
        // Verify is Authenticated
        if (context.HttpContext.User.Identity.IsAuthenticated != true)
        {
            context.HttpContext.SetResponse(401, "User is not Authenticated");
            return;
        }

        var isCompanyAdmin = context.HttpContext.IsCompanyAdmin(); 
        // ^ HttpContext Extension method that looks at our JWT Token 
        // and determines if has required Cliams/Roles.

        if (isCompanyAdmin == true)
        {
            await next();
            return;
        } else {
            context.HttpContext.SetResponse(401, "Restricted to Company");
            return;
        }

        // Other custom logic for each role.
        // You will want to decide if comma represents AND or an OR 
        // when specifying roles.
    }
}

And use like this:

[RequireAuth(Roles.CompanyOnly, Roles.AuthorizedOwnerManager)]
public class MyClass
{
    //
}
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

it looks like TypeFilterAttribute belongs to package Microsoft.AspNetCore.Mvc. I need to implement the solution in an app with a target framework of 4.5.2. Can the TypeFilterAttribute solution be used with a 4.5.2 solution? Or can you recommend an alternative approach for 4.5.2?
It will be a couple hours before I am able to get you the code.. But its doable with googling.. I ported this solution over to .Net Core around 6 months ago. Will post solution this evening after work.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.