
I'm building an ASP.NET MVC3 application (with Razor) and I have a database that has information about users and roles.

This is a simplified scheme of my DB.

User(IDUser, Login, Password);
Role(IDRole, Name);
UserInRole(IDUser, IDRole); //Many to Many

Looks like this:

(db schema screenshot)

I read about using AuthorizeAttribute to control pages for logged-in users and for specific roles, and I researched using my DB to control users and roles. So my questions are:

  1. Is it possible to use my DB to manage users and roles and use [Authorize] on my actions? [If yes, how do I do that?]
  2. Is it possible to use session in place of the cookie to manage login and still use the native ASP.NET MVC3 authorization? [If yes, how do I do that? If no, how do I use session otherwise?]

If possible please post code examples.

2 Answers

Not sure if I understood correctly, but you want to use the [Authorize] attribute to work with your custom users database?

If that's the case, there are some things to check:

To simply allow/deny based on whether the user is authorized or not, the stock [Authorize] attribute will work just fine. The custom logic goes in your Login action, where you will check the database with the given credentials and issue the cookie accordingly. Something like:

    [HttpPost]
    public ActionResult Login(string username, string password)
    {
        // Check the database with the given username and password.
        // _users.ValidateCredentials is a hypothetical repository call standing in
        // for whatever data access you use against the User table.
        bool isValid = _users.ValidateCredentials(username, password);

        if (isValid)
        {
            // Issue the forms-authentication cookie; false = non-persistent (browser session) cookie.
            FormsAuthentication.SetAuthCookie(username, false);

            return RedirectToAction("...");
        }
        else
        {
            return View();
        }
    }

If you want to also control access based on roles, I would say there are 2 immediate ways:

  • Implement custom Membership and Role providers, something I don't like as I find them pretty useless, and I always end up redoing the logic in my repositories

  • Implement a custom AuthorizeAttribute, like:

    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Check based on these 2 properties:
            //   this.Roles
            //   this.Users
            // against httpContext.User

            // Return true or false to indicate allow or deny.
            // Minimal body so the skeleton compiles: allow an authenticated user when
            // no roles were requested; the role lookup against your DB goes here.
            bool authenticated = httpContext.User != null
                && httpContext.User.Identity.IsAuthenticated;
            return authenticated && string.IsNullOrEmpty(this.Roles);
        }
    }
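The following is an added example (not code from the answer above) that carries the cookie-based approach through: the Login action verifies a salted password hash from the User table and issues the forms-authentication cookie, and a subclass of AuthorizeAttribute resolves the user's roles through the UserInRole table instead of a Role provider. `IUserRepository`, `StoredCredential`, `PasswordHasher` and `DbRoleAuthorizeAttribute` are assumed names, and the repository is assumed to be registered with MVC's `DependencyResolver`.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical data-access abstraction over the User / Role / UserInRole tables.
public interface IUserRepository
{
    StoredCredential FindCredential(string login); // null when the login is unknown
    string[] GetRoleNames(string login);           // role names reached via UserInRole
}

public class StoredCredential
{
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
}

public static class PasswordHasher
{
    // PBKDF2 (Rfc2898DeriveBytes) so the Password column never holds clear text.
    public static byte[] Hash(string password, byte[] salt, int iterations = 10000)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(32);
    }

    // Constant-time comparison: the loop does not exit early on the first mismatch.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class AccountController : Controller
{
    private readonly IUserRepository _users;
    public AccountController(IUserRepository users) { _users = users; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        var cred = _users.FindCredential(username);
        // Hash even when the login is unknown would be nicer for timing; kept simple here.
        bool isValid = cred != null
            && PasswordHasher.FixedTimeEquals(PasswordHasher.Hash(password, cred.Salt), cred.Hash);

        if (!isValid)
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }

        // The stock [Authorize] attribute reads this cookie on later requests.
        FormsAuthentication.SetAuthCookie(username, false);

        // Only follow returnUrl when it points back into this site (no open redirect).
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

// Usage: [DbRoleAuthorize(Roles = "Admin,Editor")] on an action or controller.
public class DbRoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Identity comes from the forms-auth cookie issued by Login.
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated)
            return false;

        // No roles requested: any authenticated user passes.
        if (string.IsNullOrWhiteSpace(Roles)) return true;

        var required = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0);
        var repo = DependencyResolver.Current.GetService<IUserRepository>();
        var actual = repo.GetRoleNames(httpContext.User.Identity.Name) ?? new string[0];
        return required.Intersect(actual, StringComparer.OrdinalIgnoreCase).Any();
    }
}
```

Because the attribute keeps the base class's comma-separated `Roles` string, it behaves like the stock attribute from the caller's point of view; only the role source changes. The role lookup runs on every authorized request, so cache it (or put the role names into the forms ticket's UserData) if the query becomes a hotspot.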
    

1 Comment

Thanks, it was very helpful. But I have one more question: does FormsAuthentication work with Session or Cookie?

Thanks Pedro. Based on your post I built this to use SESSION:

    using System.Collections.Generic;
    using System.Web;
    using System.Web.Mvc;

    // Minimal model for what the login action stores in Session["user"]:
    // the user without its password column, plus its role names.
    public class User
    {
        public int IDUser { get; set; }
        public string Login { get; set; }
        public List<string> Roles { get; set; }
    }

    public class CustomAutorizeAttribute : AuthorizeAttribute
    {
        // 'new' because the base AuthorizeAttribute already declares a string Roles property.
        public new List<string> Roles { get; set; }

        public CustomAutorizeAttribute()
        {
        }

        public CustomAutorizeAttribute(params string[] roles)
        {
            this.Roles = new List<string>();
            this.Roles.AddRange(roles);
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // 'as' instead of a cast: a missing or foreign value yields null, not an exception.
            User user = httpContext.Session["user"] as User;

            if (user != null)
            {
                if (Roles != null)
                {
                    foreach (var role in user.Roles)
                    {
                        if (Roles.Exists(e => e == role)) return true;
                    }
                    return false; // User doesn't have any of the required roles.
                }
                else
                {
                    return true; // The attribute is used without roles.
                }
            }
            else return false; // Not logged in.
        }
    }

Posting it here in the hope it helps others.
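As an added example (not the poster's code) of the session-based variant above, this shows the two pieces the attribute alone leaves open: what the login action puts into the session, and what happens when authorization fails. Without FormsAuthentication there is no module that turns a 401 into a redirect to the login page, so the attribute overrides `HandleUnauthorizedRequest` itself. `SessionUser`, `IAuthService` and `SessionAuthorizeAttribute` are assumed names; `IAuthService.Authenticate` is assumed to do the User/UserInRole lookup and return null on a bad login.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Serialisable snapshot kept in session: identity and role names only,
// never the full User entity with its Password column.
[Serializable]
public class SessionUser
{
    public int IdUser { get; set; }
    public string Login { get; set; }
    public string[] Roles { get; set; }
}

// Hypothetical service checking Login/Password against the User table.
public interface IAuthService
{
    SessionUser Authenticate(string login, string password);
}

// Usage: [SessionAuthorize(Roles = "Admin")] reuses the base class's string Roles property.
public class SessionAuthorizeAttribute : AuthorizeAttribute
{
    public const string SessionKey = "user";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.Session == null ? null : httpContext.Session[SessionKey] as SessionUser;
        if (user == null) return false;                     // not logged in
        if (string.IsNullOrWhiteSpace(Roles)) return true;  // attribute used without roles

        var required = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0);
        return required.Intersect(user.Roles ?? new string[0], StringComparer.OrdinalIgnoreCase).Any();
    }

    // Unauthenticated: send the browser to the login page with a local return URL.
    // Authenticated but lacking the role: plain 403, no redirect loop.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        bool loggedIn = filterContext.HttpContext.Session[SessionKey] is SessionUser;
        if (loggedIn)
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        string returnUrl = filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(
            "~/Account/Login?returnUrl=" + HttpUtility.UrlEncode(returnUrl));
    }
}

public class AccountController : Controller
{
    private readonly IAuthService _auth;
    public AccountController(IAuthService auth) { _auth = auth; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        SessionUser user = _auth.Authenticate(username, password);
        if (user == null)
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }

        // Drop anything the anonymous session accumulated before storing the identity.
        Session.Clear();
        Session[SessionAuthorizeAttribute.SessionKey] = user;

        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        Session.Clear();
        Session.Abandon();
        // Expire the session cookie (default name ASP.NET_SessionId) so the browser
        // does not keep presenting the abandoned id.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        return RedirectToAction("Login");
    }
}
```

One caveat that the attribute cannot fix on its own: ASP.NET keeps the session id the browser already sent when a session exists for it, so the id used before login is the id used after login. If that matters for your threat model, issue a fresh id at login with `System.Web.SessionState.SessionIDManager` (`CreateSessionID` followed by `SaveSessionID`), and set the session cookie to `requireSSL="true"` in web.config when the site runs over HTTPS.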
