2

I have a bunch of controllers and related views that need to have role based authentication applied on them. I am thinking of having a base controller with the [authorize] property definition on it so that I can have all controllers that inherit from that base class be available only after login. I have tested this to be working. I am not sure if this is the best practice or if there will be any pit falls going ahead in this approach.

In the future I will need to have certain pages be accessible to only users within a particular role. The list of roles will be from a database table. so instead of changing all the related controllers I just make that change in the base controller that it inherits from. Is this the right way to go about doing it?

Thanks for your time.

Improve this question

2 Answers 2

Reset to default
7

You can combine any number of Authorize attributes.

i.e. You can have a Authorize attribute on your base controller and a more specific one on another controller (for instance specifying a role) and a most specific one on a controller action (specifying a role or a user)

[Authorize]
public class BaseController : Controller
{}

[Authorize(Roles="Administrator")]
public class AdminController : BaseController
{
    [Authorize(Roles="SuperUser")]
    public ActionResult SuperSecret()
    {}
}

It will check all attributes and only revoke access if any of the attributes fail.

In the future I will need to have certain pages be accessible to only users within a particular role.

That's how role based authentication works.

The list of roles will be from a database table.

Load the roles into a custom IPrincipal in the method OnPostAuthenticate in global.asax.

so instead of changing all the related controllers I just make that change in the base controller that it inherits from.

I don't follow you on this requirement. Do you want to avoid specifying roles on your controllers?

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

The topic starter wanted to avoid attaching a list of roles to every controller of his, but to specify the roles grouping somewhere else. Otherwise your suggestion is perfect (and a default one for the authorization scenario)
Hi is there an example of using the custom IPrincipal that you speak of in the OnPostAuthenticate method in global.asax. As far as I know the iPrincipal stores a HttpContext.Current.User object. How do I assign roles from my AppRoles table to it?
There are several examples here at SO. Search for custom principal onpostauthenticate or read about IPrincipal in MSDN
I checked this out over the weekend... kitsula.com/Article/Custom-Role-Provider-for-MVC ... what do you think of this approach? It basically overrides the asp.net Roleprovider class. I tried calling two different secure pages.. but the call to the GetRolesForUser(..) method in my CustomRoleProvider : RoleProvider class was called only once. So that means just one call to the database to get UserRoles ... Could there be something wrong with this approach that I am not seeing now, that made you decide to go with IPrincipal instead?
1

It's all right to use a base controller class for your controllers.

However, I don't think you should tie your controllers' inheritance to your roles hierarchy. It doesn't seem clean to me.

I'd implement an inheritance tree of attributes, like:

class NormalUserRolesAttribute: AuthorizeAttribute
class AdvancedUserRolesAttribute: AuthorizeAttribute
class AdminUserRolesAttribute: AuthorizeAttribute

with slightly different OnAuthorization behavior and then mark your controllers with those attributes.

Improve this answer

6 Comments

Can you explain what advantages that gives in contrast to [Authorize(Roles = "AdvancedUser")]? Seems to me that you just complicate things.
Please see my comment to your answer :)
Still. Your attributes does the same thing as my suggestion. I just recommend loading the roles into a IPrincipal since it's used by all security features in .NET
My approach allows you to avoid distributing [Authorize(Roles="admin1,admin2,admin3,superadmin,hyperadmin,backdoor")] across the entire project, and keep the roles list in some one place (inside the AdminRolesAttribute definition), that's all
It's just role inheritance. Create a role called SuperAdmins which includes all users from role Admin1, Admin2 etc. And use Authorize(Roles="SuperAdmins")]. The code belongs in a IAuthorizationService and not in several authorization attributes.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.