Question

I find that many things in Asp.Net are based on assumed knowledge. I, for example, do not know much about internet authentication and have a hard time finding anything about it at a beginner level.

One thing that is puzzling me is the AuthorizeAttribute. I understand how to use it and what it's supposed to do, but I'm wondering if it will work in situations where you have a custom login system.

In the description on the AuthorizeAttribute page it says simply: "When you mark an action method with AuthorizeAttribute, access to that action method is restricted to users who are both authenticated and authorized."

So what is an authenticated user, and how do you set one user to be authenticated? If I create my own login system, how do I set it so that a logged-in user is authenticated enough for AuthorizeAttribute to allow him entry?


Solution

It checks the IsAuthorized of the IIdentity of IPrincipal.

In the Global.asax add a method to handle "AuthorizeRequest". Then in that method do whatever you need to check that the user is authorized (check a session, cookie, DB, etc.).

Then set the HttpContext.Current.User to a GenericPrincipal that has a user that implements IIdentity and has its IsAuthorized set to true.

Something like this:

  using System;
  using System.Security.Principal;
  using System.Web;

  // Minimal IIdentity implementation; replace with whatever your login system uses
  public class User : IIdentity
  {
    public string Name { get; set; }
    public string AuthenticationType { get { return "Custom"; } }
    public bool IsAuthenticated { get; set; }
  }

  public class MvcApplication : HttpApplication
  {
    public MvcApplication()
    {
      this.AuthorizeRequest += this.AuthorizedRequestEvent;
    }

    private void AuthorizedRequestEvent(object sender, EventArgs e)
    {
      // do checking here with whatever you want (session, cookie, DB, ...)
      bool isAuthenticated = false;

      // change this to whatever implements IIdentity
      var user = new User();
      user.IsAuthenticated = isAuthenticated;
      GenericPrincipal principal;
      principal = new GenericPrincipal(user, new string[] { });
      HttpContext.Current.User = principal;
    }
  }

OTHER TIPS

HttpContext.Current.User contains the User object that is the currently logged-in user. While inside a Controller this can also be obtained simply from User.

If you need beginner level knowledge then you need to go buy a good book. A quick Amazon.com search shows a lot of support for Pro ASP.NET MVC 3 Framework so that's probably a good place to start. The value of a book like this is it will walk you through a front to back example of building a web app (including authentication).

As for security... you do not want to build your own, especially if you're a beginner. It's too easy to get something wrong and end up with a mess (been there, done that). What you want to do is use the built-in authentication. Again, a book would be a great place to start, but otherwise start with the built-in template and follow this walkthrough. After you've done that, start reading the code and using the class names as Google search points.

You lack the basic stuff on how the ASP.NET pipeline works.

http://msdn.microsoft.com/en-us/library/bb470252.aspx

In particular, somewhere early is the AuthenticateRequest event, where plugged-in modules can set the user to be authenticated. How do they do so? By setting the current HttpContext's User to something other than null whose Identity.IsAuthenticated evaluates to true.

Since the User property of the context is not bound to any particular type (rather, it can be any value whose type inherits from IPrincipal), any authentication provider is possible.

And the last thing: a lot of people stick with the forms authentication module, where the information is retrieved from the cookie.
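The following is an added example, not code from the question or any of the answers above. It ties the two mechanisms the answers describe together: a custom login action that issues a forms authentication ticket, an Application_AuthenticateRequest handler in Global.asax.cs that turns that cookie back into an IPrincipal whose Identity.IsAuthenticated is true, and a controller that AuthorizeAttribute then protects without any custom code. The ValidateCredentials method is a placeholder for your own credential check; the role name "Editor" and the 30-minute ticket lifetime are assumptions chosen for the example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Global.asax.cs: this runs on every request, before AuthorizeAttribute is evaluated.
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Start every request as anonymous (GenericIdentity with an empty name has
        // IsAuthenticated == false), so a missing or bad cookie can never be mistaken
        // for a logged-in user further down the pipeline.
        HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt verifies the machineKey MAC as well: a tampered cookie fails here.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return; // undecryptable cookie: stay anonymous
        }
        if (ticket == null || ticket.Expired)
            return;

        // UserData was filled at login with a comma-separated role list (assumption for this example).
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');

        // GenericIdentity.IsAuthenticated is true whenever the name is non-empty,
        // which is exactly what AuthorizeAttribute checks.
        var identity = new GenericIdentity(ticket.Name, "Forms");
        HttpContext.Current.User = new GenericPrincipal(identity, roles);
    }
}

// Login action: issues the ticket only after the credential check succeeded.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!ValidateCredentials(userName, password))
            return View();

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, "Editor"); // roles travel in UserData (example assumption)
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true, // not readable from script
            Secure = true    // only sent over HTTPS
        };
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }

    // Placeholder: your own check (e.g. salted password hash lookup in the DB) goes here.
    private static bool ValidateCredentials(string userName, string password)
    {
        return false;
    }
}

// No custom authorization code needed: AuthorizeAttribute reads User.Identity.IsAuthenticated
// and User.IsInRole from the principal set above.
public class AdminController : Controller
{
    [Authorize(Roles = "Admin")]
    public ActionResult Index() { return View(); }
}
```

The point to notice is that AuthorizeAttribute never touches your cookie or database: whatever sets HttpContext.Current.User during AuthenticateRequest decides who is "authenticated", and the attribute only reads the result. Resetting the principal to anonymous at the top of the handler, rather than leaving whatever value was there, is the cheap way to make sure an exception or an early return cannot leave a request looking logged in.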

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow