Question

I am trying to find a good pattern to use for user access validation.

Basically, on a webforms application I had a framework which used user roles to define access, i.e., users were assigned into roles, and "pages" were granted access to a page. I had a table in the database with all the pages listed in it. Pages could have child pages that got their access inherited from the parent.

When defining access, I assigned the roles access to the pages. Users in the role then had access to the pages. It is fairly simple to manage as well. The way I implemented this was on a base class that every page inherited. On pageload/init I would check the page url and validate access and act appropriately.

However, I am now working on an MVC application and need to implement something similar, however I can't find a good way to make my previous solution work. Purely because I don't have static pages as URL paths. Also I am not sure how best to approach this as I now have controllers rather than aspx pages.

I have looked at the MVCSitemapprovider, but that does not work off a database, it needs a sitemap file. I need control of changing user permissions on the fly.

Any thoughts/suggestions/pointers would be greatly appreciated.


Solution

Your technique is easily accomplished by creating your own ActionFilter: http://msdn.microsoft.com/en-us/library/dd410056.aspx

You can then apply this attribute to controllers or action methods and roll your own page security very easily.

using System.Web.Mvc;

public class MinimalSecurity : ActionFilterAttribute
{
    // Roles passed in where the attribute is applied, e.g. [MinimalSecurity("Admin")]
    private readonly string _roles;

    public MinimalSecurity(string roles)
    {
        _roles = roles;
    }

    // Runs before the action method executes
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // go to database, find permissions, redirect or proceed as necessary

        base.OnActionExecuting(filterContext);
    }
}
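An added example (not part of the original answer) of the database-driven check the question describes, written against `AuthorizeAttribute` rather than `ActionFilterAttribute`, because authorization filters run before action filters and `AuthorizeAttribute` also re-checks access when a response is served from the output cache. `PermissionStore`, `DbAuthorizeAttribute`, and the sample rows are hypothetical names and constructed data standing in for the pages/roles table; areas are not handled.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical stand-in for the database table of pages and roles.
// Key "Controller" is the parent entry; "Controller/Action" is a child entry.
public static class PermissionStore
{
    // Constructed sample rows; a real store would query the database on each
    // call (or use a short-lived cache) so permission changes apply on the fly.
    private static readonly Dictionary<string, string[]> Rows =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reports", new[] { "Staff", "Admin" } },
            { "Reports/Delete", new[] { "Admin" } }
        };

    public static string[] RolesFor(string controller, string action)
    {
        string[] roles;
        if (Rows.TryGetValue(controller + "/" + action, out roles)) return roles;
        if (Rows.TryGetValue(controller, out roles)) return roles; // inherit from parent
        return new string[0]; // no row at all: deny by default
    }
}

public class DbAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        var route = httpContext.Request.RequestContext.RouteData;
        var allowed = PermissionStore.RolesFor(
            route.GetRequiredString("controller"), route.GetRequiredString("action"));
        return allowed.Any(user.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but not permitted: return 403 instead of redirecting to login.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Apply `[DbAuthorize]` to individual controllers or actions, or register it once with `GlobalFilters.Filters.Add(new DbAuthorizeAttribute())` so that any action without a matching row is denied.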

OTHER TIPS

When you create an MVC application, not the blank website, there is a basic ASP.NET Membership provider included. That will do everything you are looking for, with little to no coding.

Here is MSDN: http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx

Here is a CodePlex project that expands the functionality more than what was built in: http://mvcmembership.codeplex.com/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow