Site Security/Access management for asp.net mvc application
22-09-2019
Question
I am trying to find a good pattern to use for user access validation.
Basically on a webforms application I had a framework which used user roles to define access, i.e., users were assigned into roles, and "pages" were granted access to a page. I had a table in the database with all the pages listed in it. Pages could have child pages that got their access inherited from the parent.
When defining access, I assigned the roles access to the pages. Users in the role then had access to the pages. It is fairly simple to manage as well. The way I implemented this was on a base class that every page inherited. On pageload/init I would check the page url and validate access and act appropriately.
However I am now working on an MVC application and need to implement something similar, however I can't find a good way to make my previous solution work. Purely because I don't have static pages as url paths. Also I am not sure how best to approach this as I now have controllers rather than aspx pages.
I have looked at the MVCSitemapprovider, but that does not work off a database, it needs a sitemap file. I need control of changing user permissions on the fly.
Any thoughts/suggestions/pointers would be greatly appreciated.
Solution
Your technique is easily accomplished by creating your own ActionFilter: http://msdn.microsoft.com/en-us/library/dd410056.aspx
You can then apply this attribute to controllers or action methods and roll your own page security very easily.
    using System.Web.Mvc;

    public class MinmalSecurity : ActionFilterAttribute
    {
        // Roles passed in where the attribute is applied.
        private string _roles;

        public MinmalSecurity(string roles)
        {
            _roles = roles;
        }

        // Runs before the decorated action method executes.
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Go to the database, find permissions, redirect or proceed as necessary.
            base.OnActionExecuting(filterContext);
        }
    }
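An added example, not part of the original answer: the same idea built on `AuthorizeAttribute` instead of `ActionFilterAttribute`, so the check runs in the authorization stage, with the question's parent/child inheritance mapped to controller/action keys and deny-by-default when no row exists. `IPermissionStore`, `InMemoryPermissionStore`, `DbPermissionAttribute` and the sample rows are hypothetical names and constructed data standing in for the database table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical store: returns the roles granted on a resource key, or null if no row exists.
public interface IPermissionStore
{
    ISet<string> RolesFor(string resourceKey);
}

// Constructed in-memory stand-in for the permissions table described in the question.
public class InMemoryPermissionStore : IPermissionStore
{
    private readonly Dictionary<string, HashSet<string>> _rows =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reports",        new HashSet<string> { "Staff", "Admin" } }, // parent: whole controller
            { "Reports/Delete", new HashSet<string> { "Admin" } }           // child overrides parent
        };

    public ISet<string> RolesFor(string key)
    {
        HashSet<string> roles;
        return _rows.TryGetValue(key, out roles) ? roles : null;
    }
}

public class DbPermissionAttribute : AuthorizeAttribute
{
    // Assumption: swap in a database-backed (and cached) store at application start.
    public static IPermissionStore Store = new InMemoryPermissionStore();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!httpContext.User.Identity.IsAuthenticated) return false;

        var route = httpContext.Request.RequestContext.RouteData;
        string controller = route.GetRequiredString("controller");
        string action = route.GetRequiredString("action");

        // Most specific entry wins; otherwise inherit the controller-level (parent) entry.
        ISet<string> allowed = Store.RolesFor(controller + "/" + action) ?? Store.RolesFor(controller);

        // Deny by default: a resource with no row is reachable by nobody.
        return allowed != null && allowed.Any(r => httpContext.User.IsInRole(r));
    }
}
```

Apply it as `[DbPermission]` on a controller or action. Because the lookup happens on every request, a permission change in the store takes effect without redeploying.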
OTHER TIPS
When you create an MVC application, not the blank website, there is a basic ASP.NET Membership provider included. That will do everything you are looking for, with little to no coding.
Here is MSDN: http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
Here is a CodePlex project that expands the functionality more than what was built in: http://mvcmembership.codeplex.com/