Doubt regarding Security, Authentication and Authorization

3

Hello, I'm having trouble building the architecture for the security-related part of the application. I need only logged-in and authorized users to have access to certain application functions. I know that I would normally use role-based authorization, but the problem is that, in the business rules of this application, it is the users (Master) who will create the access profiles, so I have no way to pre-define in the filters which roles will have access to each controller / action of the application.

Would anyone have a solution for the scenario I described? The architecture will be built on ASP.NET MVC5 with C#, Entity Framework and Autofac.

asked by anonymous 19.07.2015 / 01:33

2 answers

4

If I understand your problem correctly, your Roles cannot be predefined. I also imagine that you will need a way to add new Roles at will (as you said, a Master creating profiles).

In this case, you would use the database to store the Roles already created, including which route / controller / action is allowed for that Role. Also define an associative relationship between users and roles (basically saying "these users have these roles").

In your Controllers, instead of using [Authorize], you would implement a custom AuthorizeAttribute, and instead of confirming whether the user has a Role based on one of the strings (this being the function of [Authorize]), it would confirm whether the user has a Role that allows this Controller / route / action.

(Sorry for the Portuguese, and if it is not clear, please let me know!)

19.07.2015 / 01:49
1

You can create your own solution or use a ready-made one.

A good alternative is Fluent Security. It has a NuGet package and is very simple to install. Here is a little tutorial.

Another option is to implement your own authorization attribute (the answer from @brazilianldsjaguar). Here are several questions and answers that can help you. Just create your logic and place it inside the AuthorizeCore method of AuthorizeAttribute.

This method returns True if the user is allowed to visit a certain part of the application and False otherwise.

19.07.2015 / 04:13
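Both answers describe the same design: roles and their allowed controller/action pairs live in the database, and a custom AuthorizeAttribute overrides AuthorizeCore to look them up instead of comparing fixed role strings. The following is an added example of that design, written for this page; it is not code from either answer, from ASP.NET MVC, or from Fluent Security. The IPermissionStore interface, the InMemoryPermissionStore class and the DynamicAuthorizeAttribute name are assumptions made here; in the real application the store would be an Entity Framework query over the tables the first answer describes, registered with Autofac. It also covers an edge case neither answer spells out: a logged-in user who lacks the permission should get 403 rather than be bounced to the login page, which is what the stock attribute does for any failure.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Assumed abstraction over the tables the first answer describes:
// Roles, the controller/action pairs each Role may reach, and the user-role link.
public interface IPermissionStore
{
    IEnumerable<string> GetRolesForUser(string userName);
    bool RoleAllows(string role, string controller, string action);
}

// Constructed in-memory store so the attribute can be exercised without a database.
// The keys below are sample data, not anything from the original question.
public class InMemoryPermissionStore : IPermissionStore
{
    private readonly Dictionary<string, HashSet<string>> _userRoles =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Billing" } },
            { "bob",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Viewer" } },
        };

    // Permission key is "Controller/Action"; an exact, case-insensitive match is required,
    // so "Invoice/Index" never implicitly grants "Invoice/Delete".
    private readonly Dictionary<string, HashSet<string>> _rolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Billing", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Invoice/Index", "Invoice/Create" } },
            { "Viewer",  new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Invoice/Index" } },
        };

    public IEnumerable<string> GetRolesForUser(string userName)
    {
        HashSet<string> roles;
        return _userRoles.TryGetValue(userName ?? string.Empty, out roles) ? roles : Enumerable.Empty<string>();
    }

    public bool RoleAllows(string role, string controller, string action)
    {
        HashSet<string> allowed;
        return _rolePermissions.TryGetValue(role, out allowed) && allowed.Contains(controller + "/" + action);
    }
}

// Replacement for [Authorize]: the decision comes from the store, not from Roles = "...".
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class DynamicAuthorizeAttribute : AuthorizeAttribute
{
    // MVC instantiates attributes itself, so constructor injection is unavailable.
    // Autofac's MVC integration can property-inject this (builder.RegisterFilterProvider());
    // otherwise it falls back to the MVC DependencyResolver.
    public IPermissionStore Store { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // not logged in: HandleUnauthorizedRequest will redirect to login

        // The controller/action being requested, taken from the matched route.
        var routeData = httpContext.Request.RequestContext.RouteData;
        var controller = routeData.GetRequiredString("controller");
        var action = routeData.GetRequiredString("action");

        var store = Store ?? DependencyResolver.Current.GetService<IPermissionStore>();
        if (store == null) return false; // fail closed if no store is configured

        // Allowed only if at least one of the user's roles grants this exact pair.
        return store.GetRolesForUser(user.Identity.Name)
                    .Any(role => store.RoleAllows(role, controller, action));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: answer 403 instead of looping back to the login page.
        if (filterContext.HttpContext.User != null && filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext); // stock behaviour: 401 / redirect to login
    }
}

// Usage: decorate a controller or action exactly as you would with [Authorize].
[DynamicAuthorize]
public class InvoiceController : Controller
{
    public ActionResult Index() { return Content("invoices"); }
    public ActionResult Create() { return Content("new invoice"); }
}
```

Two points worth keeping in mind with this approach. First, because AuthorizeAttribute also registers an output-cache validation callback that re-runs AuthorizeCore, the check still happens for cached pages, but the permission tables should be read per request (or with a short cache) so that a Master revoking a profile takes effect promptly. Second, registering the attribute as a global filter in FilterConfig, and whitelisting the login/logout actions with [AllowAnonymous], avoids the classic mistake of a newly added controller being reachable by everyone because nobody decorated it.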