Doubt
I have a project where the entire business rule is encapsulated in a set of DLLs with 3-tier architecture.
I wonder, what is the best approach for authorization control in these dll's. Is it possible to use Identity? Is there a design pattern or some other best approach to solve this problem?
Considering that a user can have a profile with access to certain functionalities (methods or classes).
Initially, I implemented a feature table and a profile table that contains these features. In the application, an Attribute above methods or classes indicates which functionality can access the code.
To verify that the user can access the code, it is checked whether the user's profile has the functionality described in Attribute . However, I'm not sure that this form is the most elegant for the situation.
Architecture
The solution architecture is implemented according to the Onion architecture. The Service layer encapsulates the entire system business rule and has access to Domain and Repositories .
The Web project (MVC) and Web Api have access to DLL Services, and access control is now in place. To prevent these and other external projects that want to access Services from implementing each of their authorization controls, an access control has been created as described below.
Current Code
AttributeUsage(AttributeTargets.Method)]
public class ControleAcessoAttribute : Attribute
{
private string[] funcionalidades;
private UsuarioAutenticado usuario;
public ControleAcessoAttribute(params string[] funcionalidades)
{
this.funcionalidades = funcionalidades;
this.usuario = UsuarioAutenticado.GetInstance();
VerificarAcesso();
}
public void VerificarAcesso()
{
var isAutorizado = VerificarFuncionalidades();
if(!isAutorizado)
{
throw new NegocioException("O usuário autenticado não possui permissão para acessar esta funcionalidade.");
}
}
public bool VerificarFuncionalidades()
{
foreach (var item in usuario.Perfil.Funcoes)
{
for (int i = 0; i < funcionalidades.Length; i++)
{
if(item.Descricao.Contains(funcionalidades[i]))
return true;
}
}
return false;
}
Usage method
public class Foo
{
[ControleAcesso("Bar","Foo")]
public void Bar()
{
//Some code here
}
}
Another problem
Another problem I am facing is in knowing which is the authenticated user in the applications, since the web project can implement Session and others do not. Should this authentication be the DLL's responsibility? Is it better to save the authentication to the database?