-2

I am new to MVC and I have been struggling for the last 4 days to find any good tutorial for custom authorization and authentication in ASP.NET MVC 3.

The problem is:

We have our own custom User Master table and also a custom Role Master table.

Now I want to know how we can authenticate a particular user from the login page against our existing custom User table, and also assign rights, i.e. the Role ID from the Role master, to that logged-in user without using the Membership stuff.

The second thing I want is this: when a user makes any request to a controller, I want to check whether the user's session is null or not, and also check whether the Role ID that the logged-in user has gives rights to access that controller or not.

I also want to implement role-based access control. For example:

Role 1 can edit accounts of Role 2 and Role 3.
Role 2 can edit accounts of Role 3 only (restricted from editing Role 1 accounts).

One solution for that is to make different views and controllers, but I don't think that is the better solution.

Please suggest!!!!

Thanks in Advance!!!!

RL89
  • possible duplicate of [Custom Authorize Attribute](http://stackoverflow.com/questions/5070339/custom-authorize-attribute) – James Aug 23 '12 at 09:42
  • What have you already tried? `FormsAuthentication`, for example? – Sergei Rogovtcev Aug 23 '12 at 09:46
  • Can you explain why you are not interested in writing a custom `MembershipProvider`? – Mohayemin Aug 23 '12 at 09:46
  • I have not tried anything in MVC for authentication yet, but I tried to apply the Authorize action attribute and it didn't work out. Can you please help me? – RL89 Aug 23 '12 at 09:52

1 Answer

0

I recently wrote a custom login solution for MVC. In my case I get an SSO ticket in the query string on the first request to the site. The ticket is verified by a web service call to the ticket service.

Once the identity is verified, I set a normal forms auth cookie to have the identity established on each subsequent call.

In my case I have a custom Identity class, inheriting from `GenericIdentity`. The additional info is passed in the forms auth ticket's user data section. I have my own `Application_AuthenticateRequest` function in global.asax.cs that unpacks the user data and sets the identity.

If you don't have any special data in your forms auth ticket, I think that just setting the cookie on successful authentication is enough: the built-in versions will take care of examining the ticket and setting the request's identity based on the auth ticket.

Anders Abel
  • Do you have any solution for this issue: **Role 1 can edit accounts of Role 2 and Role 3. Role 2 can edit accounts of Role 3 only (restricted from editing Role 1 accounts).** – RL89 Sep 01 '12 at 13:28
  • Use normal role based auth by checking `UserIsInRole`. You just have to make sure that the current roles are set as part of the thread/request identity. – Anders Abel Sep 01 '12 at 15:03
  • Thanks **Anders**, but the problem is that **Role2** is allowed to edit records, which means **Role2** must have access to the same **Edit Controller** as **Role1**, that is, the **Administrator** role. But how can we restrict Role 2 from editing Role 1 and any other Role 2, excluding the logged-in role? – RL89 Sep 01 '12 at 15:13
  • You can't use the normal `Authorize` attribute, it's not flexible enough. Write custom code that checks the conditions as you describe then, by first deciding what roles are allowed/denied for the current operation and then querying if the current user is/isn't in the required roles. – Anders Abel Sep 01 '12 at 15:45
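
The per-record check discussed in the comments above, as an added example that is not code from the question or the answer. It assumes the login code stored the numeric Role ID in the forms auth ticket's user data; `IAccountStore`, `RoleTicket`, `EditPolicy` and the `Index` redirect are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical lookup against the custom User master table.
public interface IAccountStore { int? GetRoleId(int accountId); }

public static class RoleTicket
{
    // Null when the request has no valid forms ticket or no numeric Role ID in it.
    public static int? RoleOf(IPrincipal user)
    {
        var identity = user == null ? null : user.Identity as FormsIdentity;
        int roleId;
        if (identity == null || !int.TryParse(identity.Ticket.UserData, out roleId)) return null;
        return roleId;
    }
}

public static class EditPolicy
{
    // Editor Role ID -> Role IDs whose accounts it may edit (the rule from the question).
    static readonly Dictionary<int, int[]> Allowed = new Dictionary<int, int[]>
        { { 1, new[] { 2, 3 } }, { 2, new[] { 3 } } };

    public static bool CanEdit(int? editor, int? target)
    {
        int[] targets;
        return editor.HasValue && target.HasValue
            && Allowed.TryGetValue(editor.Value, out targets)
            && Array.IndexOf(targets, target.Value) >= 0; // unlisted pairs are denied
    }
}

public class AccountController : Controller
{
    private readonly IAccountStore accounts; // hypothetical, injected
    public AccountController(IAccountStore accounts) { this.accounts = accounts; }
    [Authorize, HttpPost] // [Authorize] only proves the caller is logged in
    public ActionResult Edit(int id, FormCollection form)
    {
        // Decide per target record: Role 2 reaches this action but not Role 1/2 accounts.
        if (!EditPolicy.CanEdit(RoleTicket.RoleOf(User), accounts.GetRoleId(id)))
            return new HttpStatusCodeResult(403);
        // ... apply the edit to account `id` ...
        return RedirectToAction("Index");
    }
}
```

A Role ID carried in the ticket stays in effect until the ticket expires, so a role change in the Role master only applies after the user's next login.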