7

I am writing an example file storage system (example just for stackoverflow).

My current domain models look as such:

public class User
{
    public int ID { get; set; }
    public string LoginIdentifier { get; set; }
    public string Password { get; set; }
}

public class File
{
    public int ID { get; set; }
    public int UserID { get; set; }
    public string FileName { get; set; }
    public byte[] Data { get; set; }
}

The code I am writing to create the IPrincipal:

private static IPrincipal CreatePrincipal(User user)
{
    Debug.Assert(user != null);

    var identity = new GenericIdentity(user.LoginIdentifier, "Basic");

    // TODO: add claims
            identity.AddClaim(new Claim("Files", "Add"));

    return new GenericPrincipal(identity, new[] { "User" });
}

In my system, a user can add files, they can also retrieve, delete, and update them, however, the caveat to that is a user can only retrieve and modify their own files (where File.UserID should match the identity of the logged in user).

My Files controller looks as follows.

[Authorize]
public class FilesController : ApiController
{
    private readonly FileRepository _fileRepository = new FileRepository();

    public void Post(File file)
    {
        // not sure what to do here (...pseudo code...)
        if (!CheckClaim("Files", "Add"))
        {
            throw new HttpError(HttpStatusCode.Forbidden);
        }

        // ... add the file
        file.UserID = CurrentPrincipal.UserID; // more pseudo code...

        _fileRepository.Add(file);
    }

    public File Get(int id)
    {
        var file = _fileRepository.Get(id);

        // not sure what to do here (...pseudo code...)
        if (!CheckClaim("UserID", file.UserID))
        {
            throw new HttpError(HttpStatusCode.Forbidden);
        }

        return file;
    }
}

Maybe using Claims isn't the right tool for the job, but hopefully this illustrates the problem.

How should I wire up my controllers to ensure the currently logged in user has access to do specific actions and more specifically, certain resources?

Matthew
  • 24,703
  • 9
  • 76
  • 110

2 Answers2

5

I am not sure if claims are the right approach for what you are doing. What you really want to represent are permissions. A claim typically represent an identity attribute such as user name, email or roles it belong to, but not permissions. You could represent permissions with claims, but you might need tons of it depending on how big your application is. A typical approach is to map a role to a set of permissions (in your case, add files would be a permission). You can also create a custom Authorization filter deriving from the AuthorizeAttribute to check if the current principal has the right permissions to execute the action. That filter might receive the permissions required to execute the action as arguments.

Pablo Cibraro
  • 3,769
  • 3
  • 25
  • 17
  • in this instance, I think the claim would be the `UserID`. – Matthew May 02 '13 at 02:22
  • Yes, that makes sense. You can also have claims for representing user roles. Then you map a role to a set of permissions. For example, Admin => Add File, Remove File, etc – Pablo Cibraro May 02 '13 at 02:25
5

Pablo is right - claims describe identity. You use that identity to come to an authorization decision though. There is a separate abstraction for that called ClaimsAuthorizationManager.

Have a look here: http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

leastprivilege
  • 18,196
  • 1
  • 34
  • 50
  • 1
    I read this article before posting this question, the part I am concerned about (and what I didn't understand) is the `ClaimsAuthorization.CheckAccess(“Get”, “CustomerId”, id.ToString());` statement. Specifically, how would something like this be implemented (in my scenario)? – Matthew May 02 '13 at 15:35
  • You could pass "modify/whatever", "file" and file owner to the claims authZ manager. This would then check if the current principal matches the file owner. – leastprivilege May 03 '13 at 12:18