How to restrict access to certain actions in controller in ASP.net MVC

Question

I am new to ASP.net MVC and created my first web application using it. In my application I am using database authentication. I have created Login action in controller which checks entered username and password exist in DB or not, If it exist then put required values in Session and redirect user to pages as per his rights else redirect user to login page. Like this

public ActionResult Login()
{
   if(uservalid)
   {
      //set session values and redirect to dashboard
   }
   else
   {
      //redirect to login
   }
}

In my application there are some functionality that can only be accessed when user is logged-in. I want to check whether user is logged-in or not before user try to access these functionality and if he is not logged-in or not have rights then redirect to login page or show some error message.

public ActionResult SomeAction()
{
   //Available only when user is logged-in
}

So how do I check whether user is logged-in or not and give access to action. I read about Authorize attribute but don't know how to use it as I am using database authentication.

score 5 · Answer 1 · answered Nov 21 '13 at 14:30

I apply [Authorize] as well as my own customattribute for restricting the action based on permission. The code is below

 [Authorize]
 [FeatureAuthentication(AllowFeature=FeatureConst.ShowDashboard)]
 public ActionResult Index()
    {

    }

Filter code

public class FeatureAuthenticationAttribute : FilterAttribute, IAuthorizationFilter
 {
    public FeatureConst AllowFeature { get; set; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        //var featureConst = (FeatureConst)filterContext.RouteData.Values["AllowFeature"];

        var filterAttribute = filterContext.ActionDescriptor.GetFilterAttributes(true)
                                .Where(a => a.GetType() == typeof(FeatureAuthenticationAttribute));
        if (filterAttribute != null)
        {
            foreach (FeatureAuthenticationAttribute attr in filterAttribute)
            {
                AllowFeature = attr.AllowFeature;
            }

            User currentLoggedInUser = (User)filterContext.HttpContext.Session["CurrentUser"];
            bool allowed = ACLAccessHelper.IsAccessible(AllowFeature.ToString(), currentLoggedInUser);
            // do your logic...
            if (!allowed)
            {
                string unAuthorizedUrl = new UrlHelper(filterContext.RequestContext).RouteUrl(new { controller = "home", action = "UnAuthorized" });
                filterContext.HttpContext.Response.Redirect(unAuthorizedUrl);
            }
        }
    }
 }

score 5 · Accepted Answer · answered Nov 21 '13 at 14:32

If you are using FormsAuthentication you don't need to use ASP.NET session to track the currently authenticated user.

I read about Authorize attribute but don't know how to use it as I am using database authentication.

Assuming you went with FormsAuthentication, once you have validated the credentials of the user you should set a forms authentication cookie:

public ActionResult Login()
{
   if(uservalid)
   {
      FormsAuthentication.SetAuthCookie("username", false);
      return RedirectToAction("SomeProtectedAction");
   }
   else
   {
      //redirect to login
   }
}

and then:

[Authorize]
public ActionResult SomeAction()
{
   string currentlyLoggedInUser = User.Identity.Name;
}

By the way if you create a new ASP.NET MVC application using the internet template in Visual Studio you might take a look at the AccountController which is responsible for authenticating users and setting forms authentication cookies. Of course you could throw all the Entity Framework crap out of it and implement your own credentials validation against your own database tables.

You said: "you could throw all the Entity Framework crap out of it and implement your own credentials validation against your own database tables".. Is there an example how to do that with Oracle database? I couldn't find one! — Nina, Sep 25 '19 at 06:50

score 2 · Answer 3 · answered Nov 21 '13 at 14:33

you should create a basecontroller and inherit other controlers from base controller and then check whether the session is null or not to authenticate users.

 public class BaseController : Controller
 {
        protected override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            if (Session["User"]== null)
            {
               filterContext.HttpContext.Response.Redirect("/somepage");
        }

 }

public class SomeController : BaseController
{

}

score 0 · Answer 4 · edited May 23 '17 at 12:33

0

There are multiple ways of doing it but the preferred way would be to use the Annotation. Here is a post for it How to get custom annotation attributes for a controller action in ASP.NET MVC 4?

If you are getting started I would suggest to follow the tutorial on http://www.asp.net/mvc

edited May 23 '17 at 12:33

Community

1
1

answered Nov 21 '13 at 14:33

Jinal Shah

325
3
15

I added the answer for the custom attribute checks the permission :) check whether it is useful – Murali Murugesan Nov 21 '13 at 14:37
It is useful but that depends on the case in which CodeWarrior is going to use the annotation. – Jinal Shah Nov 21 '13 at 21:48

How to restrict access to certain actions in controller in ASP.net MVC

4 Answers4

Linked