2

I spent two weeks searching for solution which allows me to make permission-based authentication. I have database schema like this

User <- Role <--> Permissions

Users has only one role which is connected with permissions using many to many relationship

I already wrote my models for these entities.

I start with Asp.Net Identity, but its default schema isn't designed for permission-based authentication.

I also tried to use Cookie Middleware but i can't override ClaimsPrincipal and use my model of user account

The only thing I can do at the moment is writting from the beginning a simple authentication library that uses the session, but it's bad idea due to security issues

Documentation of new version of Asp.Net mvc isn't finished yet, but maybe someone know how to help me ? :/

Kuba
  • 1,415
  • 1
  • 18
  • 29
  • Take a look to _AuthorizeAttribute_ and to this question to make a custom attribute with your rules: http://stackoverflow.com/questions/746998/override-authorize-attribute-in-asp-net-mvc – ADreNaLiNe-DJ Feb 16 '16 at 12:44
  • 1
    @ADreNaLiNe-DJ That's for previous versions of MVC. It is *not* applicable. – blowdart Feb 16 '16 at 15:12
  • I didn't know. but there's already a question about authentication for MVC6: http://stackoverflow.com/questions/31464359/custom-authorizeattribute-in-asp-net-5-mvc-6 – ADreNaLiNe-DJ Feb 16 '16 at 15:21
  • @ADreNaLiNe-DJ T Which doesn't address the issue either. – blowdart Feb 16 '16 at 17:40

1 Answers1

0

There are two options.

  1. You map the permissions to claims. Roles are really just a grouping in your scenario and not something you would authorize upon. So when create the user claims principal you'd add claims for each permission, then validate them in your authorization policies.
  2. You create role claims, and then inside the authorize policies you would go to your database and pull the permissions out of there and see if the role fulfills the policy. Authorization requirements handlers can take DI registered classes, so you'd register your PermissionsProvider on application startup, and then reference it in the constructor for your handler.

You can leverage the cookie authentication system identity uses without having to roll your own, getting the signed validation for free. All you would need to do, at a minimum is implement login, logout and a forbidden page.

blowdart
  • 55,577
  • 12
  • 114
  • 149