
I am using Integrated Windows Authentication in my application so domain users alone can access the application.

After this step, I am doing some additional authentication to check whether that domain user is permitted to access the application (domain user will be added in a database table).

To achieve this, I am doing it in the following way. Is this the best practice? Please advise.

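```csharp
using System.Web;
using System.Web.Mvc;

public class CCUKAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Windows authentication (and any Users/Roles settings) must pass first
        var isAuthorized = base.AuthorizeCore(httpContext);

        var isUserAddedinDB = true; // Code to check whether user is added in DB

        // Require both checks; returning only the DB flag would ignore the base result
        return isAuthorized && isUserAddedinDB;
    }
}
```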

1 Answer

What you are trying to do is first check authentication and then check for an authorization rule (can he access the application). I guess this is a one-time check which happens only during the first-time authentication process. In that case you had better separate that logic into a different method (Separation of Concerns).

Generally, in an MVC application, if you need to do a custom authorization check, I would recommend doing the authorization check by overriding the "Authorize" attribute (example).

Dhanuka777
  • Different method? Can you please explain a bit more on this? And authorization is the thing I am trying to do. But I am already using `AuthorizeAttribute` only. Please see my updated question. –  Apr 04 '16 at 10:14
  • What I am suggesting is that you do this database check in the Application_AuthenticateRequest event in Global.asax, which triggers after authentication. If that does not fit into your scenario, you will have to cache (e.g. store in session or Redis cache etc.). – Dhanuka777 Apr 04 '16 at 22:50
  • Refer to this - http://stackoverflow.com/questions/10746245/context-user-is-null-in-application-authenticaterequest-via-windows-auth-in-asp – Dhanuka777 Apr 04 '16 at 22:51
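An added example, not code from the question or the answer: one way to combine the Windows-authentication check with a cached database allow-list lookup in a single attribute, returning 403 to authenticated users who are not in the table. The names `DbAllowListAuthorizeAttribute` and `IsUserInDb`, the sample account and the five-minute cache lifetime are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Runtime.Caching;
using System.Web;
using System.Web.Mvc;

public class DbAllowListAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical stand-in for the table of permitted domain users; replace with a
    // parameterized query. The account below is constructed sample data.
    public static Func<string, bool> IsUserInDb = name =>
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice" }.Contains(name);

    // Attribute instances are shared across requests, so the cache is static and thread-safe.
    private static readonly MemoryCache Cache = MemoryCache.Default;
    // Assumed lifetime: also the longest a removed user keeps access.
    private static readonly TimeSpan CacheFor = TimeSpan.FromMinutes(5);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Fail closed: the base check confirms an authenticated identity (plus Users/Roles if set).
        if (!base.AuthorizeCore(httpContext))
            return false;

        string name = httpContext.User.Identity.Name; // DOMAIN\user under Windows authentication
        string key = "allowlist:" + name.ToUpperInvariant();

        object cached = Cache.Get(key);
        if (cached != null)
            return (bool)cached;

        bool permitted = IsUserInDb(name);
        Cache.Set(key, permitted, DateTimeOffset.UtcNow.Add(CacheFor));
        return permitted;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user missing from the table gets 403 instead of another 401 challenge.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Both allowed and denied results are cached, so the cache lifetime bounds how long a change to the table takes to apply in either direction.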