
I'm currently developing a website with ASP.NET MVC and NHibernate. I need to manage permissions for groups, pages and some other things, and I want my roles, permissions, operations, groups, and everything like that stored in my database.

And, like an old post, I would like to know whether Ayende's Rhino Security toolkit is still relevant, or whether there is any other relevant generic toolkit?

Arnaud

3 Answers


For my new projects I've used the Identity system:

http://www.asp.net/identity

The ASP.NET Identity system is designed to replace the previous ASP.NET Membership and Simple Membership systems. It includes profile support, OAuth integration, works with OWIN, and is included with the ASP.NET templates shipped with Visual Studio 2013.

In particular, this tutorial helped me a lot the first time:

http://benfoster.io/blog/aspnet-identity-stripped-bare-mvc-part-1

Rafa
  • And I don't think using NHibernate would be a problem. – Rafa Apr 08 '16 at 17:33
  • I already integrated the ASP.NET Identity system with my solution, but I need an extended permission toolkit like Ayende Rhino Security which can manage my groups, permissions, operations ... etc. – Arnaud Apr 08 '16 at 18:58
  • Ok, so, I implemented in my last project some functionality where I have roles and AccessLevels. I used roles for controller classes and access levels per controller method. 1 user can have 1 role and multiple access levels. I have 1 access level called "General" which is assigned to everyone and another called "MoneyGuy" that only a specific group of people can have. – Rafa Apr 08 '16 at 19:13
  • Thing is, I overrode some functionality of System.Security.Claims, the AuthorizeCore and the OnAuthorization, and it was actually pretty simple (no more than 10 lines of code). At the end my methods have something like this: [BMClaimsAuthorize("AccessLevel", "General")] – Rafa Apr 08 '16 at 19:20
  • and yes every role and access level are stored in a database, I can send you the code if you think it can help – Rafa Apr 08 '16 at 19:23
  • Yes, but the roles linked to methods are in your attributes? I want to avoid doing this. – Arnaud Apr 08 '16 at 19:33
  • For readability, you may consider refining your original question & answer with those subsequent updates you are doing through commenting. Then delete the comments which would be no more useful. (At some point, if deviating from original question, you may open a new question instead.) – Frédéric Apr 08 '16 at 21:38

You may also consider MembershipReboot. As far as I know it still goes beyond ASP.NET Identity, though it was initially done to overcome Membership's shortcomings.

About the Rhino Security toolkit, I do not know what state it is in.

Frédéric

Here is an example of what I did.

Step 1 - creating the claims for the user

using System.Linq;
using System.Security.Claims;

// Build the identity for the signed-in user. "BMMC" is the authentication type
// the cookie middleware was configured with ("ApplicationCookie" is the template default).
var primaryRole = usr.Roles.FirstOrDefault();
var identity = new ClaimsIdentity(
    new[] {
        new Claim(ClaimTypes.Name, usr.Name),
        new Claim(ClaimTypes.Email, usr.Email),
        // FirstOrDefault() returns null for a user with no role, so guard before reading .Role
        new Claim(ClaimTypes.Role, primaryRole != null ? primaryRole.Role : string.Empty),
        new Claim("StuffXId", usr.StuffXId + ""), // + "" converts the id (or null) to a string
        new Claim("StuffYId", usr.StuffYId + "")
    },
    "BMMC" // "ApplicationCookie"
);

// One "AccessLevel" claim per access level, so a user can belong to several groups
foreach (AccessLevels x in usr.AccessLevels)
    identity.AddClaim(new Claim("AccessLevel", x.Access));

Step 2 - I created my class BMClaimsAuthorize

using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Authorizes only when the signed-in user carries a claim with exactly this type and value.
// Applied as [BMClaimsAuthorize("AccessLevel", "General")] on a controller or an action.
public class BMClaimsAuthorize : AuthorizeAttribute
{
    public string ClaimType { get; set; }
    public string Value { get; set; }

    public BMClaimsAuthorize() { }

    public BMClaimsAuthorize(string ClaimType, string Value)
    {
        this.ClaimType = ClaimType;
        this.Value = Value;
    }

    protected override bool AuthorizeCore(HttpContextBase context)
    {
        // Deny unless the user is authenticated, claims-based, and holds the required claim
        return context.User.Identity.IsAuthenticated
            && context.User.Identity is ClaimsIdentity
            && ((ClaimsIdentity)context.User.Identity).HasClaim(x =>
                x.Type == ClaimType && x.Value == Value);
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        // The base class sets a 401 result on failure; replace it with a redirect to the denied page
        if (filterContext.Result is HttpUnauthorizedResult)
            filterContext.Result = new RedirectResult("~/Account/DeniedAccess");
    }
}

Step 3 - using project.BMTools (imported my library)

// Only users holding the "AccessLevel" = "General" claim reach this action
[BMClaimsAuthorize("AccessLevel", "General")]
public ActionResult Index()
{
    // CurrentUser comes from my own base controller class (see below)
    ViewBag.Name = CurrentUser.Name;
    ViewBag.Email = CurrentUser.Email;
    ViewBag.StuffX = CurrentUser.ValueOf("StuffXId");
    return View();
}

I created my own controller class (which inherits from Controller) that helps me get the user claims easily:

CurrentUser.Name

but that is another subject.

That is my actual code. I have 2 tables where users are mapped to a role and access levels.

Role only tells whether they are admins or not (kept as a table instead of a user field in case I later on need multiple roles); they go on top of the controller classes that only admins can access.

AccessLevel tells everything else (they filter by method). If you need something more complex, you can add more claims (like my AccessLevel claim) and edit BMClaimsAuthorize and its AuthorizeCore method to meet your criteria.

For example, make it accept an array of strings, so you send something like this:

[BMClaimsAuthorize("AccessLevel", new[] { "General", "Admin", "other", ... })]

Hope this helps!

Rafa
  • And yes, in my example, users can have many AccessLevels, this means they can be part of many groups – Rafa Apr 08 '16 at 22:23
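The "array of values" variant Rafa suggests above, written out as an added example (not Rafa's code or the project's): the attribute takes a `params string[]`, grants access when the user holds any one of the listed values of the claim type, and keeps the default 401 for anonymous users so they still reach the login page, redirecting only authenticated users who lack the claim. The attribute name `ClaimsAuthorizeAnyAttribute` is hypothetical; the `AccessLevel` claim type and `~/Account/DeniedAccess` route are taken from the answer.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Added example: grants access when the user holds ANY of the listed values of one claim type,
// e.g. [ClaimsAuthorizeAny("AccessLevel", "General", "Admin")].
// Several of these attributes on one action must all pass (MVC runs every authorization filter).
public class ClaimsAuthorizeAnyAttribute : AuthorizeAttribute
{
    private readonly string claimType;
    private readonly string[] allowedValues;

    public ClaimsAuthorizeAnyAttribute(string claimType, params string[] allowedValues)
    {
        if (string.IsNullOrEmpty(claimType))
            throw new ArgumentException("A claim type is required.", "claimType");
        this.claimType = claimType;
        this.allowedValues = allowedValues ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User == null ? null : httpContext.User.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        // Ordinal comparison: claim values are identifiers, not culture-sensitive text
        return identity.FindAll(claimType)
            .Any(c => allowedValues.Contains(c.Value, StringComparer.Ordinal));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not signed in: keep the default 401 so the cookie middleware sends the user to login
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Signed in but lacking the claim: go to the denied page (route assumed from the answer)
        // rather than the login page, which would only loop for an already-authenticated user
        filterContext.Result = new RedirectResult("~/Account/DeniedAccess");
    }
}
```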