
I have the following scenario:

-> A WebAPI which gives me a custom Permission Manager that has methods to check whether the user can access some resource or not.

-> After the login I call that WebAPI and store the PermissionManager.

-> On each action I would check using "[Authorize("ResourceName")]" against the PermissionManager.

I've read a lot of docs, but just can't figure out how to correctly implement this.

Challenges:

* What's the best way to store the PermissionManager class? Cache?

* I've tried building it using IAuthorizationRequirement. But how to access the policy name given in the "Authorize("ResourceName")"?

* It would be good not to store the user's resources in claims, given that this application has a lot of resources and I'm using cookies to persist claims.

Any tips and suggestions would be appreciated.

Alan Araya
  • https://github.com/leastprivilege/AspNetCoreSecuritySamples – David Pine May 27 '16 at 16:29
  • Check out the documentation on how to implement Policy based authorization http://docs.asp.net/en/latest/security/authorization/dependencyinjection.html or here for an example on how to populate it from DB http://stackoverflow.com/a/36447358/455493 – Tseng May 27 '16 at 16:31
  • @Tseng in the Stack Overflow answer you suggest, how to pass the "IUserPermissionsRepository" if that repo comes from a WebAPI just after the user makes his login? – Alan Araya May 27 '16 at 18:26
  • As long as the repository (or `DbContext` if you don't use repositories) is registered in the ASP.NET Core Dependency Injection container, it will resolve automatically. – Tseng May 27 '16 at 23:50
  • Ok. But in my case the repository comes from another system which controls access permissions. And it's sent to me after the user makes his login. How to solve that? Because I can't register in DI something that changes after the app is running. – Alan Araya May 29 '16 at 15:08
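
One way to wire up what the question and comments describe, added here as an example and not code from any of the posters or linked samples: a custom policy provider turns the name in `[Authorize("ResourceName")]` into a requirement, and a handler checks it against a per-user permission set held in a server-side cache instead of in cookie claims. `ResourceRequirement`, `ResourcePolicyProvider`, `ResourceHandler` and the `"perm:"` cache key are hypothetical names, and the code assumes a current ASP.NET Core release with `IMemoryCache` and a `NameIdentifier` claim in the cookie.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Options;

// Hypothetical requirement carrying the name given in [Authorize("ResourceName")].
public class ResourceRequirement : IAuthorizationRequirement
{
    public ResourceRequirement(string resource) { Resource = resource; }
    public string Resource { get; }
}

// Any policy name that was not registered explicitly becomes a ResourceRequirement.
public class ResourcePolicyProvider : DefaultAuthorizationPolicyProvider
{
    public ResourcePolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        var registered = await base.GetPolicyAsync(policyName);
        if (registered != null) return registered;
        return new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddRequirements(new ResourceRequirement(policyName))
            .Build();
    }
}

// Reads the permission set stored at login (assumed key: "perm:" + user id).
// A cache miss or an unknown resource never calls Succeed, so access is denied.
public class ResourceHandler : AuthorizationHandler<ResourceRequirement>
{
    private readonly IMemoryCache _cache;
    public ResourceHandler(IMemoryCache cache) { _cache = cache; }

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ResourceRequirement requirement)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null
            && _cache.TryGetValue("perm:" + userId, out ISet<string> allowed)
            && allowed.Contains(requirement.Resource))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}
```

Register the pieces once at startup with `services.AddMemoryCache()`, `services.AddSingleton<IAuthorizationPolicyProvider, ResourcePolicyProvider>()` and `services.AddSingleton<IAuthorizationHandler, ResourceHandler>()`, then after login store the set returned by the permission WebAPI with `cache.Set("perm:" + userId, allowed, TimeSpan.FromMinutes(20))`. Because the cookie can outlive the cache entry (expiry or app restart), the handler denies on a miss and the permissions have to be fetched again.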

0 Answers