1

I need to integrate a new Security API into several existing applications in my organization. Some applications use ASP.NET MVC and use the .NET AuthorizeAttribute class to decorate classes with security.

For example:

[Authorize(Roles="MY_CORP\Group1,MY_CORP\Group2")]
public class MyClass
{
    //
}

The code above is based on a Windows authentication configuration. I need to update this implementation to use the new Security API. The new Security API will retrieve a user like this:

var user = new SecurityApi().GetUser(userId);
var groups = user.Groups;

So ideally the updated decorator would look something like this, where GroupX and GroupY exist as user.Groups returned from the Security API:

[Authorize(Roles="GroupX, GroupY")]
public class MyClass
{
    //
}

Any idea how I would go about implementing this?

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
user9393635
  • 1,369
  • 4
  • 13
  • 32
  • 1
    Have you checked this out? Not exactly what you want but I think it will get you there: https://stackoverflow.com/questions/41940905/asp-net-mvc-how-to-create-a-custom-role-provider – JuanR May 25 '18 at 19:39

1 Answers1

0

I use something along the lines of this:

public class RequireAuthAttribute : TypeFilterAttribute
{
    public RequireAuthAttribute(params Roles[] rolesRequirement) 
        : base(typeof(RequireAuthFilter))
    {
        Arguments = new object[] { rolesRequirement };
    }

    public enum Roles: ushort
    {
        CompanyOnly,
        AuthenticatedCustomer,
        AuthorizedCustomer,
        AuthorizedOwnerManager
    }
}

With:

public class RequireAuthFilter : IAsyncActionFilter
{
    private readonly Roles[] _rolesToAllow;

    public RequireAuthFilter(Roles[] rolesRequirement = default(Roles[]))
    {
        _rolesToAllow = rolesRequirement;
    }

    public async Task OnActionExecutionAsync(
    ActionExecutingContext context, 
    ActionExecutionDelegate next ) 
    {
        // Verify is Authenticated
        if (context.HttpContext.User.Identity.IsAuthenticated != true)
        {
            context.HttpContext.SetResponse(401, "User is not Authenticated");
            return;
        }

        var isCompanyAdmin = context.HttpContext.IsCompanyAdmin(); 
        // ^ HttpContext Extension method that looks at our JWT Token 
        // and determines if has required Cliams/Roles.

        if (isCompanyAdmin == true)
        {
            await next();
            return;
        } else {
            context.HttpContext.SetResponse(401, "Restricted to Company");
            return;
        }

        // Other custom logic for each role.
        // You will want to decide if comma represents AND or an OR 
        // when specifying roles.
    }
}

And use like this:

[RequireAuth(Roles.CompanyOnly, Roles.AuthorizedOwnerManager)]
public class MyClass
{
    //
}
ttugates
  • 5,818
  • 3
  • 44
  • 54
  • it looks like TypeFilterAttribute belongs to package Microsoft.AspNetCore.Mvc. I need to implement the solution in an app with a target framework of 4.5.2. Can the TypeFilterAttribute solution be used with a 4.5.2 solution? Or can you recommend an alternative approach for 4.5.2? – user9393635 May 29 '18 at 15:37
  • It will be a couple hours before I am able to get you the code.. But its doable with googling.. I ported this solution over to .Net Core around 6 months ago. Will post solution this evening after work. – ttugates May 29 '18 at 15:40