
How do I go about Authorization in MVC 2?

I want to use AD groups/roles rather than the default that is provided. That seems to be "AspNetSqlMembershipProvider".

Anyway I put :

    [Authorize(Users = "username")]
    public ActionResult About()
    {
        ViewData["Welcome"] = "Welcome About";

        return View();
    }

And then loading the page gives me: The connection name 'ApplicationServices' was not found in the applications configuration or the connection string is empty.

      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
      </providers>
    </membership>

I read this Stack Overflow question, but after creating a custom class AuthorizationAttribute extending ActionFilterAttribute, ContextCache, IoC and a number of other things could not resolve, and I'm not really sure where to go from there. I also read this Stack Overflow question and it suggests going about it differently; I'm starting to get confused.

How do I go about using AD groups rather than AspNetSqlMembershipProvider in an MVC app?

Bonus question: Say I have an "Edit" button on a page. Can I add logic to decide whether to render this button based on the authorization?

Thank you for your help.


Edit: some further information.

I do not intend to block or allow ALL access to this site.

I intend to have 3 basic user groups differentiating level of access, i.e. Super Admin, Admin, Basic Access.

There will be no login form; when the user hits the site we will check which group the user is a member of, then the page renders based on that.

So for example, user 'bob' in the 'Basic Access' group will hit the page and buttons/actions like "Edit" and "Delete" are disabled, so basically a read-only group. But user 'jim' in the 'Super Admin' group has all actions/buttons available to him. How could I achieve this?

baron

3 Answers


You should look into Windows Authentication.

Still use the Authorize attribute on your controllers/actions, but configure your site to use Windows Authentication instead.

Bonus answer: To check authentication and authorization in code, you can use one of the following from a controller:

    this.User.Identity.IsAuthenticated
    this.User.Identity.Name
    this.User.IsInRole("roleName")

devdigital
  • It's more putting this code in the view to render or not render certain controls, i.e. a Delete button for the user in the basic access group... – baron Aug 05 '11 at 00:09
  • Thank you - that link has helped a lot. Do you know how I go about customizing the "Not Authorized" page? "By default, when using the ASP.NET Development Server, you simply get a blank page. The page is served with a 401 Not Authorized HTTP Response Status." – baron Aug 05 '11 at 00:24
  • Yes, you can write your own Authorize attribute, deriving from the standard one, and override the HandleUnauthorizedRequest method. See http://paulallen.com.jm/blog/aspnet-mvc-redirect-unauthorized-access-page-401-page for details. – devdigital Aug 05 '11 at 09:23
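A worked C# example, added here and not taken from any of the answers, tying the pieces together: an attribute derived from the standard AuthorizeAttribute that overrides HandleUnauthorizedRequest (as the comment above suggests), actions restricted to AD groups, and a view helper that only renders a link when User.IsInRole succeeds. It assumes `<authentication mode="Windows" />` in web.config; the group names `YOURDOMAIN\...`, the controller and the "NotAuthorized" view are placeholders.

```csharp
using System.Web.Mvc;
using System.Web.Mvc.Html;

// Under Windows authentication User is a WindowsPrincipal, so IsInRole and the Roles
// property check AD group membership using DOMAIN\GroupName names (placeholders below).
public class AdAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Authenticated but not in the required group: 403 plus a friendly page
            // instead of the blank 401 the development server shows by default.
            filterContext.HttpContext.Response.StatusCode = 403;
            filterContext.Result = new ViewResult { ViewName = "NotAuthorized" };
        }
        else
        {
            // Not authenticated: let the base class issue the 401 challenge so the
            // browser completes the Windows (NTLM/Kerberos) handshake.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

public class DocumentsController : Controller
{
    // Any authenticated user (all three groups) can read.
    [AdAuthorize]
    public ActionResult Index() { return View(); }

    // Enforcement lives here, whatever the view chooses to render.
    [AdAuthorize(Roles = @"YOURDOMAIN\Super Admin,YOURDOMAIN\Admin")]
    public ActionResult Edit(int id) { return View(); }

    [AdAuthorize(Roles = @"YOURDOMAIN\Super Admin")]
    public ActionResult Delete(int id) { return View(); }
}

// View helper: render the action link only when the current user holds one of the roles.
public static class RoleHtmlHelpers
{
    public static MvcHtmlString ActionLinkIfInRole(this HtmlHelper html, string text,
        string action, params string[] roles)
    {
        var user = html.ViewContext.HttpContext.User;
        foreach (var role in roles)
            if (user.IsInRole(role))
                return html.ActionLink(text, action);
        return MvcHtmlString.Empty;
    }
}
```

In an ASPX view, `<%= Html.ActionLinkIfInRole("Edit", "Edit", @"YOURDOMAIN\Super Admin", @"YOURDOMAIN\Admin") %>` shows the button only to the admin groups; the action-level attribute is still what denies the request, since hiding a link is not an access control.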

The answers to use Windows authentication work great, with the following caveats.

First, the server must be joined to your Domain. And it has to have free AD access if there are any firewalls in place.

Second, you have to be ok with having a popup dialog for login, rather than using a form based login.

If you need AD with forms login, then there's more work involved. Can you be more specific about your needs?

Erik Funkenbusch
  • I don't want any forms login. The server is in the domain and has AD access. Pop up is fine - I assume you mean a pop up prompt for creds when they open the browser. Although I assume they prob won't get the popup if they are running the browser under the context of the user authorized. So there will be no log on form to the site. The user just hits it then we will check and allow certain actions activities based on which group they are a member of i.e. Super admin, admin, basic user... – baron Aug 05 '11 at 00:08
  • @baron - If you are using Internet Explorer, and both the user and server are in the same domain, then under most circumstances yes, you will not get a login box and authentication can happen seamlessly. However, this won't work with other browsers and they will get the popup. – Erik Funkenbusch Aug 05 '11 at 05:04
Well, you can restrict access to the site via web.config.

    <authentication mode="Windows" />
    <authorization>
        <allow roles="[YOURADSERVER]\[YOUR AD GROUP]"/>
        <deny users="*"/>
    </authorization>

This will block anyone not listed in the given AD groups.

In IIS you will need to disable anonymous access and enable Windows authentication.

nologo
  • This is the all or nothing approach? My requirements are more complex than that. Certain actions/activities/buttons should not be available to certain users - and this distinction is made through AD groups. – baron Aug 05 '11 at 00:04