I am adding ASP.NET MVC to an existing WebForms application. For the time being, I don’t care about authentication/logging in, since this part is handled by existing code (Forms authentication).
In the existing WebForms application, we have a fully custom permission-based authorization per page. So each user has a set of rights, listing the pages he is allowed to access.
Now I need to decide how I can use the same permission system to restrict access to specific MVC controllers and actions.
As I understand, for ASP.NET MVC there is a standard AuthorizeAttribute where I can specify roles. I also found some articles which suggest specifying permissions instead of roles – then it’s possible to do something like this:
[CustomAuthorize(Roles = "View products, Edit products")]
By extending AuthorizeAttribute, I can also define how I store and access permissions.
This solution would be acceptable for me (although changing the semantics of roles smells a bit).
But before committing to it, I’d like to see what other options there are. And that’s where I am stuck – I haven’t found a full-blown overview of different approaches on authorization in ASP.NET MVC. I would also like to know how all the security concepts (like Forms Authentication, Membership Providers, Authorization Attribute, IPrincipal, etc.) are related to each other and how they are supposed to work together.
First thing you have to understand is that much like Webforms, there is a pipeline in MVC. Each request goes through a number of methods, and there are extension points along the way that you can “hook into” and do things.
All the AuthorizeAttribute does is hook into the OnAuthorization extension point, and decide whether to give someone access or not based on criteria you have supplied to it (usernames, roles, etc..).
Here’s an example: http://geekswithblogs.net/brians/archive/2010/07/08/implementing-a-custom-asp.net-mvc-authorization-filter.aspx
You can create your own custom authorization attribute, and do exactly the same thing with your own criteria. You don’t need to re-purpose the Roles parameter, you can create all your own if you want.
This is the method that MVC prefers. One other nice thing is that if you also make it a filter, then you can add it to the global filters and have it apply to everything if you want.
You basically have two other reasonable choices. Implement a handler in global.asax in Application_AuthenticateRequest (not recommended) or create a common BaseController that you override OnAuthorize (the Attribute hooks the same thing, but in a different place).
Lots of people try to do authentication using Session variables, and that’s just the worst thing to do.
Since we don’t know anything about your authentication and permission system, all we can do is provide general advice.