I have a web project using ASP.NET MVC3. Now clients ask for a security management feature. Here's some context of this project:
- A public web site using forms authentication.
- The client wants to self-manage the security (including roles, users, and actions on resources).
- User is a domain model of the project.
- Granularity of access control should at least go to the action level (return an unauthorized page to the user when the user performs an unauthorized action). But it is preferred to change view content based on the user's authorization (dynamically show only authorized elements on the view page).
I'm not quite good at ASP.NET MVC. I don't know whether the built-in membership provider and role provider are OK for this requirement. But I prefer to build up my own model provider for (resource categories, actions, roles, groups, etc.) for total control. But there seem to be other factors to consider like caching, performance or something else.
Can someone give me some advice on how to implement this feature and how to apply it to my project? Some sample projects would be even better.
Thanks a lot
The approach I take pretty much boils down to an Access Control List that is a series of keys to represent the type of access and a series of bit values for the type of action (Read, Insert, Modify, and Delete).
The whole site is populated via a REST style API utilizing ajax and json. Each piece of functionality is wrapped with a series of permission tests (I cache the Access Control List).
Example scenario:
User (Admin) is accessing a list of users.
This would call for the following Access keys and actions to be evaluated for the code being executed:
Obviously these conditions are compared to the logged-in user's assigned role and the Access Control permission associated with that role.
With the access list and permissions stored in the database, a user can alter which access item and action is assigned to which roles.
Because you’re going to give the users the ability to modify these associations it would be very beneficial to add a description for each Access Control item.
Good luck!
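A minimal C# sketch of the ACL described in this answer, as an added example rather than the answerer's own code: action bits combined with `[Flags]`, an in-memory ACL (the rows here are constructed sample data standing in for the cached database table), a deny-by-default check that requires every requested bit, and an `AuthorizeAttribute` subclass that returns the unauthorized result when the check fails. The names `AclEntry`, `AccessControlList` and `AclAuthorizeAttribute` are assumptions, and the example assumes roles come from the built-in `Roles.GetRolesForUser`; a custom role store would be substituted there.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Bit values for the type of action; combine with | to grant several at once.
[System.Flags]
public enum AccessAction { None = 0, Read = 1, Insert = 2, Modify = 4, Delete = 8 }

// One ACL row: which role may perform which actions on an access key (e.g. "Users").
// Description is shown in the self-management UI so users understand what they grant.
public class AclEntry
{
    public string Role { get; set; }
    public string AccessKey { get; set; }
    public AccessAction Allowed { get; set; }
    public string Description { get; set; }
}

// Stands in for the cached copy of the database table (constructed sample rows).
public static class AccessControlList
{
    private static readonly List<AclEntry> Entries = new List<AclEntry>
    {
        new AclEntry { Role = "Admin",  AccessKey = "Users", Description = "Full user management",
                       Allowed = AccessAction.Read | AccessAction.Insert | AccessAction.Modify | AccessAction.Delete },
        new AclEntry { Role = "Editor", AccessKey = "Users", Description = "View user list only",
                       Allowed = AccessAction.Read },
    };

    // Deny by default: some role of the user must hold every bit in 'required'.
    public static bool IsAllowed(IEnumerable<string> roles, string accessKey, AccessAction required)
    {
        return Entries.Any(e => roles.Contains(e.Role)
                             && e.AccessKey == accessKey
                             && (e.Allowed & required) == required);
    }
}

// Usage on a controller action: [AclAuthorize("Users", AccessAction.Read)]
// A false result makes MVC return its unauthorized result for the request.
public class AclAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _accessKey; private readonly AccessAction _required;
    public AclAuthorizeAttribute(string accessKey, AccessAction required) { _accessKey = accessKey; _required = required; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;   // unauthenticated users fail first
        var roles = Roles.GetRolesForUser(httpContext.User.Identity.Name);
        return AccessControlList.IsAllowed(roles, _accessKey, _required);
    }
}
```

The same `AccessControlList.IsAllowed` call can be used from a view to show or hide elements, which covers the question's second requirement without duplicating the permission logic.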