How can I use OverrideAuthorization globally to authorize a specific role in MVC (without forcing authorization over the entire program)? - asp.net

I'm working on a web application where I want to implement authorization at the controller level using roles. I plan on having multiple controllers, with most controllers utilizing a specific role for authorization. My issue, though, is that I also want to have a role that can be used globally across all controllers and actions. How exactly can I do this?
I've seen a TON of articles on locking things down the opposite way. For example, I know you can go to the FilterConfig.cs file and add a line like this:
filters.Add(new AuthorizeAttribute { Roles = "Administrator" });
But I don't want to approach it this way! This makes it so that every action must have the Administrator role. On top of that, if I use this the only way to get what I want in the controller is then to do:
[OverrideAuthorization]
[Authorize(Roles = "MyControllerRole")]
Some controllers I don't want to use any authorization on, and others I only need to use authorization on a few actions. If I use the above global authorization, I'd have to put this override on every single controller!
Is there some kind of special global override authorization where I can tell my program: "regardless of what roles are used for this controller or action, if the user has the 'Administrator' role they can access this action"?
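One way to get the "Administrator always passes, regardless of the roles on the controller or action" behaviour the question asks about, written here as an added example (not code from the question or from ASP.NET MVC itself), is a drop-in replacement for [Authorize] that checks a configurable global role before falling back to the normal Roles check. The attribute name, the GlobalRole property and ReportsController are assumptions made for the illustration; the only role name taken from the question is "Administrator".

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Drop-in replacement for [Authorize]: the Roles given to it are checked as usual,
// but members of the configured global role always pass on every controller and
// action that carries this attribute. Controllers with no attribute stay open, so
// neither a FilterConfig global filter nor [OverrideAuthorization] is needed.
public sealed class AuthorizeWithGlobalRoleAttribute : AuthorizeAttribute
{
    // Hypothetical: set once at startup (e.g. from Web.config) instead of being
    // repeated on every controller. "Administrator" is the role named in the question.
    public static string GlobalRole { get; set; } = "Administrator";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException(nameof(httpContext));

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;   // anonymous callers never receive the global bypass

        if (!string.IsNullOrEmpty(GlobalRole) && user.IsInRole(GlobalRole))
            return true;    // the global role wins regardless of Roles on this attribute

        // Otherwise the standard Users/Roles check of the base class applies.
        return base.AuthorizeCore(httpContext);
    }
}

// Usage: per-controller role exactly as before, with the global role implied.
[AuthorizeWithGlobalRole(Roles = "MyControllerRole")]
public class ReportsController : Controller
{
    public ActionResult Index() { return View(); }

    // Action-level narrowing still works: a non-admin needs both roles
    // (both filters run), while an Administrator still gets in.
    [AuthorizeWithGlobalRole(Roles = "ReportPublisher")]
    public ActionResult Publish() { return View(); }
}
```

Because the override delegates to base.AuthorizeCore, the base class's OutputCache validation hook (which stops a cached authorized page being served to another user) is kept. The one thing to watch is consistency: any controller still decorated with plain [Authorize(Roles = "...")] will not grant the global role, so the replacement has to be applied uniformly.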

Related

.NET Role Based Access with Resources - best practice

I am developing a .NET MVC application, and currently using only Role Based Access Control. I am wrapping my controllers' endpoints with [Authorize(Roles="Provider")], for example.
Now, I want to add permissions on resources as well, e.g. not only saying if a user can edit a document, but also defining which documents they can edit.
So I want it to look something like -
[Authorize(Roles="Provider")]
[Authorize("CanEditObject1")]
What is the best practice for doing so? What type of authorization is required here? Perhaps I need to mix some (Role Based Access + Policy Based Access)? Do I need to change my whole Authentication method or just add on top of it?
You will want to look into Policies. I too got schooled on this pretty fast when I tried submitting a PR for authorization tag helpers and never got back to it. In short define policies at your composition root and check those with Authorize attributes.
Row level access may require additional checking however unless you can establish membership levels.
Assuming that the authorization at the controller level is read-only, a more restrictive "Edit" role could be enforced at the controller's edit methods by using an authorization attribute on the edit methods. I would also conditionally hide links to edit methods in the view from end users without that role. Another option is to leverage claims that the authenticated user has to discriminate their access to certain resources.
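The policy-based approach the first answer recommends, combined with a resource-based check for the "which documents may this user edit" part, looks like the following in ASP.NET Core. This is an added example, not code from the question or answers: the Document type, the "ProviderOnly" and "CanEditDocument" policy names, DocumentOwnerHandler and the owner-equals-caller rule are all assumptions made for the illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// The resource being protected (hypothetical shape).
public class Document
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
}

// Marker requirement: "may edit this particular document".
public class EditDocumentRequirement : IAuthorizationRequirement { }

// Resource-based handler: receives both the caller and the concrete Document.
public class DocumentOwnerHandler : AuthorizationHandler<EditDocumentRequirement, Document>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        EditDocumentRequirement requirement,
        Document resource)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        // Succeed only when the caller owns the document. Do not call Fail() here:
        // leaving the requirement unmet lets another handler (e.g. an editor group)
        // still succeed, while an unmet requirement is still a denial overall.
        if (userId != null && userId == resource.OwnerId)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

// Composition root: a role policy for the controller, a resource policy for editing.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ProviderOnly", p => p.RequireRole("Provider"));
            options.AddPolicy("CanEditDocument",
                p => p.Requirements.Add(new EditDocumentRequirement()));
        });
        services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>();
    }
}

[Authorize(Policy = "ProviderOnly")]   // coarse-grained: role check on every action
public class DocumentsController : Controller
{
    private readonly IAuthorizationService _authz;

    public DocumentsController(IAuthorizationService authz) { _authz = authz; }

    [HttpPost]
    public async Task<IActionResult> Edit(int id, string newTitle)
    {
        // Placeholder for a repository lookup of the requested document.
        var doc = new Document { Id = id, OwnerId = "user-42" };

        // Fine-grained: the policy is evaluated against this specific document,
        // which an attribute on the action cannot do because it never sees the resource.
        var result = await _authz.AuthorizeAsync(User, doc, "CanEditDocument");
        if (!result.Succeeded)
            return Forbid();

        // ... apply the edit ...
        return Ok();
    }
}
```

The split mirrors the two attributes the question sketches: the role policy stays declarative on the controller, while the per-document decision moves into a handler that is unit-testable on its own and can be reused from views to hide the edit link for documents the user cannot edit.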

Spring security list all @PreAuthorize protected urls

I have an application that uses Spring MVC and Spring Security. We annotate controller methods with @PreAuthorize("hasRole([role])") annotations to ensure that the user has the given role in order to call any method.
So for example we might have an Edit method exposed at "/edit" which requires the user to have the admin role. This works well with the PreAuthorize annotation.
In order to show the Edit button on the UI, we end up duplicating the authorization information on the UI. I would like to avoid this. Is there a way in Spring Security that allows me to check if a user is authorized for a certain url (other than obviously calling that url :)

Verify claims/roles in token with Web API 2 bearer token

I would like to confirm that the claims in the bearer token are up to date on each API call so that I can be sure that the given user still has access to the given method.
For example, for a method decorated with [Authorize(Roles = "admin")] I want to make sure that the user is an admin when the call is executed, not whether the user was an admin when the token was issued.
After some looking around I am planning to write a public class VerifyTokenAttribute : System.Web.Http.AuthorizeAttribute, apply it globally, and inside OnAuthorization check if the action is decorated with Authorize and, if so, get the user info from the database and confirm that the roles match.
Is there a better way?
I planned on doing basically the same thing. In my case, there exists the definition of "system features" where a Role in the system can perform a number of system features. The features a role can perform can vary, and the administrator can change them any time.
So basically, on each request I should grab all the roles a user has, and for each one all the system features it can execute. I thought about something like creating an attribute that would look like this: [CustomAuthorize("Feature_Name")] and applying it to the controller (or action) level. Then, I would need to check if "Feature_Name" is a feature the current user can perform based on their roles.
Of course, that would require access to the database each time.
A possible enhancement would be to cache this information in a cache server, and the cache would be invalidated each time the admin changes the users' privileges. Something like that.
So, as Mayu said: Is there a better way?
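The plan described in this thread (a global System.Web.Http.AuthorizeAttribute subclass that re-checks the roles named on the action against the database, with a cache the admin side invalidates) can be implemented as below. This is an added example, not code from the posters: IUserRoleStore, the 30-second cache lifetime and the Invalidate method are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Source of truth for a user's current roles (hypothetical abstraction over the database).
public interface IUserRoleStore
{
    IEnumerable<string> GetRoles(string userName);
}

// Registered once, globally: config.Filters.Add(new VerifyTokenAttribute(roleStore));
// For any action whose own [Authorize] (or its controller's) names Roles, the roles are
// re-checked against the store, so a token issued while the user was "admin" stops
// working as soon as the database says otherwise. Actions without a Roles requirement
// are left alone, which is why base.OnAuthorization (authenticate everything) is not called.
public sealed class VerifyTokenAttribute : AuthorizeAttribute
{
    private static readonly TimeSpan CacheTtl = TimeSpan.FromSeconds(30);
    private static readonly ConcurrentDictionary<string, Tuple<DateTime, HashSet<string>>> Cache =
        new ConcurrentDictionary<string, Tuple<DateTime, HashSet<string>>>(StringComparer.OrdinalIgnoreCase);

    private readonly IUserRoleStore _store;

    public VerifyTokenAttribute(IUserRoleStore store)
    {
        if (store == null) throw new ArgumentNullException("store");
        _store = store;
    }

    // Call this from the admin code path that changes a user's roles so the change is immediate.
    public static void Invalidate(string userName)
    {
        Tuple<DateTime, HashSet<string>> removed;
        Cache.TryRemove(userName, out removed);
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var descriptor = actionContext.ActionDescriptor;

        // Roles demanded by [Authorize] on the action and on its controller
        // (ignoring this global filter itself, which is also an AuthorizeAttribute).
        var declaredRoles = descriptor.GetCustomAttributes<AuthorizeAttribute>(true)
            .Concat(descriptor.ControllerDescriptor.GetCustomAttributes<AuthorizeAttribute>(true))
            .Where(a => !(a is VerifyTokenAttribute) && !string.IsNullOrWhiteSpace(a.Roles))
            .SelectMany(a => a.Roles.Split(','))
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToList();

        if (declaredRoles.Count == 0)
            return; // nothing role-based to verify on this action

        var principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        var current = CurrentRoles(principal.Identity.Name);
        if (!declaredRoles.Any(current.Contains))
        {
            // The bearer token may still carry the old role claim; the store is authoritative.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }

    private HashSet<string> CurrentRoles(string userName)
    {
        Tuple<DateTime, HashSet<string>> entry;
        if (Cache.TryGetValue(userName, out entry) && DateTime.UtcNow - entry.Item1 < CacheTtl)
            return entry.Item2;

        var fresh = new HashSet<string>(_store.GetRoles(userName), StringComparer.OrdinalIgnoreCase);
        Cache[userName] = Tuple.Create(DateTime.UtcNow, fresh);
        return fresh;
    }
}
```

The built-in [Authorize(Roles = "admin")] still runs and checks the claims in the token; this filter adds the second, database-backed check on top. The cache lifetime bounds how stale a revoked role can be when Invalidate is not called (for instance from a second server), so it should be short.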

Is there a way to programmatically change/create/add/remove authentication roles for actions and controllers in MVC3 [duplicate]

Possible Duplicate:
ASP.NET MVC3 Role and Permission Management -> With Runtime Permission Assignment
Say I have an ActionResult Members in a controller that should only allow members to access it. Normally I would just put a [Authorize(Roles = "Members")] attribute on the action to only allow authenticated users in the Members role to access it.
Is there a way I can allow admins (or whatever) to change it in the future to, let's say, [Authorize(Roles = "Members, PotentialMembers")] (this would allow users in the roles Members and PotentialMembers to access this action)?
Thanks
You can't, unfortunately, do this with the default attribute. You could, however, write your own attribute by inheriting from Authorize (or you can readily get the source for Authorize on the web).
From there, you would have to devise a mechanism for a) storing the allowed roles per controller through some kind of interface, and b) using those mappings in your custom filter attribute to allow/deny access.
If you were to do this, I would recommend loading the mapping at application start up and using an in-memory manager to signal configuration changes.
No, you can't do this with the AuthorizeAttribute. The roles you pass into it are hard compiled into the application.
There are other ways to go about it, though. You could write your own authorization filter. Or you could just create a base class that overrides OnAuthorization or similar.

Advanced .NET Membership/Role Provider

I'm in need of a RoleProvider with the following functionality:
Dynamic Assignment of Roles to Tasks
Authentication / Authorization of IPrincipals based on the dynamically allocated tasks in the system they have privilege to access
Reporting showing who is currently logged in, and other common usage statistics.
I'm pretty sure I'm going to have to roll my own, but wanted to make sure I didn't miss out on something OSS or even from MS.
I'm also using ASP.NET MVC and so my basic plan is to write a custom attribute like: [Authorize(Task=Tasks.DeleteClient)]
and place it over the methods that need authorization.
Rather than authorizing against the Role, I'll authorize the task against the role based on whatever settings the user has configured in the DB.
Thoughts?
You might want to check out NetSqlAzMan. It allows you to define tasks and assign them to roles and then authenticate and authorise your IPrincipal objects.
You may need to roll your own security attribute but NetSqlAzMan should help make that a reasonably easy task.
We had a similar issue with one of our systems. The first thing I'd do is create more AuthorizeAttribute classes for your specific tasks - e.g. DeleteClientAuthorize etc. You can then add specific logic into your classes.
As long as you can access the routines that trigger the change of roles for the current user you should be OK. Just call Membership.DeleteCookie() and this will force the next authorisation request to re-query your data store. It's at that point that you can determine what roles are required now.
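Both the MVC3 question above (changing the roles behind [Authorize(Roles = "Members")] at runtime) and the task-based attribute sketched in this thread come down to the same pattern the answers describe: a custom AuthorizeAttribute that consults a mapping loaded from the database at application start and swapped in memory when an administrator changes it. The following is an added example of that pattern, not code from the posters or from NetSqlAzMan; the Tasks enum, TaskRoleMap and ClientsController are assumptions made for the illustration, and it avoids C# 6 features so it also fits an MVC3-era project.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Tasks the application knows about (hypothetical; the question mentions DeleteClient).
public enum Tasks { ViewClient, EditClient, DeleteClient }

// Runtime mapping task -> allowed roles. Loaded from the database at Application_Start
// and replaced atomically whenever an administrator saves changes, so no recompile
// is needed to grant "PotentialMembers" access to a task.
public static class TaskRoleMap
{
    private static volatile Dictionary<Tasks, string[]> _map = new Dictionary<Tasks, string[]>();

    public static void Reload(IEnumerable<KeyValuePair<Tasks, string[]>> fresh)
    {
        var next = new Dictionary<Tasks, string[]>();
        foreach (var kv in fresh)
            next[kv.Key] = kv.Value.Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
        _map = next;   // reference swap: readers see the old or the new map, never a half-built one
    }

    public static string[] RolesFor(Tasks task)
    {
        string[] roles;
        return _map.TryGetValue(task, out roles) ? roles : new string[0];
    }
}

// [AuthorizeTask(Tasks.DeleteClient)] instead of hard-coding role names on the action.
public sealed class AuthorizeTaskAttribute : AuthorizeAttribute
{
    public Tasks Task { get; private set; }

    public AuthorizeTaskAttribute(Tasks task) { Task = task; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Fail closed: a task with no configured roles is reachable by nobody.
        var allowed = TaskRoleMap.RolesFor(Task);
        return allowed.Any(user.IsInRole);
    }
}

public class ClientsController : Controller
{
    [AuthorizeTask(Tasks.DeleteClient)]
    public ActionResult Delete(int id)
    {
        // ... delete the client ...
        return RedirectToAction("Index");
    }
}

// Called from Global.asax Application_Start with the rows read from the database,
// and again from the admin screen after a change is saved:
//   TaskRoleMap.Reload(new Dictionary<Tasks, string[]> {
//       { Tasks.DeleteClient, new[] { "Members", "PotentialMembers" } } });
```

Overriding only AuthorizeCore keeps the base class's OnAuthorization, and with it the OutputCache validation hook. One caveat that matches the last answer: user.IsInRole goes through the configured RoleProvider, and if roles are cached in the role cookie, a change to the current user's own roles is not seen until that cookie is cleared, which is what the Membership.DeleteCookie() call above forces.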
