I am using the [Authorize] attribute on my WebAPI controller action and it's always coming back unauthorized.
Here is my action
[Authorize(Roles = "Admin")]
public IQueryable<Country> GetCountries()
{
return db.Countries;
}
Here is where I am setting the Authorization in a Global MessageHandler. This is for testing I'm putting in a test user.
public class AuthenticationHandler1 : DelegatingHandler
{
protected override Task<HttpResponseMessage> SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
HttpContext.Current.User = TestClaimsPrincipal();
}
return base.SendAsync(request, cancellationToken);
}
private ClaimsPrincipal TestClaimsPrincipal()
{
var identity = new ClaimsIdentity(HttpContext.Current.User.Identity.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, "some.user"));
identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
identity.AddClaim(new Claim(ClaimTypes.Role, "Supervisor"));
var testIdentity = new ClaimsIdentity(identity);
var myPrincipal = new ClaimsPrincipal(testIdentity);
return myPrincipal;
}
}
Registered in Global.asax.cs in Application_Start
GlobalConfiguration.Configuration.MessageHandlers.Add(new MyProject.AuthenticationHandler1());
It keeps showing this for a message
{"Message":"Authorization has been denied for this request."}
I made a Custom Authorization Attribute and it works.
public class AuthorizationAttribute : System.Web.Http.AuthorizeAttribute
{
public string Roles { get; set; }
protected override bool IsAuthorized(HttpActionContext actionContext)
{
ClaimsPrincipal currentPrincipal = HttpContext.Current.User as ClaimsPrincipal;
if (currentPrincipal != null && CheckRoles(currentPrincipal))
{
return true;
}
else
{
actionContext.Response =
new HttpResponseMessage(
System.Net.HttpStatusCode.Unauthorized)
{
ReasonPhrase = "Some message"
};
return false;
}
}
private bool CheckRoles(ClaimsPrincipal principal)
{
string[] roles = RolesSplit;
if (roles.Length == 0) return true;
return roles.Any(principal.IsInRole);
}
protected string[] RolesSplit
{
get { return SplitStrings(Roles); }
}
protected static string[] SplitStrings(string input)
{
if(string.IsNullOrWhiteSpace(input)) return new string[0];
var result = input.Split(',').Where(s=>!String.IsNullOrWhiteSpace(s.Trim()));
return result.Select(s => s.Trim()).ToArray();
}
}
Use it like this
[AuthorizationAttribute(Roles = "SomeRole,Admin")]
public IQueryable<Country> GetCountries()
{
}
Related
I'm learning ASP .NET and I'd want to make a simple registration/login page.
I've created my public class AccountController : Controller in this way:
public class AccountController : Controller
{
private readonly UserManager<ApplicationUser> _userManager;
private readonly SignInManager<ApplicationUser> _signInManager;
private readonly IEmailSender _emailSender;
private readonly ILogger _logger;
public AccountController(
UserManager<ApplicationUser> userManager,
SignInManager<ApplicationUser> signInManager,
IEmailSender emailSender,
ILogger<AccountController> logger)
{
_userManager = userManager;
_signInManager = signInManager;
_emailSender = emailSender;
_logger = logger;
}
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
if (ModelState.IsValid)
{
// This doesn't count login failures towards account lockout
// To enable password failures to trigger account lockout, set lockoutOnFailure: true
var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
{
_logger.LogInformation("Utente loggato.");
return RedirectToLocal(returnUrl);
}
if (result.RequiresTwoFactor)
{
return RedirectToAction(nameof(LoginWith2fa), new { returnUrl, model.RememberMe });
}
if (result.IsLockedOut)
{
_logger.LogWarning("User bloccato.");
return RedirectToAction(nameof(Lockout));
}
else
{
ModelState.AddModelError(string.Empty, "Tentativo di login fallito.");
return View(model);
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
public IActionResult Register(string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
return View();
}
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
if (ModelState.IsValid)
{
var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
var result = await _userManager.CreateAsync(user, model.Password);
if (result.Succeeded)
{
_logger.LogInformation("L'utente ha creato un nuovo account con una nuova password.");
var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
var callbackUrl = Url.EmailConfirmationLink(user.Id, code, Request.Scheme);
await _emailSender.SendEmailConfirmationAsync(model.Email, callbackUrl);
//diallowed signin for self registration, email should be confirmed first
//await _signInManager.SignInAsync(user, isPersistent: false);
_logger.LogInformation("L'utente ha creato un nuovo account con una nuova password.");
return RedirectToConfirmEmailNotification();
}
AddErrors(result);
}
return View(model);
}
public async Task<IActionResult> ConfirmEmail(string userId, string code)
{
if (userId == null || code == null)
{
return RedirectToAction(nameof(HomeController.Index), "Home");
}
var user = await _userManager.FindByIdAsync(userId);
if (user == null)
{
throw new ApplicationException($"Unable to load user with ID '{userId}'.");
}
var result = await _userManager.ConfirmEmailAsync(user, code);
return View(result.Succeeded ? "ConfirmEmail" : "Error");
}
}
Then I created Startup class and I've written the following method:
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Landing}/{action=Index}/{id?}");
});
}
When I register a new user I can see it into the database but I don't receive any mail and I can't log in with the new user if I try.
I've watched some tutorials on YouTube about it and read the Microsoft documentation. To me it seems correct compared with what I've done, but surely I have to modify something and I don't notice it.
EDIT: this is what I've done for EmailSender and NetcoreService class:
public class EmailSender : IEmailSender
{
private SendGridOptions _sendGridOptions { get; }
private INetcoreService _netcoreService { get; }
private SmtpOptions _smtpOptions { get; }
public EmailSender(IOptions<SendGridOptions> sendGridOptions,
INetcoreService netcoreService,
IOptions<SmtpOptions> smtpOptions)
{
_sendGridOptions = sendGridOptions.Value;
_netcoreService = netcoreService;
_smtpOptions = smtpOptions.Value;
}
public Task SendEmailAsync(string email, string subject, string message)
{
//send email using sendgrid via netcoreService
_netcoreService.SendEmailBySendGridAsync(_sendGridOptions.SendGridKey,
_sendGridOptions.FromEmail,
_sendGridOptions.FromFullName,
subject,
message,
email).Wait();
return Task.CompletedTask;
}
}
NetcoreService class:
public async Task SendEmailBySendGridAsync(string apiKey, string fromEmail, string fromFullName, string subject, string message, string email)
{
var client = new SendGridClient(apiKey);
var msg = new SendGridMessage()
{
From = new EmailAddress(fromEmail, fromFullName),
Subject = subject,
PlainTextContent = message,
HtmlContent = message
};
msg.AddTo(new EmailAddress(email, email));
await client.SendEmailAsync(msg);
}
I'm trying to assign a token to my header in the request and when the action has finished to save a new token. Problem is that it assigns it to the HttpContext.Request.Headers and not to the client that is calling the API.
ActionFilter
public class TokenFilter: ActionFilterAttribute {
private static string _token {
get;
set;
}
public override void OnActionExecuting(ActionExecutingContext filterContext) {
base.OnActionExecuting(filterContext);
if (_token != null) {
filterContext.HttpContext.Request.Headers.Add("AuthToken", "Token " + _token);
}
}
public override void OnActionExecuted(ActionExecutedContext filterContext) {
base.OnActionExecuted(filterContext);
_token = filterContext.HttpContext.Request.Headers["AuthToken"];
_token = _token.Substring(_token.IndexOf(" "));
_token = _token.Remove(0, 1);
if (Client.DefaultRequestHeaders.Contains("AuthToken"))
}
}
Controller Action
[HttpPost]
[TokenFilter]
public async Task < IActionResult > LogIn(User user) {
try {
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(
Encoding.UTF8.GetBytes(user.Username + ":" + user.Password)));
HttpResponseMessage clientTask = await client.GetAsync("https://localhost:44324/api/Auth/LogIn");
if (clientTask.IsSuccessStatusCode) {
string txtBlock = await clientTask.Content.ReadAsStringAsync();
var tokenObject = JsonConvert.DeserializeObject < SessionAPI > (txtBlock);
client.DefaultRequestHeaders.Authorization = null;
client.DefaultRequestHeaders.Add("AuthToken", "Token " + tokenObject.Token);
return RedirectToAction("Index", "Home");
}
else return View("LogInIndex", user);
}
catch(Exception e) {
throw new Exception("An Error has occured" + e);
}
}
The main idea is to have a token that after LogIn is to be assigned to every request that is sent to the API untill Log Out. I know that i can use cookies but part of the assignment is not to use them. Currently i have the Token just being a static string for testing, but that eventually has to be moved somewhere dynamicly for every User.
EDIT
This is an example method that can be called after a successful Log In
[HttpGet]
[TokenFilter]
public async Task<IActionResult> ListAll()
{
try
{
//client.DefaultRequestHeaders.Add("AuthToken", "Token " + HttpContext.Request.RouteValues["token"]);
HttpResponseMessage clientTask = await client.GetAsync("https://localhost:44324/api/User/ListAll");
if (clientTask.IsSuccessStatusCode)
{
string txtBlock = await clientTask.Content.ReadAsStringAsync();
List<User> users = JsonConvert.DeserializeObject<List<User>>(txtBlock);
client.DefaultRequestHeaders.Authorization = null;
return View("ListAll", users);
}
else
return RedirectToAction("Index", "Home");
}
catch (Exception e)
{
throw new Exception("An Error has occured" + e);
}
}
You don't have to override OnActionExecuting
You can do this as follow
public class TokenFilter: ActionFilterAttribute
{
public override void OnActionExecuted(HttpActionExecutedContext filterContext)
{
if (_token != null)
{
filterContext.Response.Headers.Add("AuthToken", "Token " + _token);
}
}
}
I am uploading files using ng-file-upload and having some abnormal problem as the HttpContext.Current is null when using the IAuthenticationFilter. While everything working correctly when I comment the authentication filter in WebApiConfig.
Controller to Test
[HttpPost]
public IHttpActionResult Upload()
{
var current = HttpContext.Current;
if (current == null)
{
return Content(HttpStatusCode.BadRequest, Logger.Error("HttpContext.Current is null"));
}
if (current.Request != null && current.Request.Files != null)
{
var file = current.Request.Files.Count > 0 ? current.Request.Files[0] : null;
if (file != null)
{
file.SaveAs(#"C:\Temp\test.csv");
}
}
return Content(HttpStatusCode.BadRequest, Logger.Error("Should not reach here"));
}
IAuthenticationFilter
public class KeyAuthentication : Attribute, IAuthenticationFilter
{
// we only want to apply our authentication filter once on a controller or action method so return false:
public bool AllowMultiple
{
get { return false; }
}
// Authenticate the user by apiKey
public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
{
HttpRequestMessage request = context.Request;
string apiKey = ExtractApiKey(request);
bool IsValidCustomer = await ValidateKey(apiKey);
if (IsValidCustomer)
{
var currentPrincipal = new GenericPrincipal(new GenericIdentity(apiKey), null);
context.Principal = principal;
}
else
{
context.ErrorResult = new ErrorMessageResult("Missing API Key");
}
}
// We don't want to add challange as I am using keys authenticaiton
public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
{
return Task.FromResult(0);
}
}
Extract API Key
public static string ExtractApiKey(HttpRequestMessage request)
{
if (!request.Headers.TryGetValues("x-api-key", out IEnumerable<string> keys))
return string.Empty;
return keys.First();
}
The solution was to include "targetFramework=4.5" in the web.config as commented by #Alfredo and more details in https://stackoverflow.com/a/32338414/3973463
I'm working on a MVC project. I want to use custom authorization attribute. First of all I used an example in this blog post.
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
public string RolesConfigKey { get; set; }
protected virtual CustomPrincipal CurrentUser => HttpContext.Current.User as CustomPrincipal;
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (!filterContext.HttpContext.Request.IsAuthenticated) return;
var authorizedRoles = ConfigurationManager.AppSettings["RolesConfigKey"];
Roles = string.IsNullOrEmpty(Roles) ? authorizedRoles : Roles;
if (string.IsNullOrEmpty(Roles)) return;
if (CurrentUser == null) return;
if (!CurrentUser.IsInRole(Roles)) base.OnAuthorization(filterContext);
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (!filterContext.HttpContext.Request.IsAuthenticated) return;
}
}
I use this custom principal in my base controller.
public class CustomPrincipal : IPrincipal
{
public CustomPrincipal(string userName) { this.Identity = new GenericIdentity(userName); }
public bool IsInRole(string userRoles)
{
var result = true;
var userRolesArr = userRoles.Split(',');
foreach (var r in Roles)
{
if (userRolesArr.Contains(r)) continue;
result = false;
break;
}
return result;
}
public IIdentity Identity { get; }
public string UserId { get; set; }
public string FirstName { get; set; }
public string LastName { get; set; }
public string[] Roles { get; set; }
}
In my routeconfig my default route is /Account/Index where users login operations in. And this is account controllers Index action.
[HttpPost, ValidateAntiForgeryToken]
public ActionResult Index(AccountViewModel accountModel)
{
var returnUrl = string.Empty;
if (!ModelState.IsValid) { return UnsuccessfulLoginResult(accountModel.UserName, ErrorMessages.WrongAccountInfo); }
var account = _accountService.CheckUser(accountModel.UserName, accountModel.Password);
if (account == null) return UnsuccessfulLoginResult(accountModel.UserName, ErrorMessages.WrongAccountInfo);
var roles = account.Roles.Select(r => r.RoleName).ToArray();
var principalModel = new CustomPrincipalModel
{
UserId = account.UserId,
FirstName = "FirstName",
LastName = "LastName",
Roles = roles
};
var userData = JsonConvert.SerializeObject(principalModel);
var ticket = new FormsAuthenticationTicket(1, account.UserId, DateTime.Now, DateTime.Now.AddMinutes(30), false, userData);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.Cookies.Add(cookie);
SetCulture(account.DefaultCulture);
if (!Array.Exists(roles, role => role == "admin" || role == "user")) return UnsuccessfulLoginResult(accountModel.UserName, ErrorMessages.WrongAccountInfo);
if (roles.Contains("admin")) { returnUrl = Url.Action("Index", "Admin"); }
if (roles.Contains("user")) { returnUrl = Url.Action("Index", "Upload"); }
return SuccessfulLoginResult(accountModel.UserName, returnUrl);
}
As you can see when user is in admin role this action redirects user /Admin/Index otherwise /Upload/Index. But after I logged in a user has user role and typed /Admin/Index , authorization filters not working and user can access admin page.
Although I have added to UploadController and AdminController this attribute this error is occuring. How can I fix this ?
[CustomAuthorize(Roles = "user")]
public class UploadController : BaseController
[CustomAuthorize(Roles = "admin")]
public class AdminController : BaseController
You need to add claims for your user, add this part to your method:
. . .
var roles = account.Roles.Select(r => r.RoleName).ToArray();
ClaimsIdentity identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, accountModel.UserName));
roles.ToList().ForEach((role) => identity.AddClaim(new Claim(ClaimTypes.Role, role)));
identity.AddClaim(new Claim(ClaimTypes.Name, userCode.ToString()));
. . .
Problem solved with these changes.
In my CustomAuthorizeAttribute changed this line
if (!filterContext.HttpContext.Request.IsAuthenticated) return;
to
if (!filterContext.HttpContext.Request.IsAuthenticated) base.OnAuthorization(filterContext);
And removed lines that I read allowed roles from web config. So my attributes final version like below
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
protected virtual CustomPrincipal CurrentUser => HttpContext.Current.User as CustomPrincipal;
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (!filterContext.HttpContext.Request.IsAuthenticated) base.OnAuthorization(filterContext);
if (string.IsNullOrEmpty(Roles)) return;
if (CurrentUser == null) return;
if (!CurrentUser.IsInRole(Roles)) filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
}
}
Then I added a controller named ErrorController and redirected to this page when user not in role.
With these changes I realized that I was unable to access my /Account/Index and added [AllowAnonymous] attribute to actions below.
[AllowAnonymous]
public ActionResult Index() { return View(); }
[HttpPost, ValidateAntiForgeryToken, AllowAnonymous]
public ActionResult Index(AccountViewModel accountModel)
I'm using Asp.net Identity Framework 2.1. I implement customized ApplicatoinUser, ApplicationRole, ApplicationUserRole, because I want to add support to multi-tenant, that is each user belongs to different companies, but I have 3 roles among all these companies, they are User, Admin and Approver.
My ApplicationUserRole derived from IdentityUserRole, and have one more property: CompanyId. This property will indicate the user's role in this particular company. My code for these customized classes attached in bottom.
My question is when I try to override ApplicationUserManager(Yes, it derived from UserManager too)'s AddToRoleAsync , IsInRoleAsync , I don't know how to deal with the new CompanyId, looks like the existing function doesn't receive these companyId(or tenantId).
Then when I'm trying to overload these functions with companyId included, I can't find the db context either in ApplicatoinUserManager nor its base class.
Am I on the right track of adding tenantId/companyId to the application Role?
I've referenced this answer: SO linkes, and this blog.ASP.NET Web Api and Identity 2.0 - Customizing Identity Models and Implementing Role-Based Authorization
My IdentityModels:
public class ApplicationUserLogin : IdentityUserLogin<string> { }
public class ApplicationUserClaim : IdentityUserClaim<string>
{
}
public class ApplicationUserRole : IdentityUserRole<string>
{
public string CompanyId { get; set; }
}
// You can add profile data for the user by adding more properties to your ApplicationUser class, please visit http://go.microsoft.com/fwlink/?LinkID=317594 to learn more.
public class ApplicationUser : IdentityUser<string, ApplicationUserLogin, ApplicationUserRole, ApplicationUserClaim>//, IAppUser
{
public ApplicationUser()
{
this.Id = Guid.NewGuid().ToString();
}
public virtual string CompanyId { get; set; }
public virtual List<CompanyEntity> Company { get; set; }
public DateTime CreatedOn { get; set; }
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(ApplicationUserManager manager, string authenticationType)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);
// Add custom user claims here
return userIdentity;
}
}
// Must be expressed in terms of our custom UserRole:
public class ApplicationRole : IdentityRole<string, ApplicationUserRole>
{
public ApplicationRole() {}
public ApplicationRole(string name) : this()
{
this.Name = name;
}
// Add any custom Role properties/code here
public string Description { get; set; }
}
// Most likely won't need to customize these either, but they were needed because we implemented
// custom versions of all the other types:
public class ApplicationUserStore: UserStore<ApplicationUser, ApplicationRole, string,ApplicationUserLogin, ApplicationUserRole,ApplicationUserClaim>, IUserStore<ApplicationUser, string>, IDisposable
{
public ApplicationUserStore()
: this(new IdentityDbContext())
{
base.DisposeContext = true;
}
public ApplicationUserStore(DbContext context)
: base(context)
{
}
}
public class ApplicationRoleStore
: RoleStore<ApplicationRole, string, ApplicationUserRole>,
IQueryableRoleStore<ApplicationRole, string>,
IRoleStore<ApplicationRole, string>, IDisposable
{
public ApplicationRoleStore()
: base(new IdentityDbContext())
{
base.DisposeContext = true;
}
public ApplicationRoleStore(DbContext context)
: base(context)
{
}
}
My IdentityConfig:
public class ApplicationUserManager
: UserManager<ApplicationUser, string>
{
public ApplicationUserManager(IUserStore<ApplicationUser, string> store)
: base(store) { }
public static ApplicationUserManager Create(
IdentityFactoryOptions<ApplicationUserManager> options,
IOwinContext context)
{
var manager = new ApplicationUserManager(
new UserStore<ApplicationUser, ApplicationRole, string,
ApplicationUserLogin, ApplicationUserRole,
ApplicationUserClaim>(context.Get<ApplicationDbContext>()));
// Configure validation logic for usernames
manager.UserValidator = new UserValidator<ApplicationUser>(manager)
{
AllowOnlyAlphanumericUserNames = false,
RequireUniqueEmail = false
};
// Configure validation logic for passwords
manager.PasswordValidator = new PasswordValidator
{
RequiredLength = 6,
//RequireNonLetterOrDigit = true,
//RequireDigit = true,
//RequireLowercase = true,
//RequireUppercase = true,
};
var dataProtectionProvider = options.DataProtectionProvider;
if (dataProtectionProvider != null)
{
manager.UserTokenProvider =
new DataProtectorTokenProvider<ApplicationUser>(
dataProtectionProvider.Create("ASP.NET Identity"));
}
// add sms and email service provider
manager.SmsService = new EMaySmsServiceProvider();
manager.EmailService = new ConcordyaEmailServiceProvider();
return manager;
}
public string GetCurrentCompanyId(string userName)
{
var user = this.FindByName(userName);
if (user == null)
return string.Empty;
var currentCompany = string.Empty;
if (user.Claims.Count > 0)
{
currentCompany = user.Claims.Where(c => c.ClaimType == ConcordyaPayee.Core.Common.ConcordyaClaimTypes.CurrentCompanyId).FirstOrDefault().ClaimValue;
}
else
{
currentCompany = user.CurrentCompanyId;
}
return currentCompany;
}
public override Task<IdentityResult> AddToRoleAsync(string userId, string role, string companyId)
{
return base.AddToRoleAsync(userId, role);
}
#region overrides for unit tests
public override Task<bool> CheckPasswordAsync(ApplicationUser user, string password)
{
return base.CheckPasswordAsync(user, password);
}
public override Task<ApplicationUser> FindByNameAsync(string userName)
{
return base.FindByNameAsync(userName);
}
#endregion
}
public class ApplicationRoleManager : RoleManager<ApplicationRole>
{
public ApplicationRoleManager(IRoleStore<ApplicationRole, string> roleStore)
: base(roleStore)
{
}
public static ApplicationRoleManager Create(
IdentityFactoryOptions<ApplicationRoleManager> options,
IOwinContext context)
{
return new ApplicationRoleManager(
new ApplicationRoleStore(context.Get<ApplicationDbContext>()));
}
}
First of all, I would like to say thanks for taking it this far. It gave me a great start for my multi-tenant roles solution. I'm not sure if I'm 100% right, but this works for me.
Firstly, you cannot override any of the "RoleAsync" methods, but you can overload them. Secondly, the UserStore has a property called "Context" which can be set to your DbContext.
I had to overload the "RoleAsyc" methods in both my UserStore and UserManager extended classes. Here is an example from each to get you going:
MyUserStore
public class MyUserStore : UserStore<MyUser, MyRole, String, IdentityUserLogin, MyUserRole, IdentityUserClaim> {
public MyUserStore(MyDbContext dbContext) : base(dbContext) { }
public Task AddToRoleAsync(MyUser user, MyCompany company, String roleName) {
MyRole role = null;
try
{
role = Context.Set<MyRole>().Where(mr => mr.Name == roleName).Single();
}
catch (Exception ex)
{
throw ex;
}
Context.Set<MyUserRole>().Add(new MyUserRole {
Company = company,
RoleId = role.Id,
UserId = user.Id
});
return Context.SaveChangesAsync();
}
}
MyUserManager
public class MyUserManager : UserManager<MyUser, String>
{
private MyUserStore _store = null;
public MyUserManager(MyUserStore store) : base(store)
{
_store = store;
}
public Task<IList<String>> GetRolesAsync(String userId, int companyId)
{
MyUser user = _store.Context.Set<MyUser>().Find(new object[] { userId });
MyCompany company = _store.Context.Set<MyCompany>().Find(new object[] { companyId });
if (null == user)
{
throw new Exception("User not found");
}
if (null == company)
{
throw new Exception("Company not found");
}
return _store.GetRolesAsync(user, company);
}
}
From here a couple scary things happen and I don't know a better way to manage them.
The User "IsInRole" method in the HttpContext will work but it will not be tenant-sensitive so you can no longer use it.
If you use the "Authorize" attribute, the same idea for "scary thing 1" applies, but here you can just extend it and make things happy for your system. Example below:
MyAuthorizeAttribute
public class MyAuthorizeAttribute : AuthorizeAttribute {
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (null == httpContext)
{
throw new ArgumentNullException("httpContext");
}
HttpSessionStateBase session = httpContext.Session;
IList<String> authorizedRoleNames = Roles.Split(',').Select(r => r.Trim()).ToList();
if (!httpContext.User.Identity.IsAuthenticated)
{
return false;
}
if (null == session["MyAuthorize.CachedUsername"])
{
session["MyAuthorize.CachedUsername"] = String.Empty;
}
if (null == session["MyAuthorize.CachedCompanyId"])
{
session["MyAuthorize.CachedCompanyId"] = -1;
}
if (null == session["MyAuthorize.CachedUserCompanyRoleNames"])
{
session["MyAuthorize.CachedUserCompanyRoleNames"] = new List<String>();
}
String cachedUsername = session["MyAuthorize.CachedUsername"].ToString();
int cachedCompanyId = (int)session["MyAuthorize.CachedCompanyId"];
IList<String> cachedUserAllRoleNames = (IList<String>)session["MyAuthorize.CachedUserAllRoleNames"];
IPrincipal currentUser = httpContext.User;
String currentUserName = currentUser.Identity.Name;
int currentCompanyId = (int)session["CurrentCompanyId"];//Get this your own way! I used the Session in the HttpContext.
using (MyDbContext db = MyDbContext.Create())
{
try
{
MyUser mUser = null;
ICollection<String> tmpRoleIds = new List<String>();
if (cachedUsername != currentUserName)
{
session["MyAuthorize.CachedUsername"] = cachedUsername = String.Empty;
//Reload everything
mUser = db.Users.Where(u => u.Username == currentUserName).Single();
session["MyAuthorize.CachedUsername"] = currentUserName;
session["MyAuthorize.CachedCompanyId"] = cachedCompanyId = -1; //Force Company Reload
cachedUserCompanyRoleNames.Clear();
}
if (cachedUserCompanyRoleNames.Count != db.Users.Where(u => u.Username == currentUserName).Single().Roles.Select(r => r.RoleId).ToList().Count)
{
cachedUserCompanyRoleNames.Clear();
if (0 < currentCompanyId)
{
if(null == mUser)
{
mUser = db.Users.Where(u => u.Username == cachedUsername).Single();
}
tmpRoleIds = mUser.Roles.Where(r => r.Company.Id == currentCompanyId).Select(r => r.RoleId).ToList();
session["MyAuthorize.CachedUserCompanyRoleNames"] = cachedUserCompanyRoleNames = db.Roles.Where(r => tmpRoleIds.Contains(r.Id)).Select(r => r.Name).ToList();
session["MyAuthorize.CachedCompanyId"] = cachedCompanyId = currentCompanyId;
}
}
if (cachedCompanyId != currentCompanyId)
{
cachedUserCompanyRoleNames.Clear();
//Reload company roles
if (0 < currentCompanyId)
{
if(null == mUser)
{
mUser = db.Users.Where(u => u.Username == cachedUsername).Single();
}
tmpRoleIds = mUser.Roles.Where(r => r.Company.Id == currentCompanyId).Select(r => r.RoleId).ToList();
session["MyAuthorize.CachedUserCompanyRoleNames"] = cachedUserCompanyRoleNames = db.Roles.Where(r => tmpRoleIds.Contains(r.Id)).Select(r => r.Name).ToList();
session["MyAuthorize.CachedCompanyId"] = cachedCompanyId = currentCompanyId;
}
}
}
catch (Exception ex)
{
return false;
}
}
if (0 >= authorizedRoleNames.Count)
{
return true;
}
else
{
return cachedUserCompanyRoleNames.Intersect(authorizedRoleNames).Any();
}
}
}
In closing, as I said, I'm not sure if this is the best way to do it, but it works for me. Now, throughout your system, make sure you used your overloaded methods when dealing with Roles. I am also thinking about caching the Roles in a MVC BaseController that I wrote so that I can get similar functionality to User.IsInRole in all of my MVC Views.