Is it possible to create a rule for access permissions on controllers?

Question
-
User-733224187 posted
Hello, guys, I was wondering if it is possible to create a rule to access the most dynamic controllers, instead of using the authorize, because as our application is evolving, putting in each controller the authorization of the paper is already getting complicated.
I only found examples in Asp.Net Core or using owin Identity, but starting from scratch without using the individual user account.
Example of roles:
https://codinginfinite.com/dynamic-role-based-authorization-asp-net-core-assign-database/
Monday, August 19, 2019 8:24 PM
All replies
-
User475983607 posted
You asked a similar question here; https://forums.asp.net/p/2158689/6274233.aspx?Re+How+make+a+dynamic+Authorize+ where we illustrated how to use an authorization filter. The filter is where you write code to grant or deny access to a resource.
It is up to you to design a table schema and write code to support your requirements which are unknown at this point.
By the way, the link is for ASP.NET Core but you posted this question in an MVC forum. Are you building an ASP.NET Core application?
Monday, August 19, 2019 8:40 PM -
User-733224187 posted
In case that was an example of the idea I wanted to put in the application and not that I was using Core, I want to delete that question, it ended up leaving a lot of context
Monday, August 19, 2019 8:54 PM -
User-733224187 posted
Your example is using httpContext.User.Identity.Name, in my case it is not useful because I am using a new user table and I am not using Owin
Monday, August 19, 2019 8:58 PM -
User-474980206 posted
If your custom authentication is not filling in User.Identity.Name, then you should fix this first.
Monday, August 19, 2019 10:01 PM -
User475983607 posted
Your example is using httpContext.User.Identity.Name, in my case it is not useful because I am using a new user table and I am not using Owin
You misunderstand a few fundamental concepts. OWIN is a specification for building features that can be injected into a hosted application outside the .NET framework. HttpContext.User.Identity.Name is a static property of the Controller class that exposes the principal object of the current request context. In a browser based application, the principal is commonly set by an authentication cookie framework.
You are correct, there is an OWIN Cookie Authentication API that you can use if you like. There is also the older Forms Authentication. I personally prefer the OWIN Cookie Authentication Middleware because it handles claims too. Claims give you more options when it comes to granting access to secured resources. However, both APIs populate HttpContext.User.Identity.Name.
Monday, August 19, 2019 10:05 PM -
User-733224187 posted
I understand, do you have an example of form authentication?
Tuesday, August 20, 2019 6:10 PM -
User475983607 posted
I understand, do you have an example of form authentication?
I'm a little confused. According to your similar thread you implement forms authentication. Are you receiving an error?
    // Crypto.Hash (System.Web.Helpers) is an unsalted SHA-256; v.Password must hold a value produced the same way.
    if (string.Compare(Crypto.Hash(login.Password), v.Password) == 0)
    {
        int timeout = login.RememberMe ? 525600 : 20; // 525600 min = 1 year
        var ticket = new FormsAuthenticationTicket(login.UserName, login.RememberMe, timeout);
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Expires = DateTime.Now.AddMinutes(timeout);
        cookie.HttpOnly = true; // keep the ticket out of reach of script
        Response.Cookies.Add(cookie);
    }
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, August 20, 2019 6:22 PM -
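The snippet quoted above compares an unsalted Crypto.Hash of the submitted password with the stored value and then hand-builds the forms ticket. Below is an added example (not code from the thread) of the same login action written the way a reviewer would want it: it verifies a salted PBKDF2 hash with Crypto.VerifyHashedPassword, issues the ticket with an explicit expiration, sets the cookie flags, and only follows a local return URL. LoginViewModel, AppUser and IUserRepository are assumed placeholder types; the thread does not show the poster's own.

```csharp
using System;
using System.Web;
using System.Web.Helpers;    // Crypto lives in System.Web.Helpers.dll
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model and user store standing in for the poster's own user table.
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AppUser
{
    public string UserName { get; set; }
    public string PasswordHash { get; set; }   // value produced by Crypto.HashPassword at registration
}

public interface IUserRepository
{
    AppUser FindByUserName(string userName);
}

public class AccountController : Controller
{
    private readonly IUserRepository _users;

    public AccountController(IUserRepository users)
    {
        _users = users;
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel login, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(login);
        }

        AppUser user = _users.FindByUserName(login.UserName);

        // Crypto.VerifyHashedPassword checks a salted PBKDF2 hash created by Crypto.HashPassword, so two
        // users with the same password get different stored values. One generic message keeps "unknown
        // user" and "wrong password" indistinguishable to the caller.
        if (user == null || !Crypto.VerifyHashedPassword(user.PasswordHash, login.Password))
        {
            ModelState.AddModelError(string.Empty, "Invalid user name or password.");
            return View(login);
        }

        int timeoutMinutes = login.RememberMe ? 525600 : 20;   // 525600 min = 1 year, as in the thread
        var ticket = new FormsAuthenticationTicket(
            1,                                        // ticket version
            user.UserName,                            // becomes HttpContext.User.Identity.Name on later requests
            DateTime.Now,
            DateTime.Now.AddMinutes(timeoutMinutes),
            login.RememberMe,
            string.Empty);                            // userData: no roles are stored in the ticket

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable by script
            Secure = FormsAuthentication.RequireSSL,  // mirrors <forms requireSSL="true" /> in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (login.RememberMe)
        {
            cookie.Expires = ticket.Expiration;       // otherwise a session cookie, gone when the browser closes
        }
        Response.Cookies.Add(cookie);

        // Only follow returnUrl when it points back into this site, so the login page cannot bounce users elsewhere.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

The registration action has to store Crypto.HashPassword(password) rather than Crypto.Hash(password) for this to work; the two formats are not interchangeable.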
User-733224187 posted
If I put Authorize on the Home controller, it says that it is not authorized. I followed an example that I think creates a login and register from scratch; only the login does not authorize. Another doubt was to make the Authorize dynamic, where I create the roles in a view and select with a checkbox which controller it can access to create, edit and delete.
example:
https://drive.google.com/file/d/1zisLxoY3QGaUdsfsfvsS6sOe_UH91C07/view?usp=sharing
https://drive.google.com/file/d/1b1FNM7PRzLgFjUK1BEpPAqAo7Wp5acga/view?usp=sharing
https://drive.google.com/file/d/1GqVQ4t0PVIOd6kewf0jv3e22JZIajjmO/view?usp=sharing
Tuesday, August 20, 2019 6:47 PM -
User475983607 posted
Forms authentication is very simple. Add the forms authentication configuration to web.config to turn on forms authentication.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="/account/login" />
  </authentication>
</system.web>
Create a controller with login actions and a secured action.
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // GET: Account
    [Authorize]
    public ActionResult Index()
    {
        return View();
    }

    // GET: Login
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }

    // POST: Login
    [AllowAnonymous]
    [HttpPost]
    public ActionResult Login(string submit)
    {
        if (submit == "submit")
        {
            // Demonstration only: issues a forms ticket for a fixed user name without checking any credential.
            FormsAuthentication.RedirectFromLoginPage("GibsonLesPaul", false);
        }
        return View();
    }
}
Login View
@{ ViewBag.Title = "Login"; } <h2>Login</h2> @using (Html.BeginForm()) { <input id="Submit1" type="submit" value="submit" name="submit" /> }
Index View
@{ ViewBag.Title = "Index"; } <h2>Index</h2> @User.Identity.Name
Go the the Account/Index page. You'll be redirected to login. Click the button and you'll go back to the Index page where you will see the username.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, August 20, 2019 8:03 PM -
User-474980206 posted
In your example you are creating a role / claim per action
[Authorize(Roles = "MyController.MyAction")]
[HttpGet]
public ActionResult MyAction() { ... }

[Authorize(Roles = "MyController.MyAction")]
[HttpPost]
public ActionResult MyAction(MyModel model) { ... }
then you assign roles to a user. If the role only needs to apply at the controller, then just assign at the controller. You may also do something like:
[Authorize(Roles = "MyController.Read")]
[Authorize(Roles = "MyController.Write")]
[Authorize(Roles = "MyController.Delete")]
if that makes sense. You could assign .Read at the controller, and the others at the action as needed.
Tuesday, August 20, 2019 9:58 PM -
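The thread mentions an authorization filter as the place to grant or deny access, and the poster wants a screen where a role is ticked per controller for create, edit and delete. The block below is an added example, not code from the thread or from any linked project, of one way to put that together in ASP.NET MVC 5: an AuthorizeAttribute subclass registered once as a global filter that resolves the current controller and the required Read/Write/Delete grant (from a RequiresPermission attribute on the action, or from the HTTP method when none is declared) and checks it against a permission store. IPermissionStore, InMemoryPermissionStore and the user grants are constructed stand-ins for the tables the poster's permissions view would edit.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

public enum Permission { Read, Write, Delete }

// Declares the grant an action needs; actions without it fall back to the HTTP-method default below.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequiresPermissionAttribute : Attribute
{
    public Permission Permission { get; private set; }
    public RequiresPermissionAttribute(Permission permission) { Permission = permission; }
}

public interface IPermissionStore
{
    bool IsAllowed(string userName, string controller, Permission permission);
}

// Constructed stand-in for the user/controller/permission tables (user name -> "Controller.Permission").
public class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, HashSet<string>> Grants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Home.Read", "Orders.Read", "Orders.Write" } },
            { "bob",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Home.Read" } }
        };

    public bool IsAllowed(string userName, string controller, Permission permission)
    {
        HashSet<string> grants;
        return !string.IsNullOrEmpty(userName)
            && Grants.TryGetValue(userName, out grants)
            && grants.Contains(controller + "." + permission);   // deny unless explicitly granted
    }
}

public class DynamicAuthorizeAttribute : AuthorizeAttribute
{
    private const string PermissionKey = "DynamicAuthorize.RequiredPermission";
    private readonly IPermissionStore _store = new InMemoryPermissionStore(); // resolve from DI in a real app

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // AuthorizeCore only receives the HttpContext, so record here what this action demands.
        var declared = filterContext.ActionDescriptor
            .GetCustomAttributes(typeof(RequiresPermissionAttribute), true)
            .OfType<RequiresPermissionAttribute>()
            .FirstOrDefault();
        filterContext.HttpContext.Items[PermissionKey] = declared != null
            ? declared.Permission
            : DefaultFor(filterContext.HttpContext.Request.HttpMethod);

        // The base class skips [AllowAnonymous] actions and controllers (MVC 4+) and then calls AuthorizeCore.
        base.OnAuthorization(filterContext);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))
        {
            return false;   // no valid forms authentication ticket at all
        }
        string controller = Convert.ToString(httpContext.Request.RequestContext.RouteData.Values["controller"]);
        object stashed = httpContext.Items[PermissionKey];
        // Items is empty when this runs from an output-cache validation callback; fall back to the method default.
        Permission required = stashed is Permission ? (Permission)stashed : DefaultFor(httpContext.Request.HttpMethod);
        return _store.IsAllowed(httpContext.User.Identity.Name, controller, required);
    }

    // Anything that is not a safe method counts as a write unless the action says otherwise.
    private static Permission DefaultFor(string httpMethod)
    {
        bool safe = string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase)
                 || string.Equals(httpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);
        return safe ? Permission.Read : Permission.Write;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A signed-in user who lacks the grant gets 403; redirecting them to the login page would only loop.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);   // 401, which forms authentication turns into the loginUrl redirect
        }
    }
}

// App_Start/FilterConfig.cs: one registration covers every controller instead of an attribute on each.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new DynamicAuthorizeAttribute());
    }
}
```

A delete action is declared as `[HttpPost, RequiresPermission(Permission.Delete)] public ActionResult Delete(int id)`, and the login and register actions keep `[AllowAnonymous]` so the global filter lets them through. Because the store is queried on every request, a permission removed in the database takes effect on the next request without waiting for the forms cookie to expire.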
User-733224187 posted
Hi Bruce, In this example do you have the AspNetUser table or can it be used with form authentication?
Wednesday, August 21, 2019 11:27 AM -
User475983607 posted
The table is irrelevant. As stated above, Forms Authentication does not cache claims or roles within the authentication cookie. You need to do a lookup, which has also been explained here and in your other similar thread.
Keep in mind the pattern in the previous thread can be easily achieved using Identity out-of-the-box.
Wednesday, August 21, 2019 2:05 PM