how to implement database record authorization with ldap in asp.net mvc

  • Question

  • User-875744750 posted

    hello

    I have a layered application for expense invoice management; the presentation layer is an ASP.NET MVC 4 project, and I want to apply LDAP authentication to that application.

    The user with the admin role can view/create/edit/delete all invoices.

    Every other user can only view/create/edit/delete the invoices that belong to their own structure or to the structures subordinate to it.

    How can I do this? Any ideas?

    Tuesday, July 16, 2019 9:35 PM

All replies

  • User1520731567 posted

    Hi bensam16,

    bensam16

    The user with the admin role can view/create/edit/delete all invoices.

    Every other user can only view/create/edit/delete the invoices that belong to their own structure or to the structures subordinate to it.

    According to your description, I refer to this article:

    To use this code, all you have to do is use your custom AuthorizeAttribute instead of the built-in one. Something like this:

    public class HomeController : Controller
    {
        [AuthorizeRole(Roles = "Admin")]
        public ActionResult Index()
        {
            // ...
            return View();
        }

        // Renamed from Index: two actions with the same name and signature
        // would not compile in one controller.
        [AuthorizeRole(Roles = "user")]
        public ActionResult UserIndex()
        {
            // ...
            return View();
        }

        // ...
    }

    custom AuthorizeAttribute:

    using System;
    using System.Diagnostics;
    using System.Web;
    using System.Web.Mvc;

    public class AuthorizeRoleAttribute : AuthorizeAttribute
    {
        private bool _authenticated;
        private bool _authorized;

        // Comma-separated list of AD group names. Hides the base Roles property so
        // that base.AuthorizeCore only performs the authentication check.
        public new string Roles { get; set; }

        // ...

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            base.HandleUnauthorizedRequest(filterContext);

            // Authenticated but not in any required group: send to the
            // "not authorized" page rather than the login page.
            if (_authenticated && !_authorized)
            {
                filterContext.Result = new RedirectResult("/error/notauthorized");
            }
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            _authenticated = base.AuthorizeCore(httpContext);
            if (_authenticated)
            {
                // No roles required: any authenticated user is authorized.
                if (string.IsNullOrEmpty(Roles))
                {
                    _authorized = true;
                    return _authorized;
                }

                var roles = Roles.Split(',');
                string username = httpContext.User.Identity.Name;
                try
                {
                    _authorized = LDAPHelper.UserIsMemberOfGroups(username, roles);
                    return _authorized;
                }
                catch (Exception ex)
                {
                    // The original used a logging extension (this.Log().Error(...));
                    // Trace is used here so the snippet compiles without it.
                    Trace.TraceError("Error attempting to authorize user: {0}", ex);
                    _authorized = false; // fail closed when the LDAP lookup fails
                    return _authorized;
                }
            }

            _authorized = false;
            return _authorized;
        }
    }

    and the helper class that performs the LDAP lookups:

    using System;
    using System.Configuration;
    using System.DirectoryServices.AccountManagement;
    using System.Web;

    public static class LDAPHelper
    {
        // Container (e.g. "DC=example,DC=com") taken from the path part of the LDAP URI.
        public static string GetLDAPContainer()
        {
            Uri ldapUri;
            if (!ParseLDAPConnectionString(out ldapUri))
            {
                throw new ConfigurationErrorsException("ADConnectionString is not a valid LDAP URI.");
            }

            return HttpUtility.UrlDecode(ldapUri.PathAndQuery.TrimStart('/'));
        }

        public static string GetLDAPHost()
        {
            Uri ldapUri;
            if (!ParseLDAPConnectionString(out ldapUri))
            {
                throw new ConfigurationErrorsException("ADConnectionString is not a valid LDAP URI.");
            }

            return ldapUri.Host;
        }

        // Reads the "ADConnectionString" entry from web.config, e.g. LDAP://host/DC=example,DC=com
        public static bool ParseLDAPConnectionString(out Uri ldapUri)
        {
            string connString = ConfigurationManager.ConnectionStrings["ADConnectionString"].ConnectionString;

            return Uri.TryCreate(connString, UriKind.Absolute, out ldapUri);
        }

        public static bool UserIsMemberOfGroups(string username, string[] roles)
        {
            // No role restriction given: authorize immediately.
            if (roles == null || roles.Length == 0)
            {
                return true;
            }

            // Verify that the user is in at least one of the given role groups.
            using (var context = BuildPrincipalContext())
            {
                var userPrincipal = UserPrincipal.FindByIdentity(context,
                    IdentityType.SamAccountName,
                    username);

                // Unknown account: deny rather than throw a NullReferenceException.
                if (userPrincipal == null)
                {
                    return false;
                }

                foreach (var role in roles)
                {
                    if (userPrincipal.IsMemberOf(context, IdentityType.Name, role))
                    {
                        return true;
                    }
                }
            }

            return false;
        }

        public static PrincipalContext BuildPrincipalContext()
        {
            string container = LDAPHelper.GetLDAPContainer();
            return new PrincipalContext(ContextType.Domain, null, container);
        }

        // ...
    }

    Best Regards.

    Yuki Tao

    Thursday, July 18, 2019 5:27 AM
  • User-875744750 posted

    Thank you. Again I ask: how do I authorize the authenticated user to view/create/edit/delete only the invoices that belong to their department or to the departments subordinate to it?

    Saturday, July 20, 2019 3:25 PM
  • User1520731567 posted

    Hi bensam16,

    Thank you. Again I ask: how do I authorize the authenticated user to view/create/edit/delete only the invoices that belong to their department or to the departments subordinate to it?

    This should be a one-to-many entity problem.

    Add the custom AuthorizeAttribute to your CRUD actions to authorize the authenticated user.

    Then, in the action, you need to get the specified field (e.g. get the data by the current id in the one-to-many entity),

    which filters out the other information.

    In addition, you could add a one-to-many relationship between the department and subordinate department models.

    Best Regards.

    Yuki Tao

    Monday, July 22, 2019 10:19 AM
  • User-875744750 posted

    hello again

    I want to know how to assign permissions for department data-row access to an AD group, so that when a user is authenticated, they can view only their department's invoices,

    and also CRUD only their department's invoices.

    Tuesday, July 23, 2019 9:57 AM
  • User1520731567 posted

    Hi bensam16,

    I want to know how to assign permissions for department data-row access to an AD group, so that when a user is authenticated, they can view only their department's invoices,

    and also CRUD only their department's invoices.

    I don't know your database design.

    If the user is authenticated, you could get their current id, then use a .Where() clause joining the Role and Group tables to filter the data.

    Best Regards.

    Yuki Tao

    Wednesday, July 24, 2019 6:40 AM
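    The two replies above (the one-to-many department filter, and the .Where() filter on the authenticated user's id) describe the idea but show no code. The following is an added example, not code from the thread or from either participant. It assumes a hypothetical model in which departments form a tree through a nullable ParentId, each invoice has a DepartmentId, and the caller already knows the current user's department id and whether the user is in the admin AD group (for instance via LDAPHelper.UserIsMemberOfGroups from the first reply). It computes the set of departments the user may see (their own plus all subordinate ones), applies that set as the .Where() filter for list pages, and re-checks the single record in Edit/Delete so that typing another invoice's id into the URL does not bypass the list filter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not code from the thread. Hypothetical model: departments form a
// tree via ParentId, and each invoice belongs to exactly one department.
public class Department
{
    public int Id { get; set; }
    public int? ParentId { get; set; }
    public string Name { get; set; }
}

public class Invoice
{
    public int Id { get; set; }
    public int DepartmentId { get; set; }
    public decimal Amount { get; set; }
}

public static class InvoiceAuthorization
{
    // The user's own department plus every department below it in the tree.
    // Breadth-first walk; the visited set also guards against accidental cycles.
    public static HashSet<int> AccessibleDepartments(IEnumerable<Department> departments, int userDepartmentId)
    {
        var childrenByParent = departments
            .Where(d => d.ParentId.HasValue)
            .GroupBy(d => d.ParentId.Value)
            .ToDictionary(g => g.Key, g => g.Select(d => d.Id).ToList());

        var allowed = new HashSet<int>();
        var queue = new Queue<int>();
        queue.Enqueue(userDepartmentId);
        while (queue.Count > 0)
        {
            int current = queue.Dequeue();
            if (!allowed.Add(current)) continue; // already visited
            List<int> children;
            if (childrenByParent.TryGetValue(current, out children))
            {
                foreach (int child in children) queue.Enqueue(child);
            }
        }
        return allowed;
    }

    // The .Where() filter for Index/list pages. Admins see everything; everyone
    // else sees only invoices whose department is in their allowed set.
    public static IQueryable<Invoice> VisibleInvoices(IQueryable<Invoice> invoices, bool isAdmin, HashSet<int> allowed)
    {
        if (isAdmin) return invoices;
        return invoices.Where(i => allowed.Contains(i.DepartmentId));
    }

    // Per-record check for Details/Edit/Delete, run before acting on one invoice.
    public static bool CanAccess(Invoice invoice, bool isAdmin, HashSet<int> allowed)
    {
        return isAdmin || allowed.Contains(invoice.DepartmentId);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: Finance > Accounting > Payables, plus a separate HR department.
        var departments = new List<Department>
        {
            new Department { Id = 1, ParentId = null, Name = "Finance" },
            new Department { Id = 2, ParentId = 1,    Name = "Accounting" },
            new Department { Id = 3, ParentId = 2,    Name = "Payables" },
            new Department { Id = 4, ParentId = null, Name = "HR" },
        };
        var invoices = new List<Invoice>
        {
            new Invoice { Id = 10, DepartmentId = 1, Amount = 500m },
            new Invoice { Id = 11, DepartmentId = 2, Amount = 120m },
            new Invoice { Id = 12, DepartmentId = 3, Amount = 75m },
            new Invoice { Id = 13, DepartmentId = 4, Amount = 300m },
        }.AsQueryable();

        // An Accounting user (department 2) who is not in the admin AD group.
        bool isAdmin = false;
        var allowed = InvoiceAuthorization.AccessibleDepartments(departments, 2);

        foreach (var inv in InvoiceAuthorization.VisibleInvoices(invoices, isAdmin, allowed))
        {
            Console.WriteLine("visible: invoice {0} (department {1})", inv.Id, inv.DepartmentId);
        }

        var financeInvoice = invoices.First(i => i.Id == 10);
        Console.WriteLine("can edit Finance invoice 10: {0}",
            InvoiceAuthorization.CanAccess(financeInvoice, isAdmin, allowed));
    }
}
```

    In a controller, isAdmin would come from the AD group check (e.g. LDAPHelper.UserIsMemberOfGroups(User.Identity.Name, new[] { "Admin" })) and the user's department id from whatever table maps AD accounts to departments. Both the GET and POST versions of Edit and Delete must call CanAccess on the loaded record and return HttpNotFound() (or a 403) when it fails; the list filter alone is not enough. With Entity Framework, a HashSet<int>.Contains inside .Where() translates to a SQL IN clause, so the filter runs in the database rather than in memory.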