
Upload: sonia-merchant

Post on 21-Jan-2017


Authorization in ASP.NET

Authorization is the process that decides what a user is able to do. Take, for example, user Adam, who is able to create a document library, add documents, and edit and delete them, while Bob might only be authorized to read the documents in a single library.

Authorization is orthogonal to, and independent of, authentication, which is the process of establishing who a user is. Authentication may create one or more identities for the current user.

Authorization Types

ASP.NET Core authorization offers simple declarative role-based checks and a richer policy-based model, in which authorization is expressed as requirements and handlers evaluate a user's claims against those requirements. Imperative checks can be based on simple policies, or on policies that evaluate both the user's identity and the properties of the resource the user is attempting to access.

Namespaces

Authorization components, including the AuthorizeAttribute and AllowAnonymousAttribute attributes, are found in the Microsoft.AspNetCore.Authorization namespace.

Simple Authorization

Authorization in MVC is controlled through the AuthorizeAttribute attribute and its parameters. At its simplest, applying the AuthorizeAttribute attribute to a controller or action limits access to that controller or action to authenticated users.

For example, the following code limits access to the AccountController to authenticated users.

[Authorize]
public class AccountController : Controller
{
    // Both actions require an authenticated user because the attribute is on the controller.
    public ActionResult Login()
    {
        return View();
    }

    public ActionResult Logout()
    {
        return View();
    }
}

If you want to apply authorization to an action rather than the whole controller, apply the AuthorizeAttribute attribute to the action itself:

public class AccountController : Controller
{
    // No attribute: Login is reachable by anonymous users.
    public ActionResult Login()
    {
        return View();
    }

    // Only Logout requires an authenticated user.
    [Authorize]
    public ActionResult Logout()
    {
        return View();
    }
}

Now only authenticated users can perform the logout.

You can also use the AllowAnonymousAttribute attribute to allow access by unauthenticated users to individual actions, e.g.

[Authorize]
public class AccountController : Controller
{
    // AllowAnonymous overrides the controller-level Authorize for this action only.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    public ActionResult Logout()
    {
        return View();
    }
}

This allows only authenticated users into the AccountController, except for the Login action, which can be accessed by everyone, regardless of whether they are authenticated or anonymous.

Role-based Authorization

When an identity is created, it may belong to one or more roles. For example, Tracy may belong to the Administrator and User roles, while Scott may only belong to the User role. How are these roles created and managed? That depends on the backing store of the authorization process.

Adding role checks

Role-based authorization checks are declarative. The developer embeds them in code, on a controller or an action, specifying the roles of which the current user must be a member in order to access the requested resource.

For example, the following code limits access to any action on the AdministrationController to users who are members of the Administrator group.

[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
}

You can specify multiple roles as a comma-separated list:

[Authorize(Roles = "HRManager,Finance")]
public class SalaryController : Controller
{
}

This controller can only be accessed by users who are members of the HRManager role or the Finance role.

If you apply multiple attributes, an accessing user must be a member of all the roles specified; the following sample requires that a user be a member of both the PowerUser and the ControlPanelUser role.

[Authorize(Roles = "PowerUser")]
[Authorize(Roles = "ControlPanelUser")]
public class ControlPanelController : Controller
{
}

You can further restrict access by applying additional role authorization attributes at the action level:

[Authorize(Roles = "Administrator, PowerUser")]
public class ControlPanelController : Controller
{
    // Reachable by Administrator or PowerUser members (controller-level check only).
    public ActionResult SetTime()
    {
        return View();
    }

    // The action-level attribute is combined with the controller-level one,
    // so a user must satisfy both: in practice, only Administrator members get in.
    [Authorize(Roles = "Administrator")]
    public ActionResult ShutDown()
    {
        return View();
    }
}

The ControlPanelController can be accessed by members of the Administrator role or the PowerUser role, but only members of the Administrator role can access the ShutDown action.

You can also lock down a controller but allow anonymous access to individual actions.

[Authorize]
public class ControlPanelController : Controller
{
    public ActionResult SetTime()
    {
        return View();
    }

    // Anonymous users can reach Login even though the controller requires authentication.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
}

Policy-based role checks

Role requirements can also be expressed using the newer Policy syntax, where a developer creates a policy at startup as part of the Authorization service configuration. This normally happens in ConfigureServices() in your Startup.cs file.

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
    });
}

Policies are applied using the Policy property on the AuthorizeAttribute attribute:

[Authorize(Policy = "RequireAdministratorRole")]
public IActionResult Shutdown()
{
    return View();
}

If you want to specify multiple allowed roles in a requirement, you can pass them as parameters to the RequireRole method:

options.AddPolicy("ElevatedRights", policy =>
    policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));

This example authorizes users who belong to the Administrator, PowerUser or BackupAdministrator role.
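The Authorization Types section above mentions that the policy-based model is built from requirements and handlers that evaluate a user's claims; the page only shows RequireRole. The following added example (not code from the original post) shows the full shape: a custom requirement, the handler that evaluates it, registration alongside a role check, and the attributes on a controller. The DepartmentRequirement and DepartmentHandler types, the "department" claim and the "FinanceManagers" policy name are all constructed for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
// Hypothetical requirement: the caller must carry a "department" claim with the expected value.
public class DepartmentRequirement : IAuthorizationRequirement
{
    public string Department { get; }
    public DepartmentRequirement(string department) => Department = department;
}

// Handler: inspects the user's claims and calls Succeed only on an exact match. Requirements are
// deny-by-default: if no handler calls Succeed, the request is forbidden (or challenged if anonymous).
public class DepartmentHandler : AuthorizationHandler<DepartmentRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, DepartmentRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "department" && c.Value == requirement.Department))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddAuthorization(options =>
        {
            // A policy is the AND of its requirements: one of these roles AND the department claim.
            options.AddPolicy("FinanceManagers", policy => policy
                .RequireRole("HRManager", "Finance")
                .AddRequirements(new DepartmentRequirement("Finance")));
        });
        // Handlers are resolved from DI; an unregistered handler leaves its requirement unmet (fail closed).
        services.AddSingleton<IAuthorizationHandler, DepartmentHandler>();
    }
}

[Authorize(Policy = "FinanceManagers")]
public class SalaryController : Controller
{
    public IActionResult Index() => View();
    // AllowAnonymous overrides every Authorize attribute on the controller: no policy runs for Help.
    [AllowAnonymous]
    public IActionResult Help() => View();
}
```

A user in the Finance role without the matching department claim is still refused, which is the point of combining a coarse role check with a finer claim-based requirement.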
