1 Replies - 5715 Views - Last Post: 06 May 2013 - 07:35 AM

#1 zauii

Trouble understanding [authorize] and assignment of roles mvc4

Posted 02 May 2013 - 03:31 PM

Hello,
So I have a few questions regarding the [Authorize] tag which I just can't find a clear answer on.
If I apply [Authorize] on a controller class without specifying roles or users, it's still accessible by everyone, correct? What if I wanted everyone to be denied unless authorized?

Another thought goes to how this [Authorize] ties in with database users.
I've created my own empty MVC4 project and am building my own login, hooked up to a database.
How on earth does the [Authorize] attribute help me? I mean, if I set that roles "admin", "test"
should have access to a certain controller, how do I give my users these roles so they can actually access it?

(I'm not talking about any Windows authentication or such, I'm talking about simple database users stored in a table with their details.)

In PHP this might translate to:
#1. User logs in with a form and you might do something like checking against the database to see if the details are valid.
#2. If OK, then give the user an access token valid for x amount of minutes before requiring a new one (i.e. put it in a session).
#3. Use this access token when doing stuff; as long as it's valid and there, the user is logged in, aka OK to perform certain tasks. (All depending on how controllers are designed.)

---
I just don't get how this translates in ASP.NET MVC.
My own conclusion would be to just do my own checks in the controllers against the database & sessions and see if users
are allowed to perform tasks rather than relying on [Authorize], which I barely know how to work with.


Replies To: Trouble understanding [authorize] and assignment of roles mvc4

#2 BattlFrog

Re: Trouble understanding [authorize] and assignment of roles mvc4

Posted 06 May 2013 - 07:35 AM

You have a few things in play here: a Role Provider, Membership Provider, Forms Authentication and AuthorizeAttribute. These are all built-in things that many people customize to their own needs.

The Membership providers control account creation, password management, log on/log off, etc.

Role Providers manage user roles.

Forms Authentication takes data from the providers (membership & role) and handles the internal web site security.

The Authorize attribute uses data from the role provider to specify to Forms Authentication which roles have access to the different parts of the site.

So when you decorate an action method like so:

[Authorize(Roles="Admin")]
public ActionResult SecretPage()
{
    return View();
}

the Authorize attribute asks Forms Auth to check whether the user attempting to access the page is part of the Admin role. If yes, it allows access; if no, it issues a 401 error.
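A minimal custom role provider for the setup discussed in this thread, added here as an example and not code from either poster. It assumes the login action has already verified the password and called FormsAuthentication.SetAuthCookie(userName, false), so the provider receives that same user name; UserRoleStore, DbRoleProvider and ReportsController are hypothetical names, and the in-memory rows stand in for the users table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical stand-in for a UserRoles table (constructed sample rows).
// In a real site RolesFor would run a parameterized query against the database.
public static class UserRoleStore
{
    static readonly Dictionary<string, string[]> Rows =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admin" } },
            { "bob",   new[] { "test" } }
        };

    public static string[] RolesFor(string userName)
    {
        string[] roles;
        return Rows.TryGetValue(userName ?? "", out roles) ? roles : new string[0];
    }
}

// Enabled in web.config: <roleManager enabled="true" defaultProvider="DbRoleProvider">
//   <providers><add name="DbRoleProvider" type="DbRoleProvider" /></providers></roleManager>
public class DbRoleProvider : RoleProvider
{
    public override string ApplicationName { get; set; }
    public override string[] GetRolesForUser(string userName) { return UserRoleStore.RolesFor(userName); }
    public override bool IsUserInRole(string userName, string role)
    { return UserRoleStore.RolesFor(userName).Contains(role, StringComparer.OrdinalIgnoreCase); }

    // Roles are administered directly in the table, so the management calls are unsupported.
    public override void AddUsersToRoles(string[] users, string[] roles) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] users, string[] roles) { throw new NotSupportedException(); }
    public override void CreateRole(string role) { throw new NotSupportedException(); }
    public override bool DeleteRole(string role, bool throwOnPopulated) { throw new NotSupportedException(); }
    public override bool RoleExists(string role) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string role) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string role, string match) { throw new NotSupportedException(); }
}

[Authorize] // class level: every action requires a logged-in (authenticated) user
public class ReportsController : Controller
{
    public ActionResult Index() { return View(); }

    [Authorize(Roles = "Admin,test")] // additionally requires one of these roles
    public ActionResult SecretPage() { return View(); }
}
```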