MVC- Authentication/Authorization

Hello again! Today, I came with authentication and authorization in MVC.

Authentication and Authorization are common term in development cycle.
Authentication:It is a process to identify the user. System will check for user is valid or not base on user credentialed.

Authorization: It is a process to check what rights and roles of valid user for access system resources. System will check user rights and roles and decide what resources are accessible by user.

Type of authentication

1.Forms:It is custom authentication type. We can use our custom code for that auth. We can use membership provide for authentication. You can check my previous post LINK about custom membership provider in MVC for more details. We need to set In web.config file.

2.Windows:In this web pages will use local windows users and groups to authenticate and authorize resources. We set windows authentication by set In web.config file.

3.Passport:Passport authentication is based on the passport website provided by the Microsoft .So when user logins with credentials it will be reached to the passport website where authentication will happen. If Authentication is successful it will return a token to your website.

4.Anonymous Access:If there is none of above authentication then you will be anonymous access.

After authentication using authorization system will check and verify user has what rights and roles to access system.

In MVC we can verify user by Authorize attribute. We can set Authorize attribute on action method or controller for verify user.

            //
            // GET: /Index/
            [Authorize]
            public ActionResult Index()
            {
                return View();
            }
        

Above code will check for validate user before access Index action method.

            [Authorize]
            public class IndexController : Controller
            {
                //
                // GET: /Index/
                public ActionResult Index()
                {
                    return View();
                }

            }
        

For apply authorization to all action method in controller we can use above code block. We can set Authorize attribute on controller. It will validate user before access any action methods in particular controller.

For check user roles we can use same attribute and add roles in attribute in constructor of attribute. See following code.

            For Controller:

            [Authorize(Roles="Administrator, User")]
            public class IndexController : Controller
            {
                //
                // GET: /Index/

                public ActionResult Index()
                {
                    return View();
                }

            }

            For Action Method:

            //
            // GET: /Index/
            [Authorize(Roles = "Administrator, User")]
            public ActionResult Index()
            {
                return View();
            }

            [Authorize(Roles = "User")]
            public ActionResult User()
            {
                return View();
            }

        

In above code block user can access code base on assigned roles.

That all above code will check users and roles using default Membership Provider and Role Provider.

We can customize that authorize attribute to make custom code for validate user and set initialize all data at validation time.

MVC provide OnAuthorization override method, We can override this method and add our custom code on that override method.

For create custom authorize attribute create one class and inherit that class from AuthorizeAttribute class and override OnAuthorization method and add custom code.

See code:

            public class CustomAuth : AuthorizeAttribute
            {
                 public override void OnAuthorization(
                            AuthorizationContext filterContext)
                   {
                    base.OnAuthorization(filterContext);
                    if (filterContext.RequestContext.
                            HttpContext.User.Identity.IsAuthenticated)
                    {
                        //TODO: Add code for validate user
                    }
          }
      }


            For use this atherization code see below code block.


            [CustomAuth]
            public ActionResult Index1()
            {
                return View();
            }

        

That’s all for authorization and authentication in MVC.

See the final code more improve and flexible for authorization and authentication.

            public class CustomAuth : AuthorizeAttribute
            {
                public string[] _roles;
                public CustomAuth()
                {
                    _roles = new string[] { "Administrator" };
                }

                public CustomAuth(string[] roles)
                {
                    _roles = roles;
                }

                public override void OnAuthorization(
                        AuthorizationContext filterContext)
                {
                    base.OnAuthorization(filterContext);
                    if (filterContext.RequestContext.
                            HttpContext.User.Identity.IsAuthenticated)
                    {
                        //TODO: Add code for validate user
                        //TODO: Check Roles
                    }
                }
            }



            [CustomAuth(new [] { "Administrator", "User" })]
            public ActionResult Index2()
            {
                return View();
            }

        

I hope its help!

Feel free to add comments!