Finding an authorization framework to be used on an ASP.NET MVC project

I have an ASP.NET MVC project, and persistence is handled by repositories. Forms authentication is used. Now I need to implement authorization. For example, I need to ensure a manager user can only open his/her tasks and assign workers to the tasks. A worker will only see tasks that have been assigned to him/her. A super-moderator can edit everything. Is there any ready-to-use framework that allows me to define permissions?

I am in the process of evaluating Ayende's Rhino Security. Where can I get more example code? What is your opinion on Rhino Security?
My project uses LINQ to SQL and has not made use of NHibernate. Can Rhino Security work without NHibernate?

There are 3 answers

5
LeftyX On BEST ANSWER

I am afraid Rhino Security depends on NHibernate to work.
I have been evaluating Rhino Security for a couple of months and, in the end, I've decided to use it because it's a really, really good product.
You can find good and useful information on Ayende's blog or here. I have struggled a bit to integrate it with StructureMap (instead of Castle Windsor). You can find some info here.
To do what you're trying to achieve you have to define a class which implements the IEntityInformationExtractor interface.

First of all you have to add references (I've recompiled Rhino Security with NH 3.0) to the following:

  • Microsoft.Practices.ServiceLocation
  • NHibernate
  • NHibernate.ByteCode.Castle
  • StructureMap
  • Rhino.Security
  • StructureMapAdapter

Then you define a bootstrapper:

public static class Bootstrapper
{
    public static void Initialize()
    {
        ObjectFactory.Initialize(cfg =>
        {
            cfg.UseDefaultStructureMapConfigFile = false;
            cfg.IgnoreStructureMapConfig = true;
            cfg.AddRegistry<StructureMapRegistry>();
        });
        ServiceLocator.SetLocatorProvider(() => new StructureMapServiceLocator(ObjectFactory.Container));
    }
}

Then you define the StructureMap registry class:

public class StructureMapRegistry : Registry
{
    public StructureMapRegistry()
    {
        string ConnDb = "Data Source=(local); Initial Catalog=RhinoSecurity_Test; Trusted_Connection=true;";

        // One session factory for the whole application.
        For<ISessionFactory>()
            .Singleton()
            .TheDefault.Is.ConstructedBy(() => new NHSessionFactory(ConnDb, false).SessionFactory);
        // NOTE: an NHibernate ISession is not thread-safe, and a Singleton
        // session is shared by every request. In a web application, scope
        // the session per request instead.
        For<ISession>()
            .Singleton()
            .TheDefault.Is.ConstructedBy(x => x.GetInstance<ISessionFactory>().OpenSession());
        // Rhino Security services.
        For<IAuthorizationRepository>()
            .Use<AuthorizationRepository>();
        For<IPermissionsService>()
            .Use<PermissionsService>();
        For<IAuthorizationService>()
            .Use<AuthorizationService>();
        For<IPermissionsBuilderService>()
            .Use<PermissionsBuilderService>();
        // Tells Rhino Security how to find the security key of a Task entity.
        For<IEntityInformationExtractor<Model.Task>>()
            .Use(p =>
            {
                return (new TaskInfromationExtractor(p.GetInstance<ISession>()));
            });
    }
}

NHSessionFactory basically creates an NH session factory.

I've created a class (TaskInfromationExtractor) which implements IEntityInformationExtractor. This will allow you to define permissions for the task entity. Now your app is ready. You just have to "bootstrap" StructureMap:

  • Bootstrapper.Initialize();

You would do this when your app starts up. Now you can use the Rhino Security repository and services to create users, groups, relations, etc., as the links I've given you suggest. You can find a sample I've prepared here.

1
Andrew Orsich On

I think ASP.NET MVC attributes will be good for such a task.

First you need to create a list of roles and somehow associate it with the user. Then you need to store the user's roles in Session after login. Then mark controllers or actions with this attribute. In the attribute you should pass the roles that are needed to perform the action. In the attribute implementation you just need to check whether the user has some role; if so, there is nothing to do, otherwise redirect to the not-authorized page. Or throw a custom exception and redirect in global.asax.

Maybe check this article for a code example.
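The attribute approach described in the answer above, as an added example (not code from the answer or its linked article): a role attribute that reads the roles stored in Session, together with the per-task ownership check from the question, which a role attribute alone cannot express. The `UserRoles` session key, the `Task` and `ITaskRepository` types and the `Error/NotAuthorized` route are assumptions, and the code targets ASP.NET MVC 3 or later.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
// Hypothetical model and repository, standing in for the project's own types.
public class Task { public int Id { get; set; } public string ManagerName { get; set; } }
public interface ITaskRepository { Task GetById(int id); }

public class RequireRoleAttribute : AuthorizeAttribute
{
    public const string SessionKey = "UserRoles"; // assumed: a string[] stored at login
    private readonly string[] _required;
    public RequireRoleAttribute(params string[] roles) { _required = roles ?? new string[0]; }
    public static bool HasRole(HttpContextBase ctx, params string[] roles)
    {
        // Fail closed: no session or no role list means no access.
        var held = ctx.Session == null ? null : ctx.Session[SessionKey] as string[];
        return held != null && roles.Any(r => held.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return httpContext.User.Identity.IsAuthenticated && HasRole(httpContext, _required);
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            base.HandleUnauthorizedRequest(filterContext); // anonymous: 401, forms auth sends to login
        else // signed in but lacking the role: go to the "not authorized" page
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Error", action = "NotAuthorized" }));
    }
}

public class TasksController : Controller
{
    private readonly ITaskRepository _tasks;
    public TasksController(ITaskRepository tasks) { _tasks = tasks; }

    [RequireRole("Manager", "SuperModerator")]
    public ActionResult Edit(int id)
    {
        var task = _tasks.GetById(id);
        if (task == null) return HttpNotFound();
        // The role check alone does not stop a manager opening another manager's task.
        bool isSuper = RequireRoleAttribute.HasRole(HttpContext, "SuperModerator");
        if (!isSuper && !string.Equals(task.ManagerName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403);
        return View(task);
    }
}
```

The ownership comparison runs on the server against the loaded record, so changing the `id` in the URL cannot reach a task the signed-in manager does not own.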

0
naiem On

Check out this one also. It is easy to use.

http://code.google.com/p/saf-framework/