Claims-based authorization with ASP.NET MVC 4


I have been reading a lot of blog posts and Stack Overflow answers, but I am still unable to find a real-world open source project that uses claims-based authentication and authorization, so that I can get an idea of how to actually implement them.

So far what I could find is Thinktecture.IdentityModel, and this blog implements claims-based authorization on a sample website. If you could point me to some open source projects using claims, that would be really helpful.

What I am interested in is how to retrieve claims for my application from the database.

So far, what I have tried is using an in-memory claims store to simulate the database. I have created a CustomClaimsTransformer and a CustomAuthorisationManager like this.

using System.Linq;
using System.Security.Claims;

public class CustomClaimsTransformer : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests carry no name claim; hand them back untouched instead of
        // looking up an empty user name in the store.
        if (incomingPrincipal.Identity == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        // Validate the name claim, then rebuild the principal from the store.
        string nameClaimValue = incomingPrincipal.Identity.Name;

        return CreatePrincipal(nameClaimValue);
    }

    private ClaimsPrincipal CreatePrincipal(string userName)
    {
        // ClaimStore is the in-memory stand-in for the database described above:
        // Users maps user id -> user name, ClaimsSet maps user id -> Claim.
        int userId = ClaimStore.Users.First(u => u.Value == userName).Key;
        var claims = ClaimStore.ClaimsSet.Where(c => c.Key == userId);

        var claimsCollection = claims.Select(kp => kp.Value).ToList();

        // "Custom" is the authentication type; any non-empty value makes IsAuthenticated true.
        return new ClaimsPrincipal(new ClaimsIdentity(claimsCollection, "Custom"));
    }
}

using System.Linq;
using System.Security.Claims;

public class CustomAuthorisationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and Action are claim collections; this code assumes exactly one of each.
        string resource = context.Resource.First().Value;
        string action = context.Action.First().Value;

        if (action == "Show" && resource == "Code")
        {
            // ClaimStore._httpMyclaimsUsers / _httpMyclaimsDepartments are the claim type
            // URIs defined by the in-memory store.
            bool likesJava = context.Principal.HasClaim(ClaimStore._httpMyclaimsUsers, "True");
            return likesJava;
        }
        else if (action == "Read" && resource == "Departments")
        {
            bool readDeps = context.Principal.HasClaim(ClaimStore._httpMyclaimsDepartments, "Read");
            return readDeps;
        }

        // Any resource/action pair not listed above is denied.
        return false;
    }
}

How to implement these in a real world scenario without having too many IF conditions?


#1

Try the following link; it seems like a decent solution:

http://developers.axiomatics.com/blog/index/entry/custom-claims-based-authorization-in-net-using-axiomatics-pep-sdk-for-net.html

Also, you can define your policy and load it:

http://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthorizationmanager.loadcustomconfiguration.aspx

How to: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS
http://msdn.microsoft.com/en-us/library/gg185907.aspx
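The question's if/else chain and the LoadCustomConfiguration link above point at the same fix: keep the policy as data and make CheckAccess a lookup. The following is an added example, not code from the question or from the linked pages. The `<policy>`/`<claim>` element names and the `http://example.org/...` claim type URIs are this example's own convention, and the dictionary stands in for whatever table you load at startup; the same manager accepts rows from a database through `Add` and rows from web.config through `LoadCustomConfiguration`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml;

// One policy row: to perform Action on Resource the caller must hold every
// claim in Required. Rows come from a database table at startup or from
// <policy> elements under <claimsAuthorizationManager> in web.config.
public sealed class PolicyRow
{
    public string Resource;
    public string Action;
    public List<Claim> Required = new List<Claim>();
}

public sealed class PolicyDrivenAuthorizationManager : ClaimsAuthorizationManager
{
    // Ordinal keys: "Code" and "code" are different resources on purpose.
    private readonly Dictionary<string, PolicyRow> _rows =
        new Dictionary<string, PolicyRow>(StringComparer.Ordinal);

    private static string KeyOf(string resource, string action)
    {
        return resource + "\n" + action;
    }

    // Database path: call once at startup for each row of your policy table.
    public void Add(PolicyRow row)
    {
        _rows[KeyOf(row.Resource, row.Action)] = row;
    }

    // web.config path: WIF passes the child elements of
    // <claimsAuthorizationManager type="..."> to this override. Expected shape
    // (this example's own element names):
    //   <policy resource="Departments" action="Read">
    //     <claim type="http://example.org/claims/departments" value="Read" /></policy>
    public override void LoadCustomConfiguration(XmlNodeList nodelist)
    {
        foreach (XmlNode node in nodelist)
        {
            if (node.NodeType != XmlNodeType.Element || node.Name != "policy")
                continue;
            var row = new PolicyRow();
            row.Resource = node.Attributes["resource"].Value;
            row.Action = node.Attributes["action"].Value;
            foreach (XmlNode c in node.ChildNodes)
            {
                if (c.NodeType == XmlNodeType.Element && c.Name == "claim")
                    row.Required.Add(new Claim(c.Attributes["type"].Value, c.Attributes["value"].Value));
            }
            Add(row);
        }
    }

    // One lookup per resource/action pair instead of an if/else chain.
    // A pair with no row is unknown and is therefore denied.
    public override bool CheckAccess(AuthorizationContext context)
    {
        foreach (var resource in context.Resource)
        {
            foreach (var action in context.Action)
            {
                PolicyRow row;
                if (!_rows.TryGetValue(KeyOf(resource.Value, action.Value), out row))
                    return false;
                if (!row.Required.All(c => context.Principal.HasClaim(c.Type, c.Value)))
                    return false;
            }
        }
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed policy fragment in the shape LoadCustomConfiguration expects.
        var doc = new XmlDocument();
        doc.LoadXml("<root>" +
            "<policy resource=\"Departments\" action=\"Read\">" +
            "<claim type=\"http://example.org/claims/departments\" value=\"Read\"/></policy>" +
            "<policy resource=\"Code\" action=\"Show\">" +
            "<claim type=\"http://example.org/claims/code\" value=\"Show\"/></policy></root>");
        var manager = new PolicyDrivenAuthorizationManager();
        manager.LoadCustomConfiguration(doc.DocumentElement.ChildNodes);

        // Constructed user: holds the Departments/Read claim only.
        var alice = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim("http://example.org/claims/departments", "Read"),
        }, "Custom"));
        foreach (var pair in new[] { "Departments/Read", "Code/Show", "Hotels/Update" })
        {
            var p = pair.Split('/');
            bool ok = manager.CheckAccess(new AuthorizationContext(alice, p[0], p[1]));
            Console.WriteLine("{0}: {1}", pair, ok ? "allowed" : "denied");
        }
    }
}
```

To wire it into WIF, register the type under `<system.identityModel><identityConfiguration><claimsAuthorizationManager type="YourNamespace.PolicyDrivenAuthorizationManager, YourAssembly">` and put the `<policy>` elements inside that element; `ClaimsPrincipalPermission.CheckAccess("Departments", "Read")` (or the `[ClaimsPrincipalPermission]` attribute) then routes through `CheckAccess`. Two details worth keeping: every unknown pair returns false, so a newly added controller is closed until someone adds a row, and the row is keyed on the exact resource and action strings, so the caller, not the policy, has to normalize casing.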


#2

I finally managed to design my own system with the required functionality using the existing ASP.NET Identity 2.0 tables plus a few of my own.

I'm going to call every AREA-CONTROLLER-ACTION trio a resource in my system, Web API included. An area itself is a resource. A controller itself is a resource. An action itself is a resource. Any combination of them is also a resource. I'll auto-generate everything from the system itself using reflection.

Also, I'm going to use the same AspNetRoles table to store my user groups. Users belong to one or more groups (Super Admin, Admin, Agent, Client etc.).

Using the existing role-based model as a user-group-based model with claims, I could get it working. Super admins are in god mode. They can create lower-level users/groups, assign permissions etc.

Users can have special permissions. For example, everyone in the Agent group is denied access to updating a hotel, but a special agent who might also be the owner of a hotel can be given specific access to updating only their hotel.

Since the entire access control system runs on MVC area-controller-action sets, initially no one has access (including super admins), and we gradually define which parts the groups/users have access to. We give super admins and admins exclusive access through a claim. Access to everywhere is denied by default.

Once I auto-generated the AREA-CONTROLLER-ACTION sets, I let the user select which group has access to which item.

When the user logs in, I get all the resources the current user has access to and store them as claims. Based on that, using a claims auth manager, when a user requests access to some resource, I can check their claims and decide whether they should be given access.

// Wrapped in a method so it compiles on its own: "req" is the requested route path
// and "permissionClaims" are the resource claims issued at login. Each claim value
// is "httpMethod|action|api", split on '|'. Log is the answerer's logger.
private bool HasAccess(string req, IEnumerable<Claim> permissionClaims)
{
    foreach (var claim in permissionClaims)
    {
        var parts = claim.Value.Split(new[] { '|' }, StringSplitOptions.None);
        if (parts.Length != 3)
            continue;

        //var httpMethod = parts[0];
        var action = parts[1];
        var api = parts[2];
        //Current.Log.Warn("Checking Access : " + req + " [action: " + action + "]");

        // Is this claim for a Web API action?
        if (api.Contains("API"))
        {
            // If so, req must also be for a Web API action. Contains is a substring
            // test: any requested path that appears inside the claim's action path matches.
            if (req.Contains("Api") && action.Contains(req))
            {
                Log.Trace("User has access to API : " + req + " [action: " + action + "]");
                return true;
            }
        }
        else
        {
            // This claim is for an MVC action.
            if (action.Contains(req))
            {
                Log.Trace("User has access to MVC : " + req + " [action: " + action + "]");
                return true;
            }
        }
    }

    // No claim matched: deny by default.
    return false;
}

I have explained the approach in detail here: ASP.NET MVC Fine Grained Identity & Access Control.
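The same area/controller/action scheme as an added example, not the answerer's code. It assumes ASP.NET MVC 4 or later (System.Web.Mvc), the standard `Areas.<Name>` namespace convention for area controllers, and a claim type URI (`http://example.org/claims/resource`) chosen for the example. It differs from the fragment above in two ways a reviewer would ask for: the resource key is compared exactly rather than with Contains, so a grant on one action cannot satisfy a request whose path merely appears inside it, and the filter is meant to be registered globally, so an action nobody granted is denied rather than silently reachable.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// One claim per permitted Area/Controller/Action triple. The claim type is
// a hypothetical URI for this example.
public static class ResourceClaims
{
    public const string Type = "http://example.org/claims/resource";

    // Canonical key "area/controller/action", lower-cased so that route
    // casing ("hotels" vs "Hotels") cannot produce a second, unmatched key.
    public static string Key(string area, string controller, string action)
    {
        return string.Join("/", new[] { area ?? "", controller, action }).ToLowerInvariant();
    }

    // Catalog of every resource in the site, built by reflection over the MVC
    // controllers. Area comes from the "Areas.<Name>" namespace segment
    // (assumption: the default area layout). Only ActionResult-returning
    // methods are listed; extend for Task<ActionResult> if you use async actions,
    // and use the [ActionName] value instead of m.Name if you rely on it.
    public static IEnumerable<string> Catalog(Assembly assembly)
    {
        var controllers = assembly.GetTypes().Where(t =>
            t.IsPublic && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t) &&
            t.Name.EndsWith("Controller", StringComparison.Ordinal));
        foreach (var type in controllers)
        {
            string ns = type.Namespace ?? "";
            int i = ns.IndexOf(".Areas.", StringComparison.Ordinal);
            string area = i < 0 ? "" : ns.Substring(i + ".Areas.".Length).Split('.')[0];
            string controller = type.Name.Substring(0, type.Name.Length - "Controller".Length);
            var actions = type.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType) &&
                            !m.IsDefined(typeof(NonActionAttribute), true));
            foreach (var m in actions)
                yield return Key(area, controller, m.Name);
        }
    }

    // Called once at login with the keys granted to the user's groups plus any
    // per-user overrides, as read from the permission tables.
    public static IEnumerable<Claim> Issue(IEnumerable<string> grantedKeys)
    {
        return grantedKeys.Select(k => k.ToLowerInvariant())
                          .Distinct(StringComparer.Ordinal)
                          .Select(k => new Claim(Type, k));
    }

    // Exact match, not Contains(): a grant on "hotels/update" must not satisfy
    // "hotels/updateall", and "admin/hotels/update" must not satisfy "/hotels/update".
    public static bool HasAccess(ClaimsPrincipal principal, string area, string controller, string action)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        return principal.HasClaim(Type, Key(area, controller, action));
    }
}

// Deny-by-default filter. Register it globally
// (GlobalFilters.Filters.Add(new ResourceAuthorizeAttribute())) so an action
// nobody granted is denied rather than open; opt out per action with [AllowAnonymous].
public sealed class ResourceAuthorizeAttribute : AuthorizeAttribute
{
    // Overriding AuthorizeCore rather than OnAuthorization keeps the base
    // class's [AllowAnonymous] and output-cache handling intact.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var route = httpContext.Request.RequestContext.RouteData;
        string area = route.DataTokens["area"] as string;
        string controller = route.GetRequiredString("controller");
        string action = route.GetRequiredString("action");
        return ResourceClaims.HasAccess(httpContext.User as ClaimsPrincipal, area, controller, action);
    }
}
```

`Catalog` is what you run at build or startup to populate the resource table the administrators assign groups to; `Issue` is what you call when building the user's identity at login, and the filter is the only place the check happens. Web API controllers do not pass through the MVC filter pipeline, so they need a separate `System.Web.Http.AuthorizeAttribute` subclass doing the same `HasAccess` lookup.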


#3

How did you end up doing it? Can you please provide an answer?

#4

Thank you for these valuable resources. I have looked into each, and the Axiomatics SDK sounds promising, but I don't use it. Looks like I will have to go with a custom implementation with policies defined in the web.config or the database. I just don't understand how to evaluate rules.

#5

(Disclaimer: I work for Axiomatics.) Going for a custom implementation is never a good way to go. There are plenty of frameworks out there that cater to a range of authorization needs, from simple to complex. Microsoft even has built-in claims-based authZ. Implementing your own is definitely not the way to go.

#6

Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.