Whittling away on security.

It’s here I must acknowledge my debt to this post. Great writing and excellent code, I’m in awe. What I’m doing below is just tinkering with this example really.

The authentication model that comes out of the box with ASP.NET works great – if you’re creating a standard external website. But what if you want a more locked-down model, where every account has to be created and authorized by a gatekeeper (an Admin)?

Note, the forms out of the box – Register, Manage, Login, Logoff – are all focused on self registration. We want a very limited set of behavior:

  • Allow an admin to view a list of user accounts
  • Allow an admin to create a new user
  • Allow an admin to edit user details
  • Allow the deletion of users
  • Assign roles to a user
  • Login and logoff behavior.

Here are the steps I followed to do this in my application:

  1. Strip AccountController down to the bare bones. (And don’t forget to right-click and Remove and Sort Usings.)
  2. Clean up – remove _RemoteAccountPartial, _External*.cshtml views.
  3. Go into Login and Manage and remove references to ExternalLogin in the lower <div> sections.
  4. In Models\AccountViewModels – remove the ExternalLoginConfirmationViewModel. We won’t be using this!
  5. In IdentityModels.cs – add a FirstName, LastName, Email properties, and add methods in a new IdentityManager class (see Appendix)
  6. Modify the AccountViewModels class, heavily. Again, copy and paste code from the Appendix
  7. Heavy changes to AccountController class. We’re going to change the behavior of Register, and add an Index, Edit, Delete, and UserRoles paired set of methods.
  8. Copy over Register.html from Appendix.
  9. Right-click the Edit method in the AccountController, and select Add View.
    1. Edit view name
    2. Edit template
    3. Model – EditUserViewModel (leave the data context blank)
  10. Repeat above for Delete and Index. (For Index use the List default template)
  11. Replace the code in Index.cshtml
  12. Right-click the UserRoles method of AccountController, and select Add View.
    1. Empty template
    2. SelectUserRolesViewModel
  13. Create a new folder called Views\Shared\EditorTemplates. Right-click on it and select Add View. Call it SelectRoleEditorViewModel (an editor template is found by the name of the model type it edits).
    1. Select Empty
    2. SelectRoleEditorViewModel
  14. Modify the _Layout.cshtml shared view and add a new link to Admin: remove the navbar-collapse <div> and replace it.
  15. Remove the Register action link from LoginPartial
  16. Open up Package Manager Console, and enable EF migration with this command: Enable-Migrations -EnableAutomaticMigrations

  17. Open up Migrations => Configuration.cs and add seed data. See the Migration.cs class in the sample.
  18. Back in Package Manager Console, run the following two commands in order:
    1. Add-Migration Init
    2. Update-Database -Verbose

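As an added example of where steps 7 through 12 end up (this is not the code from the post or its Appendix), here is an AccountController reduced to the gatekeeper-only behaviour listed above, written against the ASP.NET Identity 1.x API. It assumes the ApplicationUser and ApplicationDbContext types from IdentityModels.cs, with the FirstName, LastName and Email properties added in step 5, a RegisterViewModel carrying those fields plus UserName and Password (step 6), and the three role names the post seeds.

```csharp
using System.Linq;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Assumed: ApplicationUser / ApplicationDbContext from IdentityModels.cs (with FirstName,
// LastName, Email added) and a RegisterViewModel with UserName, Password, FirstName, LastName, Email.
[Authorize(Roles = "Admin")]   // class-level: no action here is reachable without the Admin role
public class AccountController : Controller
{
    private readonly ApplicationDbContext _db = new ApplicationDbContext();
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly RoleManager<IdentityRole> _roleManager;

    public AccountController()
    {
        _userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(_db));
        _roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(_db));
    }

    // GET /Account: the admin's list of every user account
    public ActionResult Index()
    {
        return View(_db.Users.OrderBy(u => u.UserName).ToList());
    }

    // GET /Account/Register: only the admin creates accounts; there is no self-service path
    public ActionResult Register()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = new ApplicationUser
        {
            UserName = model.UserName,
            FirstName = model.FirstName,
            LastName = model.LastName,
            Email = model.Email
        };
        var result = await _userManager.CreateAsync(user, model.Password);
        if (result.Succeeded)
        {
            // New accounts start in the least-privileged role; the admin promotes them later
            await _userManager.AddToRoleAsync(user.Id, "User");
            return RedirectToAction("Index");
        }
        foreach (var error in result.Errors) ModelState.AddModelError("", error);
        return View(model);
    }

    // POST /Account/Delete/{id}: remove through the context (Identity 1.x UserManager has no DeleteAsync)
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> DeleteConfirmed(string id)
    {
        var user = await _userManager.FindByIdAsync(id);
        if (user == null) return HttpNotFound();
        if (user.UserName == User.Identity.Name)
        {
            // Refuse to let the gatekeeper delete the account they are logged in with
            ModelState.AddModelError("", "You cannot delete your own account.");
            return View(user);
        }
        _db.Users.Remove(user);
        await _db.SaveChangesAsync();
        return RedirectToAction("Index");
    }

    // POST /Account/UserRoles/{id}: replace the user's roles with the admin's selection
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> UserRoles(string id, string[] selectedRoles)
    {
        var user = await _userManager.FindByIdAsync(id);
        if (user == null) return HttpNotFound();

        // Only roles that exist in AspNetRoles may be assigned, whatever the form posted
        var validRoles = _roleManager.Roles.Select(r => r.Name).ToList();
        var wanted = (selectedRoles ?? new string[0]).Where(validRoles.Contains).ToList();

        foreach (var role in await _userManager.GetRolesAsync(user.Id))
            if (!wanted.Contains(role)) await _userManager.RemoveFromRoleAsync(user.Id, role);
        foreach (var role in wanted)
            if (!await _userManager.IsInRoleAsync(user.Id, role)) await _userManager.AddToRoleAsync(user.Id, role);

        return RedirectToAction("Index");
    }
}
```

Putting [Authorize(Roles = "Admin")] on the class rather than on each action means a newly added action is locked down by default; the Login and LogOff actions that the post keeps in this controller then need [AllowAnonymous] (Login) or plain [Authorize] (LogOff) on the action to override it. The UserRoles action filters the posted role names against the roles that actually exist, so a tampered form cannot grant a role the admin never defined.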
Note in the AspNetUsers table – I can see the dharrison row as our chosen admin.

We have three roles available to us:

UserRoles contains links to each of these:

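How the dharrison row and the three roles get into those tables is the seed data from step 17. The post's own Migration.cs is not reproduced here; the following is an added example of a Migrations\Configuration.cs Seed method written against the Identity 1.x synchronous extension methods. The namespace, e-mail address and first/last names are constructed placeholders, and the initial password is a placeholder to be supplied from outside source control.

```csharp
using System;
using System.Data.Entity.Migrations;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

namespace GatekeeperDemo.Migrations   // hypothetical namespace; use your project's own
{
    internal sealed class Configuration : DbMigrationsConfiguration<ApplicationDbContext>
    {
        public Configuration()
        {
            // This is what Enable-Migrations -EnableAutomaticMigrations generated
            AutomaticMigrationsEnabled = true;
        }

        protected override void Seed(ApplicationDbContext context)
        {
            var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(context));
            var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(context));

            // The three roles the post uses. Seed runs on every Update-Database, so check before creating.
            foreach (var roleName in new[] { "Admin", "CanEdit", "User" })
            {
                if (!roleManager.RoleExists(roleName))
                    roleManager.Create(new IdentityRole(roleName));
            }

            // One bootstrap admin, so there is at least one gatekeeper able to create everyone else.
            var admin = userManager.FindByName("dharrison");
            if (admin == null)
            {
                admin = new ApplicationUser
                {
                    UserName = "dharrison",
                    FirstName = "First",              // constructed placeholder
                    LastName = "Last",                // constructed placeholder
                    Email = "admin@example.com"       // constructed placeholder
                };
                // Placeholder only: supply the real value from outside source control and change it at first login.
                var result = userManager.Create(admin, "ChangeMe!Initial1");
                if (!result.Succeeded)
                    throw new InvalidOperationException(string.Join("; ", result.Errors));
            }

            if (!userManager.IsInRole(admin.Id, "Admin"))
                userManager.AddToRole(admin.Id, "Admin");
        }
    }
}
```

Every step is guarded by an existence check because EF calls Seed after each Update-Database, not just the first one; without the checks a second run would fail on the duplicate role or user.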
Now you can control access in the Controller part of MVC by using attributes like:

    [AllowAnonymous]

    [Authorize(Roles = "x")]

For example, see my HomeController class below. This leaves Index wide open, but the About and Contact screens are locked down to users holding one of the three roles.

    using System.Web.Mvc;

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        // see the fanciness below. We're screening off all but authorized users from the About and Contact pages.
        [Authorize(Roles = "Admin, CanEdit, User")]
        public ActionResult About()
        {
            ViewBag.Message = "Your application description page.";

            return View();
        }

        [Authorize(Roles = "Admin, CanEdit, User")]
        public ActionResult Contact()
        {
            ViewBag.Message = "Your contact page.";

            return View();
        }
    }


In the web.config I set up access so the root folder is pretty much wide open, but the Forms subfolder is locked down:

    <location path="Forms">
        <system.web>
            <authorization>
                <allow roles="Admin, CanEdit, User"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>

    <system.web>
        <authorization>
            <allow roles="Admin, CanEdit, User"/>
        </authorization>
    </system.web>

One caveat: a <location> rule is matched against the request URL, so with MVC routing it only protects what is actually served under /Forms; the [Authorize] attributes on the controllers remain the control for controller actions.
