Overview
Action base authorization architecture (ABA) is a security mechanism that improved the MVC role base security architecture. ABA provides a full functionality security control UI for administrators to manage user accounts, roles and permission assigning. The permission base user authorized pattern instead hard code the role name or user name in design time.
Why ABA?
Let's get a look in MVC users authenticating,when we wants to authorize an Action method we must specified a user name or user role name in our code explicitly it maybe like this:
public class ProductController:Controller
{
[Authorize(Roles="Administrators",Users="Ray")]
public ActionResult Create(Product product)
{
return View();
}
}
What do you think about this code ?
If we write the authorization code like this, after the application released we could not change the access roles of this Action and your application must have a role named “Administators” or a user named ”Ray” and you could not rename or delete them. It make no sense! In most case our application needs an UI to manage user acctions, application roles and assign users to roles, do you write this functions in every project or do it quickly and dirty (copy and paste)?
What does ABA do?
For release the develops from MVC security hard code nightmare and let our code more reuseable, ABA separates the role name and user name from code and provides a rich set of UI that allows administrator assign variant roles or users to the action at runtime, and provides series helper methods for authenticating users and control functions visibiltiy.
How does it work?
ABA provides a filter action attribute class “SecurityActionAttribute” to instead of “AuthorizeAttribute”. In order to understand ABA let we take a look in ABA architecture:
By pass we focus on which roles can request the Action so we need to specifies the role name or user name explicity. The core concept in ABA is : What permissions is current user has”, What is permission? Permission is the Action method name which need authoize. The permissions are assign to Roles, a user maybe in many roles at runtime ABA will get a permission list for current user.When the user request a authorized Action ABA will check the list wheather current user has any permissions in it.
How to use ABA ?
You can require a user to be authenticated before the user invokes a controller action by adding the [SecurityAction] attribute to the action. You can apply the [SecurityAction] attribute to an individual controller action or you can apply this attribute to an entire controller class For example:
public class ProductController:Controller
{
[SecurityAction("Production","Create product",
"Allows users can create a new product information.")]
public ActionResult Create(Product product)
{
return View();
}
}
In this example we specified the PermissionSet title "Production", Permission display title "Create product" and permission description.Now let run the DotNetAge and find what have happen. Select "SiteTools->Console->Security" , in Roles tab select the administrators role
In Permission set groups we will find a "Production" group and there is a permission in it. We can click the check box to assign/unassign this permission for current role.
When the no permit user access the Creae product page ,he/she will get a Access Deny message page.
The following table list the properties SecurityActionAttribute class:
| Property | Type | Description |
|---|---|---|
| Title | string | Gets/Sets the permission title text. |
| Description | string | Get/Sets the description of the permission |
| PermissionSet | string | Gets/Sets the PermissionSet name to grouping the permission |
| ResBaseName | string | Gets/Sets the resource file base name. |
| TitleResName | string | Gets/Sets the title text key name in resource file. |
| DescResName | string | Gets/Sets the description key name in resource file. |
| PermssionSetResName | string | Gets/Sets the permissionset key name in resource file. |
| ThrowOnDeny | bool | If this property set when current user has not permission IsAuthorized method will throw an AccessDenyException |
UI visibility controlling
Usually we need to control some functional UI visibility which allow authorize user only. ABA extend a helper method to HtmlExtensions class, named “IsAuthorize”. In view file we can use this helper method like this:
Razor
@if (WebContext.Current.IsAuthorized<WidgetController>("Create"))
{
@Html.ActionLink("Create new product","Create")
}
ASP.NET FROM
<%
if (WebContext.Current.IsAuthorized("Create"))
{
%>
<%: Html.ActionLink("Create new product","Create") %>
<%}%>
Logical usability controlling
In logical level (controller) developer could use the WebSiteContext.IsAuthorized method decide whether the user has the permission.
The following code sample is descide if current user has "Create" permission then he/she could use the "Edit" method:
public class ProductController : Controller
{
[SecurityAction("Production", "Create product",
"Allows users can create a new product information.")]
public ActionResult Create()
{
return View();
}
public ActionResult Edit(int id)
{
if (WebSiteContext.Current.IsAuthorized(this, "Create"))
{
//Do somthing here.
}
return View();
}
}
Conclusion
Action base authorization architecture is a simple way to control the access security in Mvc by just one line code! By the way the ABA still use the roles and users database of the ASPNETDB so you can upgrade the existing application to DotNetAge very smoothly.
-
Average:5
-
Читает(669)
-
Trackback(0)
-
Постоянная ссылка
Комментарии (0)