Authorization is the process that decides what a user is able to do. For example, user Adam may be able to create a document library, add documents to it, and edit and delete them, while Bob might only be authorized to read the documents in a single library.
2. Dot Net Training
Today we will be discussing resource-based authorization.
Often authorization depends on the resource being accessed.
For example, a document might have an author property, and only the author is allowed
to update it; the resource must therefore be loaded from the document repository before
an authorization decision can be made.
This can't be done with an Authorize attribute, because attribute evaluation takes place
before data binding and before the code that loads the resource runs inside an action.
Instead of declarative authorization, the attribute method, we must use imperative
authorization, where the developer calls an authorize function within their own code.
Authorizing within code
Authorization is implemented as a service, IAuthorizationService, registered in the service
collection and available via dependency injection for controllers to access.
public class DocumentController : Controller
{
    IAuthorizationService _authorizationService;

    public DocumentController(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }
}
IAuthorizationService has two AuthorizeAsync overloads: in one you pass the resource and
the policy name, and in the other you pass the resource and a list of requirements to
evaluate.
Task<bool> AuthorizeAsync(ClaimsPrincipal user,
                          object resource,
                          IEnumerable<IAuthorizationRequirement> requirements);
Task<bool> AuthorizeAsync(ClaimsPrincipal user,
                          object resource,
                          string policyName);
Writing a resource-based handler
Writing a handler for resource-based authorization is not very different from writing a
plain requirements handler. You create a requirement and then implement a handler for it,
specifying the requirement type, as before, and additionally the resource type.
A handler that accepts a Document resource would therefore look as below:
public class DocumentAuthorizationHandler : AuthorizationHandler<MyRequirement, Document>
{
    // The base class declares HandleRequirementAsync as protected, so the
    // override must be protected as well.
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   MyRequirement requirement,
                                                   Document resource)
    {
        // Validate the requirement against the resource and the identity;
        // call context.Succeed(requirement) only when the check passes.
        return Task.CompletedTask;
    }
}
For decisions based on operations such as create, read, update and delete, the
framework's OperationAuthorizationRequirement class can express each operation by name:
public static class Operations
{
    public static OperationAuthorizationRequirement Create =
        new OperationAuthorizationRequirement { Name = "Create" };
    public static OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static OperationAuthorizationRequirement Update =
        new OperationAuthorizationRequirement { Name = "Update" };
    public static OperationAuthorizationRequirement Delete =
        new OperationAuthorizationRequirement { Name = "Delete" };
}
Your handler could then be implemented against this requirement type, using a
hypothetical Document class as the resource.
Note that such a handler works upon OperationAuthorizationRequirement. Because a single
handler serves every operation, the code inside it must take the Name property of the
supplied requirement into account when making its evaluations; otherwise a check for
Delete would succeed on exactly the same terms as a check for Read.
To call an operational resource handler, you must specify the operation when calling
AuthorizeAsync in your action. For example:
if (await _authorizationService.AuthorizeAsync(User, document, Operations.Read))
{
    return View(document);
}
else
{
    return new ChallengeResult();
}
This example checks whether the user is able to perform the Read operation on the current
document. If authorization succeeds, the view for the document is returned; otherwise a
ChallengeResult is returned.
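The pieces above (the operation requirements, a handler that branches on the requirement name, its registration, and the call from an action) assembled into one working unit. This is an added example, not code from the training material or from the ASP.NET Core documentation; the Document class, the IDocumentRepository interface, the "Administrator" role name and the Details action it redirects to are assumptions. It follows the ASP.NET Core 1.x signatures shown on the page, where AuthorizeAsync returns Task<bool>; on ASP.NET Core 2.0 and later it returns an AuthorizationResult and the condition becomes a check of its Succeeded property.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical resource and repository (assumed; the page does not define them).
public class Document
{
    public int Id { get; set; }
    public string Author { get; set; }   // user name of the creator
    public string Body { get; set; }
}

public interface IDocumentRepository
{
    Document Find(int id);
    void Save(Document document);
}

// Same operation names as the page's Operations class.
public static class Operations
{
    public static OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static OperationAuthorizationRequirement Update =
        new OperationAuthorizationRequirement { Name = "Update" };
    public static OperationAuthorizationRequirement Delete =
        new OperationAuthorizationRequirement { Name = "Delete" };
}

// One handler serves every operation, so it must branch on requirement.Name.
// Nothing is granted unless context.Succeed is called: an unknown name,
// an anonymous caller or a non-author editing all fall through and are denied.
public class DocumentAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   OperationAuthorizationRequirement requirement,
                                                   Document resource)
    {
        var user = context.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return Task.CompletedTask;

        bool isAuthor = string.Equals(resource.Author, user.Identity.Name, StringComparison.Ordinal);

        if (requirement.Name == Operations.Read.Name)
            context.Succeed(requirement);                   // any signed-in user may read
        else if (requirement.Name == Operations.Update.Name && isAuthor)
            context.Succeed(requirement);                   // only the author may edit
        else if (requirement.Name == Operations.Delete.Name
                 && (isAuthor || user.IsInRole("Administrator")))   // assumed role name
            context.Succeed(requirement);                   // author or administrator may delete

        return Task.CompletedTask;
    }
}

// Registration, called from Startup.ConfigureServices; handlers are resolved from DI.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization();
        services.AddSingleton<IAuthorizationHandler, DocumentAuthorizationHandler>();
    }
}

// Controller: load the resource first, then ask the service about that specific instance.
public class DocumentController : Controller
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IDocumentRepository _repository;

    public DocumentController(IAuthorizationService authorizationService,
                              IDocumentRepository repository)
    {
        _authorizationService = authorizationService;
        _repository = repository;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Edit(int id, string body)
    {
        var document = _repository.Find(id);
        if (document == null)
            return NotFound();

        // ASP.NET Core 1.x: AuthorizeAsync returns Task<bool>.
        if (!await _authorizationService.AuthorizeAsync(User, document, Operations.Update))
        {
            // A signed-in user who fails the check gets 403, not another sign-in prompt.
            return User.Identity.IsAuthenticated ? (IActionResult)new ForbidResult()
                                                 : new ChallengeResult();
        }

        document.Body = body;
        _repository.Save(document);
        return RedirectToAction("Details", new { id });   // assumed action
    }
}
```

The point to take from the handler is the default: it returns without calling context.Succeed for every case it does not explicitly recognise, so adding a new operation name to Operations without adding a branch here denies it rather than silently allowing it. In the action, the resource is loaded before the check, which is exactly the ordering an Authorize attribute cannot give you.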
If you want to learn ASP.Net and perfect yourself through .NET training, CRB Tech
Solutions would be of great support to you. Join us in our updated ASP.Net course
program.
Stay connected to CRB Tech reviews for more technical optimization and other
resources.