Performing Authorization In Class Libraries Without Coupling Security in ASP.NET Identity

Most of the time it makes sense to perform authorization at the Controller or Web API level in an ASP.NET MVC application using an AuthorizeAttribute on the controller or action.  This handles at least 95% of the scenarios but occasionally it makes sense to handle authorization down in a class library or it needs to be handled in code for more complex situations. An example might be an application that allows users to create folders and files that have individual permissions.  In this scenario the resource being acted upon must be determined at run-time and therefore we cannot use a static AuthorizeAttribute.

So how do we determine permissions on a dynamic resource without coupling security with our application domain. This is a good time to use a custom ClaimsAuthorizationManager.   A ClaimsAuthorizationManager will allow a class library to loosely couple authorization in our application domain and configure it at deployment.  Here is an example on using the ClaimsAuthorizationManager that I added to the SimpleSecurity project using ASP.NET Identity.  You can get the source code for this example here.

Here is how we would insert an authorization check in our class library. 

    public class FakeService
    {
        public static void MyMethod()
        {
            //Here is where we would check access to perform operations in this method.
            ClaimsPrincipalPermission.CheckAccess(AppResources.Foo.ToString(), Operations.Read.ToString());
            //If we made it this far we were authorized and we would perform the actual operations here.
        }
    }


When calling the ClaimsAuthorizationManager you invoke the CheckAccess method which expects two parameters; a resource and an action. This provides context to the ClaimsAuthorizationManager on what to authorize. In this contrived example the resource and action are static, but as you can imagine they could just as easily have been derived from something like a database query or other application logic. Notice that the resource and action passed in fit nicely with the concepts I presented in an earlier article on decoupling the security model from your MVC application. If the authorization fails the ClaimsAuthorizationManager throws a SecurityException which we can handle in our controller or Web API.

What makes this method of authorization even more flexible is that we configure which ClaimsAuthorizationManager to use in the web.config. Here is what the configuration looks like for this example. 

 <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type="SimpleSecurity.AspNetIdentity.SimpleAuthorizationManager, SimpleSecurity.AspNetIdentity"/>
    </identityConfiguration>
  </system.identityModel>

This allows us to configure different ClaimsAuthorizationManagers for different web applications, further decoupling the authorization process from our application domain.

Here is what the code look like for this custom ClaimsAuthorizationManager.

    public class SimpleAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            string resourceStr = context.Resource.First().Value;
            string actionStr = context.Action.First().Value;
            int resourceId;
            Operations operationId;
            try { resourceId = Int32.Parse(resourceStr); }
            catch { throw new Exception("Invalid resource. Must be a string representation of an integer value."); }
            try { operationId = (Operations)Enum.Parse(typeof(Operations),actionStr); }
            catch { throw new Exception("Invalid action/operation. Must be a string representation of an integer value."); }

            //Get the current claims principal
            var prinicpal = (ClaimsPrincipal)Thread.CurrentPrincipal;
            //Make sure they are authenticated
            if (!prinicpal.Identity.IsAuthenticated)
                return false;
            //Get the roles from the claims
            var roles = prinicpal.Claims.Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToArray();
            //Check if they are authorized
            return ResourceService.Authorize(resourceId, operationId, roles);
        }
    }

This authorization process gets the roles from the current authenticated users claims and checks in the database if any of those roles are associated with the resource and operation/action that is being performed. The resource and action passed in are strings so I need to convert them to the integer ID and enumerated operation used in the database.

If the authorization process fails a SecurityException is thrown. Here is how we can catch the exception and handle it in the controller. 

        public ActionResult UseClaimsAuthorization()
        {
            try
            {
                FakeService.MyMethod();
            }
            catch (SecurityException ex)
            {
                Response.Redirect(loginUrl(Url.Action("UseClaimsAuthorization", "Home")));
            }
            ViewBag.Message = "Test Claims Authorization";
            return View();
        }

        public string loginUrl(string returnUrl)
        {
             return "../Account/Login?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        }


In this example I handle the SecurityException just like forms authentication would and redirect to the login page. In a Web API you could return an HTTP Unauthorized error.

You can try this out by downloading the source code from SimpleSecurity, compiling and running the application.  The example MVC application is in AspNetIdentity\SimpleSecurity.AspNetIdentity.RefApp. The database is seeded with a user who has a user name of "user" and password of "password" that has the role for the resource/operation authorized in this example.

I think this is a good method for handling security in your class libraries and lower layers of the application without tightly coupling your security model. What do you think? Can you think of some applications for this technique.

Comments

Post a Comment

Popular posts from this blog

Using Claims in ASP.NET Identity

Claims can simplify and increase the performance of authentication and authorization processes. I wrote about how you can use the roles stored as claims to eliminate back-end queries every time authorization takes place .  ASP.NET Identity has good support for claims-based identity and it creates several claims for you automatically when you create a new identity.  Here is how we create the identity for a new user during the log-in process UserManager<applicationuser> userManager = new UserManager<applicationuser>(new UserStore<applicationuser>(new SecurityContext())); ClaimsIdentity identity = userManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie); If you inspect the Claims property of ClaimsIdentity after calling CreateIdentity you will see that there are there are three or more claims. There is a claim for the user ID, user name, identity provider and one for each role assigned. So what if you want to add some more claims? Here is an ex
Keep reading

Seeding & Customizing ASP.NET MVC SimpleMembership

Image
In ASP.NET MVC 4 Microsoft introduced a new membership provider that is referred to as SimpleMembership.  SimpleMembership makes it easier to customize user profiles and incorporates  OAuth support.  I have seen a lot of questions on StackOverflow on how to customize SimpleMembership and seed it with data and in this post I will discuss some methods for achieving both . SimpleMembership uses Entity Framework (EF) 5 and the code-first model. To initialize the database that contains the users and roles a filter is used called  InitializeSimpleMembershipAttribute.   This attribute is decorated on the AccountController as shown here: [Authorize] [InitializeSimpleMembership] public class AccountController : Controller { ... } This is setup this way so that the initialization code is only called when accessing the actions on the AccountController .  If you look at the code for  InitializeSimpleMembershipAttribute you will see a lot of code to setup initialization which is basically
Keep reading

Customizing Claims for Authorization in ASP.NET Core 2.0

Image
There have been some major changes to ASP.NET Identity with the release of Core 2.0, which you can read about here .  One of the major changes is that it does not rely on using middleware anymore to customize it.  Instead dependency injection is used by configuring via services in the ConfigureServices method of StartUp.cs .   There is not much documentation or examples on how to do this so I am going to explore how to customize ASP.NET Identity and publish some examples in this blog.  First I wanted to look at how you would add custom claims to the identity and then use those claims for authorization. To begin create a new ASP.NET Core Web Application  project in Visual Studio 2017.  Be sure to select . NET Core and ASP.NET Core 2.0 in the two drop downs at the top.  Select the template for Web Application (Model-View-Controller) and Change the Authentication to Individual User Accounts .  When the project is created you are ready to add some code. For this example we are s
Keep reading