Permission-Based Authorization and ACLs in .NET
Many kinds of applications need authentication and authorization in order to stop unauthorized requests from reaching their resources and endpoints.
As a .NET developer, the first thing that comes to mind is role-based authorization: [Authorize(Roles = "...")] on the back end and if (User.IsInRole("Blah Blah")) on the front end.
But what happens when one of the roles later needs access to more areas, or the business decides to block some endpoints for a particular role?
The straightforward way is to modify the actions, add or remove [Authorize(Roles = "BlahBlah")] attributes, change a few conditions on the front-end side, and finally create a new release. Done! But wait...
Have you heard about permission-based authorization and ACLs? (Note that this is authorization, deciding what an already authenticated user may do; authentication, proving who the user is, stays as it was.)
Basically, permissions are claims that are attached to a particular role dynamically. Whenever we define a new action or controller, we define a policy for it according to the business logic, and the policy in turn requires the matching permission claim.
Pay attention to the code below, which registers the authorization policy in our service collection.
//Startup.cs
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

services.AddAuthorization(options =>
{
    // A caller satisfies this policy only if its principal carries a claim of type
    // "Permission" whose value is "Student.Create". Role claims are copied into the
    // principal at sign-in, so binding the claim to a role binds it to the role's users.
    options.AddPolicy("Student.Create", policy => policy.RequireClaim("Permission", "Student.Create")); // ---> Attention!
});

//StudentController.cs
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class StudentController : Controller
{
    // The policy name here must match the name registered above exactly.
    [Authorize(Policy = "Student.Create")] // ---> Attention!
    public IActionResult Create()
    {
        return View();
    }
}
We have just one action, Create, in the StudentController, and as you can see at the top of that action we added an Authorize attribute naming the Student.Create policy.
On the other side, in Startup.cs, we registered that policy, which requires a claim of type Permission with the value Student.Create. The application also has two roles: the first is Admin and the second is BasicUser.
The issue is that we need to dynamically allow or prevent BasicUser (all the users that belong to the BasicUser role) from accessing this action, and our Razor view should automatically show the link when the user has access and hide it when he does not.
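Registering one AddPolicy call per permission means every new action still needs a Startup.cs change. The following is an added example (not the article's code and not the code in the author's repository) of the same permission check done generically: any policy name that was not registered with AddPolicy, such as "Student.Create", is turned into a policy that requires a "Permission" claim with that exact value, so the policy name on the attribute is the permission. The class names, the helper PermissionSetup and the claim type "Permission" are this example's own choices.

```csharp
// Added example: permission-based authorization without one AddPolicy per permission.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public static class PermissionClaim
{
    public const string Type = "Permission"; // claim type is an assumption of this example
}

// One requirement per policy: "the caller must hold permission X".
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public string Permission { get; }
    public PermissionRequirement(string permission) => Permission = permission;
}

// Succeeds only when the signed-in principal carries the matching claim. Identity copies a
// role's claims into the principal at sign-in, so granting the claim to a role grants it to
// the role's members. Anything else fails closed (no Succeed call means access is denied).
public sealed class PermissionAuthorizationHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   PermissionRequirement requirement)
    {
        if (context.User.HasClaim(PermissionClaim.Type, requirement.Permission))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Falls back to a permission policy for any name not registered with AddPolicy. A misspelled
// policy name therefore demands a permission nobody holds and denies access, instead of
// throwing "policy not found" at runtime or silently allowing the request.
public sealed class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        var registered = await base.GetPolicyAsync(policyName);
        if (registered is not null)
        {
            return registered;
        }
        return new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddRequirements(new PermissionRequirement(policyName))
            .Build();
    }
}

public static class PermissionSetup
{
    // Startup.cs / Program.cs: replaces the per-permission AddPolicy calls.
    public static IServiceCollection AddPermissionAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization();
        services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
        services.AddSingleton<IAuthorizationHandler, PermissionAuthorizationHandler>();
        return services;
    }
}

// The controller looks exactly as in the article; the policy name is now the permission.
public class StudentController : Controller
{
    [Authorize(Policy = "Student.Create")]
    public IActionResult Create() => View();
}

// In the Razor view, ask the same policy so the link is hidden for users who lack it:
//   @inject Microsoft.AspNetCore.Authorization.IAuthorizationService AuthorizationService
//   @if ((await AuthorizationService.AuthorizeAsync(User, "Student.Create")).Succeeded)
//   {
//       <a asp-action="Create">Create student</a>
//   }
```

Keeping the view check on the same policy name as the attribute is what keeps the two in sync: hiding the link is a usability measure only, and the [Authorize] attribute on the action remains the actual enforcement point for a user who types the URL directly.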
With the code above, any role that carries a Permission claim with the value Student.Create gets access to student creation; otherwise it does not. So the next step is simply a Permission controller, accessible only to the Admin role, with which the admin can bind a particular claim (permission) to a role or remove it from the role, as in the images below:
Finally, if you log in as a BasicUser you will see that you now have access to the Create action:
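The admin-only controller described above, as an added example (not the article's code and not the code in the author's repository): it lists, binds and removes Permission claims on a role through ASP.NET Core Identity's RoleManager. The controller and action names, the "Admin" role name and the claim type are this example's own assumptions; it requires Identity to be registered with roles (AddIdentity<IdentityUser, IdentityRole>() or AddDefaultIdentity<IdentityUser>().AddRoles<IdentityRole>()) so that role claims are copied into the user's principal.

```csharp
// Added example: admin-only management of "Permission" claims on roles.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

[Authorize(Roles = "Admin")] // role name is an assumption of this example
public class PermissionsController : Controller
{
    private const string ClaimType = "Permission"; // claim type is an assumption of this example
    private readonly RoleManager<IdentityRole> _roles;

    public PermissionsController(RoleManager<IdentityRole> roles) => _roles = roles;

    // Lists the permissions currently bound to a role.
    [HttpGet]
    public async Task<IActionResult> Index(string roleName)
    {
        var role = await _roles.FindByNameAsync(roleName);
        if (role is null) return NotFound();
        var claims = await _roles.GetClaimsAsync(role);
        var permissions = claims.Where(c => c.Type == ClaimType).Select(c => c.Value).ToList();
        return View(permissions);
    }

    // Binds a permission to a role. Idempotent, so a double submit does not add a duplicate row.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Grant(string roleName, string permission)
    {
        var role = await _roles.FindByNameAsync(roleName);
        if (role is null) return NotFound();
        var claims = await _roles.GetClaimsAsync(role);
        if (!claims.Any(c => c.Type == ClaimType && c.Value == permission))
        {
            var result = await _roles.AddClaimAsync(role, new Claim(ClaimType, permission));
            if (!result.Succeeded) return BadRequest(result.Errors);
        }
        return RedirectToAction(nameof(Index), new { roleName });
    }

    // Removes a permission from a role.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Revoke(string roleName, string permission)
    {
        var role = await _roles.FindByNameAsync(roleName);
        if (role is null) return NotFound();
        var result = await _roles.RemoveClaimAsync(role, new Claim(ClaimType, permission));
        if (!result.Succeeded) return BadRequest(result.Errors);
        return RedirectToAction(nameof(Index), new { roleName });
    }
}

// Role claims are copied into the authentication cookie when the user signs in, so a grant or
// revoke above does not reach users who are already signed in until Identity's
// SecurityStampValidator rebuilds their principal. That happens at most once per
// ValidationInterval (30 minutes by default); shorten it if a revoke must take effect sooner:
//
//   services.Configure<SecurityStampValidatorOptions>(
//       o => o.ValidationInterval = TimeSpan.FromMinutes(1));
```

The last comment is the check a practitioner should make after wiring this up: log in as a BasicUser, revoke Student.Create from the role in another session, and confirm that the Create action becomes inaccessible only after the validation interval has passed (or after signing out and in again), not immediately.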
But do not panic! The full implementation, both back end and front end, is in my GitHub repository and you can download it from here:
Feel free to contact me if you have any questions :)
I also used the article below to implement this permission-based authorization; it leaves some parts uncovered, and I have covered all of them in the project.
https://codewithmukesh.com/blog/permission-based-authorization-in-aspnet-core/
Technical Lead at TOSAN (Banking and Payment Solutions Provider)
3 years ago: Hi, Mohamad Ravaei. Please look at the RBAC pattern; you will probably find some implementations of it on .NET, Java or any other platform. https://transang.me/pattern-oriented-software-architecture-access-control-pattern/