The following diagram gives an idea of authentication when the end user makes a call to
an MVC 6 (ASP.NET Core) application.
When the end user requests a View from an MVC 6 application, the action is executed and the
View is returned in the response. However, if the controller or the action is decorated with
the [Authorize] filter and the request does not carry a valid authentication cookie, the action
is not executed; the server responds with a redirect to the login page instead. When the end
user then submits the login form with credentials, the login action validates them against the
database where the application users are stored (the submitted password is hashed and compared
with the stored hash, never compared as plain text). If the credentials are valid, the user is
signed in, an authentication cookie is issued, and the originally requested View is sent back.
Every later request carries that cookie, which is how the authentication middleware knows who
the user is before the [Authorize] filter runs.
• Filters in MVC
What are filters:
Sometimes we need to perform a certain action before or after a particular operation, or we
need pre- or post-processing behaviour around an action. To achieve this, ASP.NET MVC provides
a feature called Filters.
Types of filters:
1. Action Filters
2. Authorization Filters
3. Authentication Filters
4. Result Filters
5. Exception Filters
Action Filters:
Action filters contain the logic that gets executed before or after a controller action
executes.
Authorization Filters:
Authorization filters run first in the pipeline, before model binding and before the action
executes, and decide whether the current user is allowed to reach the action at all. The
built-in [Authorize] attribute described below is one; when its check fails the pipeline is
short-circuited and the action never runs.
Result Filters:
Result filters contain logic that gets executed before or after an action result executes,
e.g. if you want to change the view before it gets rendered to the browser.
Exception Filters:
Exception filters are used to handle errors raised by either a controller action or an action
result; they are also the place to log the exception and to make sure the response that goes
back to the client is a generic error page rather than the raw exception details.
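As an added example (not code from the original page), here is one custom filter of each kind described above, written for ASP.NET Core MVC and registered globally. The class names (AuditActionFilter, SecurityHeadersResultFilter, GenericErrorExceptionFilter, FilterRegistration) and the Error view name are assumptions for illustration.

```csharp
// Added example, not from the original page: one custom action, result and exception filter
// for ASP.NET Core MVC. All class names here are assumptions for illustration.
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;

// Action filter: runs immediately before and after the action method itself.
public class AuditActionFilter : IActionFilter
{
    private readonly ILogger<AuditActionFilter> _log;
    public AuditActionFilter(ILogger<AuditActionFilter> log) { _log = log; }

    public void OnActionExecuting(ActionExecutingContext context)
    {
        // Who is calling what. By this point the authentication middleware has established
        // the identity and the authorization filter has already let the request through.
        _log.LogInformation("User {User} -> {Action}",
            context.HttpContext.User.Identity?.Name ?? "(anonymous)",
            context.ActionDescriptor.DisplayName);
    }

    public void OnActionExecuted(ActionExecutedContext context)
    {
        if (context.Exception != null)
            _log.LogWarning("Action {Action} threw {Type}",
                context.ActionDescriptor.DisplayName, context.Exception.GetType().Name);
    }
}

// Result filter: runs around execution of the IActionResult (i.e. while the view renders),
// which is early enough to still add response headers.
public class SecurityHeadersResultFilter : IResultFilter
{
    public void OnResultExecuting(ResultExecutingContext context)
    {
        var headers = context.HttpContext.Response.Headers;
        headers["X-Content-Type-Options"] = "nosniff";
        headers["X-Frame-Options"] = "DENY";
    }

    public void OnResultExecuted(ResultExecutedContext context) { }
}

// Exception filter: handles exceptions from the action or its result, logs the details
// server-side and returns a generic error view so stack traces never reach the browser.
public class GenericErrorExceptionFilter : IExceptionFilter
{
    private readonly ILogger<GenericErrorExceptionFilter> _log;
    public GenericErrorExceptionFilter(ILogger<GenericErrorExceptionFilter> log) { _log = log; }

    public void OnException(ExceptionContext context)
    {
        _log.LogError(context.Exception, "Unhandled exception in {Action}",
            context.ActionDescriptor.DisplayName);
        context.Result = new ViewResult { ViewName = "Error", StatusCode = 500 };
        context.ExceptionHandled = true;
    }
}

// Registration: filters added to MvcOptions run for every controller action.
// Usage in Startup.ConfigureServices / Program.cs:
//   services.AddControllersWithViews(FilterRegistration.Configure);
public static class FilterRegistration
{
    public static void Configure(MvcOptions options)
    {
        // Add<T>() resolves the filter through DI, so the ILogger constructor parameters work.
        options.Filters.Add<AuditActionFilter>();
        options.Filters.Add<SecurityHeadersResultFilter>();
        options.Filters.Add<GenericErrorExceptionFilter>();
    }
}
```

Filters of the same kind run in registration order (or by the Order property on attributes); authorization filters always run before any of the three above, so the audit filter only ever sees requests that were already allowed through.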
Filter attributes can be applied either to a controller action or to the controller itself;
with their help we can change the way the action or controller gets executed. ASP.NET MVC
ships several ready-made ones:
Output Cache:
This filter caches the output of an action for a certain duration. E.g. decorating the login
action with the [OutputCache] attribute and Duration = 20 caches the output of the login action
for 20 seconds (the duration we have given). Be careful with what you cache: a cached login
page hands the same anti-forgery token, and a cached authenticated page the same per-user
content, to every visitor for those 20 seconds, so output caching belongs on public,
non-personalised actions only.
• Handle Error:
The [HandleError] attribute is the built-in exception filter. When an action throws an
unhandled exception it renders the Error view instead of the default exception page, so stack
traces and internal details stay out of the response; it only takes effect when customErrors
is enabled in web.config.
Authorize:
It is used to restrict access to a resource to authorized users. E.g. in the code snippet
below we have decorated an action method with the Authorize attribute so that only members of
the Sales role may call it:
[Authorize(Roles = "Sales")]
public IActionResult DoSalesyStuff()
{ /* .. */ }
If a user outside the Sales role tries to access this action the request is rejected: an
anonymous user is redirected to the login page, and an authenticated user who lacks the role
gets a 403 Forbidden response (classic ASP.NET MVC with forms authentication also sends that
user to the login page).
The following lesson focuses on how to use ASP.NET Identity in an MVC application to create
user roles and display the menu depending on the user's roles.
Authentication
Check for a valid user. The question here is how to check whether a user is valid or not.
When a user comes to a website for the first time he registers with that website, and his
information, like user name, password, email, and so on, is stored in the website database.
The password must not be stored as entered: it is stored as a salted hash (ASP.NET Identity
does this for you with PBKDF2), and at login the submitted password is hashed and compared
with the stored hash. When a user enters his user ID and password, the information is checked
against the database. If the user ID and password match what is stored then he or she is a
valid user and is redirected to the website home page. If the user enters a user ID and/or
password that does not match, the login page gives an error message, something like "Enter a
valid user name or password". Keep this message generic: a message that reveals which of the
two was wrong lets an attacker enumerate valid user names.
The entire process of checking whether the user is valid or not for accessing the website is
called Authentication.
You need to add <system.web> to web.config and put the authentication section within it. The
attribute name is loginUrl (attribute names in web.config are case-sensitive), and timeout is
in minutes, so 2880 keeps a login valid for 48 hours:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Comfirm/Login" timeout="2880"></forms>
</authentication>
</system.web>
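As an added example (not the page's original configuration), the same section hardened for a site served over HTTPS: the forms ticket cookie is marked Secure and HttpOnly, the idle timeout is shortened, and the ticket is renewed on activity. The 30-minute timeout and the assumption that the whole site runs on HTTPS are choices made for this example.

```xml
<!-- Added example: hardened forms authentication, not the page's original web.config. -->
<system.web>
  <authentication mode="Forms">
    <!-- loginUrl: where unauthenticated requests are redirected.
         timeout: minutes of inactivity before the ticket expires (30 instead of 2880).
         requireSSL="true": the ticket cookie gets the Secure flag, so browsers only send it over HTTPS.
         slidingExpiration="true": the ticket is renewed while the user is active.
         cookieless="UseCookies": never fall back to putting the ticket in the URL.
         protection="All": the ticket is both encrypted and signed. -->
    <forms loginUrl="~/Comfirm/Login"
           timeout="30"
           requireSSL="true"
           slidingExpiration="true"
           cookieless="UseCookies"
           protection="All" />
  </authentication>
  <!-- Applies to every cookie the application sets, including the forms ticket:
       HttpOnly keeps it away from script, requireSSL keeps it off plain HTTP. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

With requireSSL="true" on both elements the application refuses to issue the ticket over plain HTTP, so test the login flow over HTTPS only.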
Authorization
Once the user is authenticated he needs to be redirected to the appropriate page for his role.
For example, when an Admin logs in he is redirected to the Admin page; if an Accountant logs
in he is redirected to his Accounts page; if an End User logs in he is redirected to his own
page. The redirect is only a convenience for the user: authorization proper means that each
of those pages also refuses requests from users who are not in the right role, otherwise
anyone can simply type the Admin URL.
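As an added example (not code from the original page), here is a login action built on ASP.NET Core Identity that performs the credential check described under Authentication and then the redirect-by-role described under Authorization. The LoginViewModel, the role names "Admin" and "Accountant", the target controllers and the Lockout view are assumptions for illustration.

```csharp
// Added example, not from the original page: Identity-based login with redirect by role.
// LoginViewModel, role names and target controllers are assumptions for illustration.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

[AllowAnonymous] // the login page itself must be reachable without a login
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public AccountController(SignInManager<IdentityUser> signInManager,
                             UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    [HttpGet]
    public IActionResult Login(string returnUrl = null)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // the login form must post the anti-forgery token
    public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Identity hashes the submitted password and compares it with the stored hash;
        // our code never sees or stores the plaintext. lockoutOnFailure counts failed
        // attempts and locks the account after the configured number, which slows down
        // online password guessing.
        var result = await _signInManager.PasswordSignInAsync(
            model.UserName, model.Password, model.RememberMe, lockoutOnFailure: true);

        if (result.IsLockedOut)
            return View("Lockout");

        if (!result.Succeeded)
        {
            // One generic message for a wrong user name and a wrong password alike,
            // so the form cannot be used to enumerate valid user names.
            ModelState.AddModelError(string.Empty, "Invalid user name or password.");
            return View(model);
        }

        // Honour returnUrl only when it points back into this site; an absolute URL here
        // would turn the login page into an open redirector.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return LocalRedirect(returnUrl);

        // Authenticated: send the user to the landing page for his role. This is a
        // convenience only; Admin and Accounts still need their own [Authorize(Roles = ...)]
        // so that a user cannot reach them by typing the URL.
        var user = await _userManager.FindByNameAsync(model.UserName);
        if (await _userManager.IsInRoleAsync(user, "Admin"))
            return RedirectToAction("Index", "Admin");
        if (await _userManager.IsInRoleAsync(user, "Accountant"))
            return RedirectToAction("Index", "Accounts");
        return RedirectToAction("Index", "Home");
    }
}
```

The checks are ordered deliberately: lockout is reported before the generic failure message so a locked account does not look like a typo, and returnUrl is validated before it is followed.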
Web.config role provider
Configuration
A role provider is the component that answers "which roles does this user have" for
[Authorize(Roles = ...)] and User.IsInRole. It is registered under <roleManager> in
web.config; defaultProvider must name one of the providers listed in <providers>, and type
must be the namespace-qualified class name (optionally followed by a comma and the assembly
name) with no embedded spaces:
<configuration>
...
<system.web>
<roleManager enabled="true"
defaultProvider="customRoleProvider">
<providers>
<add name="customRoleProvider"
type="WebConfigRoleProvider.myRoleProvider"/>
</providers>
</roleManager>
</system.web>
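As an added example (not code from the original page), here is what the class named in the type attribute above has to look like: a RoleProvider whose user-to-role map is read from web.config, so that the configuration registers a real component. The namespace and class name follow the page's type attribute; the RoleMap appSettings key and its "user=Role1,Role2;user2=Role" format are assumptions for illustration.

```csharp
// Added example, not from the original page: a read-only RoleProvider backed by an
// appSettings entry. The RoleMap key and its format are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Web.Security;

namespace WebConfigRoleProvider
{
    // Registered with:
    //   <add name="customRoleProvider" type="WebConfigRoleProvider.myRoleProvider"/>
    // Expects an appSetting such as:
    //   <add key="RoleMap" value="tracy=Administrator,User;scott=User"/>
    public class myRoleProvider : RoleProvider
    {
        private readonly Dictionary<string, string[]> _roles;

        public myRoleProvider()
        {
            var raw = ConfigurationManager.AppSettings["RoleMap"] ?? string.Empty;
            _roles = raw.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                        .Select(entry => entry.Split('='))
                        .Where(parts => parts.Length == 2)
                        .ToDictionary(parts => parts[0].Trim(),
                                      parts => parts[1].Split(',').Select(r => r.Trim()).ToArray(),
                                      StringComparer.OrdinalIgnoreCase);
        }

        public override string ApplicationName { get; set; }

        // The two members that [Authorize(Roles = ...)] and User.IsInRole actually exercise.
        public override string[] GetRolesForUser(string username)
        {
            string[] roles;
            return _roles.TryGetValue(username ?? string.Empty, out roles) ? roles : new string[0];
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        public override string[] GetAllRoles()
        {
            return _roles.Values.SelectMany(r => r).Distinct(StringComparer.OrdinalIgnoreCase).ToArray();
        }

        public override bool RoleExists(string roleName)
        {
            return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        public override string[] GetUsersInRole(string roleName)
        {
            return _roles.Where(kv => kv.Value.Contains(roleName, StringComparer.OrdinalIgnoreCase))
                         .Select(kv => kv.Key).ToArray();
        }

        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            return GetUsersInRole(roleName)
                   .Where(u => u.IndexOf(usernameToMatch ?? string.Empty, StringComparison.OrdinalIgnoreCase) >= 0)
                   .ToArray();
        }

        // The role map is configuration, so write operations are refused explicitly
        // rather than silently succeeding and leaving callers with a false picture.
        public override void CreateRole(string roleName) { throw new NotSupportedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    }
}
```

Because the map is loaded once in the constructor, changing roles means editing web.config (which recycles the application); a database-backed provider would query on each GetRolesForUser call or cache with an expiry instead.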
Role-based authorization in ASP.NET MVC
When an identity is created it may belong to one or more roles. For example, Tracy may belong
to the Administrator and User roles whilst Scott may only belong to the User role. How these
roles are created and managed depends on the backing store of the authorization process.
Adding role checks
Role-based authorization checks are declarative—the developer embeds them
within their code, against a controller or an action within a controller, specifying
roles which the current user must be a member of to access the requested resource.
For example, the following code limits access to any actions on
the AdministrationController to users who are a member of
the Administrator role:
[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
}
If you apply multiple attributes then the accessing user must be a member of all the roles
specified; the following sample requires that a user be a member of both the PowerUser and
ControlPanelUser roles.
[Authorize(Roles = "PowerUser")]
[Authorize(Roles = "ControlPanelUser")]
public class ControlPanelController : Controller
{
}
You can further limit access by applying additional role authorization attributes at the
action level; an action decorated that way requires its own role in addition to the role
demanded by the controller.
You can also lock down a controller but allow anonymous, unauthenticated access to individual
actions:
[Authorize]
public class ControlPanelController : Controller
{
    // Requires an authenticated user (inherited from the controller attribute).
    public ActionResult SetTime()
    {
        return View();
    }
    // Reachable without logging in; otherwise nobody could ever reach the login form.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
}
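As an added example (not code from the original page), the role rules described in this section are combined on one ASP.NET Core controller: an OR across roles via a comma-separated list, an AND via a second attribute at action level (the action-level narrowing the text mentions), an [AllowAnonymous] escape hatch, and a check that attributes cannot express. The controller, action and role names and the ownerId parameter are assumptions for illustration.

```csharp
// Added example, not from the original page: role combinations on one controller.
// Controller, action, role and parameter names are assumptions for illustration.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// One attribute with a comma-separated list means OR: a member of either role may enter.
[Authorize(Roles = "Administrator,PowerUser")]
public class ControlPanelController : Controller
{
    // Only the controller-level rule applies here.
    public IActionResult SetTime()
    {
        return View();
    }

    // A second attribute at action level is ANDed with the controller's: the caller must
    // pass the controller rule and additionally be an Administrator.
    [Authorize(Roles = "Administrator")]
    public IActionResult ShutDown()
    {
        return View();
    }

    // [AllowAnonymous] overrides every [Authorize] above it, so this action is public.
    // Apply it deliberately; it is easy to expose more than intended.
    [AllowAnonymous]
    public IActionResult Status()
    {
        return Content("up");
    }

    // Attributes can only say "is in role X". A rule that depends on the record being
    // requested (you may only see your own report unless you are an Administrator) has to
    // be evaluated inside the action, and the failure must be Forbid(), not a redirect to
    // somebody else's record.
    public IActionResult Report(string ownerId)
    {
        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (ownerId != callerId && !User.IsInRole("Administrator"))
        {
            return Forbid();
        }
        ViewData["OwnerId"] = ownerId;
        return View();
    }
}
```

Forbid() yields a 403 for an authenticated caller and a login challenge for an anonymous one, which is the same behaviour [Authorize] produces, so in-action checks and attribute checks fail the same way from the client's point of view.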