1
votes

In my application, there are three types of users: Admin, SuperAdmin, Normal Users. I want to do authentication without the roles concept, by using claims. There is a table called AspNetClaims in the db for ASP.NET Identity. How do I fill this table with claims? When a user is registered for the first time, he should be assigned a claim (admin, superadmin, user). Then onwards, when the user logs in, I must be able to find the type of user. How can I achieve it?

My other question is: in this scenario, is it correct to do claims-based authentication without any roles concept?

2
What is the difference between your claims and roles? You are pretty much creating roles, but saving them as claims. Make your life simpler and just go with roles. – trailmax
Note that MVC5 creates claims for roles. So your request is already fulfilled really. – James Sampica

2 Answers

0
votes

If you are only ever going to have types of users where it is ok for all users of a given type to have the same permissions (and not for example for the permissions to vary by user for different data records), then you are effectively doing the same as if you were using Roles based permissions rather than Claims based ones.

The point of using Claims is that it allows you to do everything you could do via Roles and more. Claims give you more flexibility: e.g. your database could contain data for several different clients (ClientA and ClientB), each of whom could have an Admin user (e.g. AdminUserA and AdminUserB) but who only have admin rights over records related to the particular client they belong to.

In that situation you could achieve this by giving user AdminUserA a claim of type ClientA with value Admin, and user AdminUserB a claim of type ClientB with value Admin. Then in code you would only allow users with a claim value of Admin for claim to administer records for client with clientname .

See my comment on How to add claims in ASP.NET Identity for two different ways of adding a claim to a user (unfortunately, Microsoft don't seem to have documented this well, so it is unclear as to whether both methods are needed!). As mentioned there, you can add a claim to the AspNetClaims table (but not to cookies) via manager.AddClaim(userID, claim) in GenerateUserIdentityAsync(UserManager manager) for class ApplicationUser within IdentityModel.cs (within an MVC5 project).

You can check what claims a user has as follows: When the user logs in, userIdentity.Claims should contain all the claims the user has (including custom claims that were in the AspNetClaims before the user logged in, but not any added since via manager.AddClaim!), and manager.GetClaims(userID) should return all the user's custom claims (including ones added via manager.AddClaim!). This is messy, and Microsoft really ought to tidy this up or at least document it better!

Hope this helps

0
votes

Step 1: You have to apply your filter on an action method like the example below.

Here is my Action method:

[AuthAttribute]
[CustomAuthorize("Admin", "SuperAdmin")]
public ActionResult GetEmployeeList(string sortOrder, string currentFilter, string searchString, int? page)
{
    // Stored procedure / function import on the EF context; the result set is handed to the view
    List<GetListviewData_Result> listGetListviewData_Result = db.GetListviewData().ToList();
    return View(listGetListviewData_Result);
}

Step 2: You have to write code in your authorize filter method like the example below.

Here is my Authorise filter:

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] allowedroles;
    private readonly MyDbContext context = new MyDbContext(); // EF context exposing user_tbl; the type name is a placeholder

    // Roles listed in [CustomAuthorize("Admin", "SuperAdmin")] arrive here
    public CustomAuthorizeAttribute(params string[] roles)
    {
        allowedroles = roles;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // User identity is read from session state here, not from the authenticated principal
        var userEmailId = httpContext.Session["userName"] as string;
        if (string.IsNullOrEmpty(userEmailId)) return false;
        bool authorize = false;
        foreach (var role in allowedroles)
        {
            /* getting user from current context */
            var user = context.user_tbl.Where(m => m.emailId == userEmailId && m.role == role);
            if (user.Count() > 0)
            {
                authorize = true; /* return true if Entity has current user(active) with specific role */
            }
        }
        return authorize;
    }
}
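The same two pieces done with Identity claims, as an added example that is not code from either answer: the claim is written to AspNetUserClaims once at registration (the manager.AddClaim route from the first answer), and the filter checks the signed-in principal's claims instead of a table lookup keyed on Session["userName"]. It assumes the MVC5 template's ApplicationUser type and a UserManager<ApplicationUser>; the claim type string "urn:myapp:usertype" and the EmployeesController are made up for the example. The attribute also covers the first answer's per-client case (claim type ClientA, value Admin) with [ClaimAuthorize("ClientA", "Admin")].

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Claim type for the user category (assumed name; any stable string works)
public static class AppClaimTypes
{
    public const string UserType = "urn:myapp:usertype";
}

public static class Registration
{
    // Call once, right after UserManager.CreateAsync succeeds. The row lands in AspNetUserClaims
    // and is loaded into the cookie identity at the next sign-in, not into an existing session.
    public static Task<IdentityResult> AssignUserTypeAsync(
        UserManager<ApplicationUser> manager, string userId, string userType)
    {
        return manager.AddClaimAsync(userId, new Claim(AppClaimTypes.UserType, userType));
    }
}

// Authorizes on a claim of the authenticated principal; no session state, no DB round trip.
public class ClaimAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _claimType;
    private readonly string[] _allowedValues;

    public ClaimAuthorizeAttribute(string claimType, params string[] allowedValues)
    {
        _claimType = claimType;
        _allowedValues = allowedValues;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User == null ? null : httpContext.User.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;
        // Ordinal comparison: a value of "admin" must not satisfy a check for "Admin"
        return identity.FindAll(_claimType)
                       .Any(c => _allowedValues.Contains(c.Value, StringComparer.Ordinal));
    }
}

public class EmployeesController : Controller
{
    [ClaimAuthorize(AppClaimTypes.UserType, "Admin", "SuperAdmin")]
    public ActionResult GetEmployeeList() { return View(); }
}
```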