Tags: .net, asp.net-mvc, security, asp.net-identity-2

What security approach should I apply?


My team is developing a large-scale web app. According to our analysis: some users should be able to access a page and use its controls to add, update, delete, approve, etc.; others should be able to access those pages without any ability to perform any actions (no controls); others have the ability to perform some (not all) actions; and others shouldn't be able to access some pages at all. So what approach should we use: Membership, Identity, or using Session and checking for permission on each page and each control on the page? What should we do? Someone told me that I should create a table for modules, another for each module's pages and another for each page's actions, and develop a class library for security checking as a security layer above the BLL. IS THAT RIGHT (best practice)? If not, then what?


Solution

  • If you are going to work with ASP.NET MVC, I suggest you use the ASP.NET Identity framework. Another possibility is to use the old ASP.NET Membership, but Microsoft is pushing hard toward the new ASP.NET Identity, so if I were you I would use this new framework.

    Besides, you will notice that ASP.NET Identity creates all the authorization tables needed (AspNetUsers, AspNetRoles, ...) automatically. So, if you don't want to make changes to them, you can forget about all the DB work related to authorization and authentication.

    This tutorial is a good starting point for learning how to implement ASP.NET Identity.

    On the other hand, I think that implementing security as a separate module (even in a different DB) is a good idea, keeping the Authorization Server and the Resource Server separated. This post from the same blog will show you a step-by-step tutorial to achieve it.

    Edited

    ASP.NET Identity allows you to authorize your application at the controller level or at the action level:

    using System.Web.Mvc;

    // Controller-level: every action on this controller requires the Admin role.
    [Authorize(Roles="Admin")]
    public class AdminController : Controller
    {
     // ...
    }
    
    // Action-level: the controller is reachable, but this action requires
    // the caller to be in the Admin or the User role.
    public class UserController : Controller
    {
     [Authorize(Roles="Admin,User")]
     public ActionResult LinkLogin(string provider)
     {
       // ...
     }
    }
    

    As you will see in the above tutorials, to manage role authorization you have three tables: AspNetUsers, AspNetRoles and the table that relates the two, AspNetUserRoles.

    So you have a lot of flexibility to authorize some users to use your controllers while at the same time not allowing some actions (add, update, delete, ...) inside them.
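As an added example (not part of the original answer or of any project it links to), here is how the scenario in the question maps onto controller-level and action-level `[Authorize]` in ASP.NET MVC 5 with ASP.NET Identity: users with no role cannot reach the pages at all, Viewers can open them but perform no action, Editors and Approvers get a subset of actions, and Admins get everything. The role names, the `Document` model, the `DocumentsController` and the in-memory store are assumptions made for illustration; in a real app the roles live in AspNetRoles/AspNetUserRoles and the data in your own tables.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

namespace WebApp.Controllers
{
    // Assumed role names for this example. Each must exist as a row in
    // AspNetRoles and be granted to users through AspNetUserRoles.
    public static class AppRoles
    {
        public const string Viewer   = "Viewer";    // may open the pages, no controls
        public const string Editor   = "Editor";    // may add and update
        public const string Approver = "Approver";  // may approve
        public const string Admin    = "Admin";     // may do everything, including delete

        // Role lists are constant expressions, so they can be used in attributes.
        public const string AnyRole    = Viewer + "," + Editor + "," + Approver + "," + Admin;
        public const string CanEdit    = Editor + "," + Admin;
        public const string CanApprove = Approver + "," + Admin;
        public const string CanDelete  = Admin;
    }

    // Assumed model; stands in for whatever entity the pages manage.
    public class Document
    {
        public int Id { get; set; }
        public string Title { get; set; }
        public bool Approved { get; set; }
    }

    // Controller-level [Authorize]: anonymous users, and authenticated users
    // holding none of these roles, are rejected for every action here. Users
    // who must not see these pages at all simply hold no role from AnyRole.
    [Authorize(Roles = AppRoles.AnyRole)]
    public class DocumentsController : Controller
    {
        // Constructed in-memory store so the example runs without a database.
        private static readonly List<Document> Store = new List<Document>
        {
            new Document { Id = 1, Title = "Q3 budget" },
            new Document { Id = 2, Title = "Vendor contract", Approved = true }
        };

        // Read-only page: anyone who passed the controller-level check may view.
        public ActionResult Index()
        {
            return View(Store.ToList());
        }

        // Action-level [Authorize] narrows further: both the controller filter and
        // the action filter must pass, so a plain Viewer is rejected here.
        [Authorize(Roles = AppRoles.CanEdit)]
        public ActionResult Create()
        {
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]              // state change: require the CSRF token
        [Authorize(Roles = AppRoles.CanEdit)]   // enforce on the POST too, not only on the GET
        public ActionResult Create(Document model)
        {
            if (!ModelState.IsValid) return View(model);
            model.Id = Store.Count == 0 ? 1 : Store.Max(d => d.Id) + 1;
            model.Approved = false;             // a new document is never pre-approved by its author
            Store.Add(model);
            return RedirectToAction("Index");
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        [Authorize(Roles = AppRoles.CanApprove)]
        public ActionResult Approve(int id)
        {
            var doc = Store.FirstOrDefault(d => d.Id == id);
            if (doc == null) return HttpNotFound();
            doc.Approved = true;
            return RedirectToAction("Index");
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        [Authorize(Roles = AppRoles.CanDelete)]
        public ActionResult Delete(int id)
        {
            Store.RemoveAll(d => d.Id == id);
            return RedirectToAction("Index");
        }
    }
}
```

In the Razor view you can wrap the Create/Approve/Delete buttons in `@if (User.IsInRole("Editor") || User.IsInRole("Admin")) { ... }` so that Viewers see no controls, but treat that purely as a usability nicety: anyone can POST to `/Documents/Delete/1` without ever seeing the button, so the `[Authorize]` attributes on the action methods are the actual enforcement, and `[ValidateAntiForgeryToken]` on every state-changing POST is what stops a cross-site request from riding on a logged-in user's cookie. Note that a failed role check produces a 401, which the OWIN cookie middleware turns into a redirect to the login page even for an already-authenticated user; override `AuthorizeAttribute.HandleUnauthorizedRequest` if you prefer to return 403 in that case.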