
Authorize with Roles in onion Architecture


Hello everyone,

I have a project where I am using ASP.NET Identity 2.0. In this project I am following the Onion architecture. The layers are:

1. UI: no reference to OWIN or ASP.NET Identity.

2. AuthenticationService: contains a wrapper for the ASP.NET Identity UserManager. This wrapper implements an interface that lives in the Bal layer. This layer also contains my custom UserStore.

3. Dal: DbContext lives here.

4. Bal: contains domain entities and interfaces. No reference to OWIN or ASP.NET Identity or anything else.

5. DependencyResolver: the OWIN Startup is here, plus some Ninject modules and the NinjectWebCommon. So I am using Ninject.

Until now everything is fine. Users are happy creating accounts, and they can login/logout/manage any time they want. The problem I am facing now is with Authorize(Role="rolename"). It just doesn't work.

[Authorize(Users="pedro")]
[Authorize]

Both of these work.

[Authorize(Roles="Admin")]

This one does not.

In my database I have users who belong to the role Admin. I am not sure why this doesn't work. Maybe it is because I moved all the authentication stuff to another layer, so IPrincipal.IsInRole(string role) can't figure out how to check this anymore.

I am working on creating a custom Authorize attribute or some extensions, but I decided to seek your advice first.

Thank you for your time


Solution

  • Well, here I am answering my own question.

    Indeed the problem was because of the method User.IsInRole (or IPrincipal.IsInRole, because User is an IPrincipal). Inspecting the code of AuthorizeAttribute using Reflector shows that this attribute uses the IsInRole method to check whether the authenticated user is in role X or Xs. But here comes another question: why can't it do that? I mean, why can't it find out whether a user belongs to a specific role or not?

    The problem comes from the cookie generated for the user. Because roles are associated with the cookie, they need to be there so IsInRole can find them, and this is where I made my mistake. I moved the authentication and authorization somewhere else, but I didn't provide a way to embed the role information inside the cookie, so IsInRole (from User or from Roles) couldn't find it in order for the Authorize attribute to do its job as I wanted it to. So the good news is that I only needed to insert the roles inside the cookie somehow.

    The better news is: ASP.NET Identity, which I am using now, supports claims, and in 4.5 GenericPrincipal derives from ClaimsPrincipal, which in turn derives from IPrincipal, so I can work with claims rather than old-fashioned roles (which we can still use if we want to).

    Well, if someone comes across the same issue, I recommend the following:

    1. The Authorize attribute needs the cookie to contain all the information you are trying to rely on (roles, user names).

    2. Use Thinktecture NuGet rather than the Authorize or ClaimsPrincipalPermission attributes, which gives you the pros of both of them.

    3. Learn about claims. You will never regret it.
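
The behaviour described in the answer, as an added example that is not part of the original post: a principal whose identity carries no role claims passes a plain `[Authorize]` but fails `[Authorize(Roles="Admin")]`, and passes once a role claim is present. `BuildIdentity` and `PassesRoleCheck` are hypothetical helpers, the role check is a simplified rendering of what the attribute does, and the sample user and role are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

public static class RoleClaimsDemo
{
    // Hypothetical helper: the identity the authentication layer would hand
    // to the cookie middleware at sign-in. Its claims are what the cookie carries.
    public static ClaimsIdentity BuildIdentity(string userName, IEnumerable<string> roles)
    {
        var identity = new ClaimsIdentity("ApplicationCookie", ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role)); // one claim per role
        return identity;
    }

    // Simplified rendering of the role test behind [Authorize(Roles = "A,B")]:
    // authenticated, and in at least one listed role when any are listed.
    public static bool PassesRoleCheck(IPrincipal user, string roles)
    {
        var wanted = roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
        return user.Identity.IsAuthenticated && (wanted.Length == 0 || wanted.Any(user.IsInRole));
    }

    public static void Main()
    {
        // Constructed sample data: user name from the question; the role list
        // stands in for what the custom UserStore would return.
        var noRoleClaims = new ClaimsPrincipal(BuildIdentity("pedro", new string[0]));
        var roleClaims = new ClaimsPrincipal(BuildIdentity("pedro", new[] { "Admin" }));

        Console.WriteLine("[Authorize], no role claims:              " + PassesRoleCheck(noRoleClaims, ""));
        Console.WriteLine("[Authorize(Roles=Admin)], no role claims: " + PassesRoleCheck(noRoleClaims, "Admin"));
        Console.WriteLine("[Authorize(Roles=Admin)], role claims:    " + PassesRoleCheck(roleClaims, "Admin"));
    }
}
```

In ASP.NET Identity 2.0, `UserManager.CreateIdentityAsync` adds the role claims itself only when the user store implements `IUserRoleStore`. Role claims stay fixed in the cookie until it is reissued, so removing a user from a role does not take effect for sessions already signed in until then.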