c# asp.net asp.net-mvc asp.net-mvc-4 asp.net-identity

MVC Windows authentication + roles management via the AspNetUserRoles table


I'm using ASP.NET MVC 5 in Visual Studio 2015 with Windows authentication. Currently, the user connects to the app seamlessly -- no logon screen, by having the following in the Web.config file:

<system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
</system.web>

Then Global.asax.cs has this for authorization:

protected void Application_Start()
{
    AreaRegistration.RegisterAllAreas();
    GlobalConfiguration.Configure(WebApiConfig.Register);
    FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    RouteConfig.RegisterRoutes(RouteTable.Routes);
    BundleConfig.RegisterBundles(BundleTable.Bundles);

    GlobalFilters.Filters.Add(new System.Web.Mvc.AuthorizeAttribute() 
        { Roles = "Some-AD-Group, Another-AD-Group" });
}

The above filter limits those who are allowed into the app to AD groups. I'd like to use the built-in [AspNet*] tables on SQL Server to manage authorization and match a user to roles.

This example lets me create a custom authorization, but then how do I fetch the user's roles from the [AspNetUserRoles] table and where do I store that for the duration of the user's session?

Here's another example that works with roles, but not sure where it gets them. There's a lot of good information in this article as well, but nothing about tying it to Windows authentication.

Thanks for your help.

Update: The filter will be replaced with the AspNetUserRoles; that's currently just a bandage to keep folks out until we figure this piece out.


Solution

  • You'll need to write a custom Auth provider for this.

    One approach might be to do something like this:

    https://www.codeproject.com/Articles/5353/Custom-Authentication-provider-by-implementing-IHt

    Or you might be able to take the existing WindowsAuthenticationProvider class in the framework and inherit it to "override" the role based methods.

    This might be useful if you want a deeper dive with a few more options ...

    https://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way

    But for the official docs, you may want to start here ...

    https://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
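
One way to tie the Windows identity to the [AspNetUserRoles] table, as an added example that is not part of the original question or answer: after Windows authentication runs, look up the account's roles and replace the request principal so that `[Authorize(Roles = ...)]` checks the database roles. Assumptions: a connection string named `DefaultConnection`, the default ASP.NET Identity schema, `AspNetUsers.UserName` holding the Windows account name (`DOMAIN\user`), and a 5-minute role cache.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Runtime.Caching;   // needs a reference to System.Runtime.Caching
using System.Security.Principal;
using System.Threading;
using System.Web;

// Add these members to the existing MvcApplication class in Global.asax.cs.
public class MvcApplication : HttpApplication
{
    // Assumed lifetime: a revoked role stops working within this window.
    private static readonly TimeSpan RoleCacheLifetime = TimeSpan.FromMinutes(5);
    private const string RoleQuery =
        @"SELECT r.Name FROM AspNetUserRoles ur
          JOIN AspNetRoles r ON r.Id = ur.RoleId
          JOIN AspNetUsers u ON u.Id = ur.UserId
          WHERE u.UserName = @userName";

    // Runs after Windows authentication has populated Context.User.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated) return; // left to <deny users="?">
        string cacheKey = "roles:" + identity.Name.ToUpperInvariant();
        var roles = MemoryCache.Default.Get(cacheKey) as string[];
        if (roles == null)
        {
            roles = LoadRoles(identity.Name);
            MemoryCache.Default.Set(cacheKey, roles, DateTimeOffset.UtcNow.Add(RoleCacheLifetime));
        }
        // The identity stays the Windows one; only the role source changes.
        var principal = new GenericPrincipal(identity, roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }

    private static string[] LoadRoles(string windowsAccountName)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(RoleQuery, conn))
        {
            // Parameterized: the account name is never concatenated into the SQL text.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = windowsAccountName;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) roles.Add(reader.GetString(0));
        }
        return roles.ToArray(); // unknown user => empty array => every role check fails
    }
}
```

Role names in `[Authorize(Roles = ...)]` then refer to `AspNetRoles.Name` values, and an account with no matching row in `AspNetUsers` is authenticated but holds no roles.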