
Finding an authorization framework to use on an ASP.NET MVC project


I have an ASP.NET MVC project, and persistence is handled by repositories. Forms authentication is used. Now I need to implement authorization. For example, I need to ensure a manager user can only open his/her tasks and assign workers to the tasks. A worker will only see tasks that have been assigned to him/her. A super-moderator can edit everything. Is there any ready-to-use framework that allows me to define permissions?

I am in the process of evaluating Ayende's Rhino Security. Where can I get more example code? What is your opinion on Rhino Security?
My project uses Linq to SQL and has not made use of NHibernate. Can Rhino Security work without NHibernate?


Solution

  • I am afraid Rhino Security depends on NHibernate to work.
    I have been evaluating Rhino Security for a couple of months and, in the end, I've decided to use it because it's a really, really good product.
    You can find good and useful information on Ayende's blog or here. I have struggled a bit to integrate it with StructureMap (instead of Castle Windsor). You can find some info here.
    To do what you're trying to achieve, you have to define a class which implements the IEntityInformationExtractor interface.

    First of all, you have to add references to the following (I've recompiled Rhino Security with NH 3.0):

    • Microsoft.Practices.ServiceLocation
    • NHibernate
    • NHibernate.ByteCode.Castle
    • StructureMap
    • Rhino.Security
    • StructureMapAdapter

    Then you define a bootstrapper:

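    using Microsoft.Practices.ServiceLocation;
    using StructureMap;
    // StructureMapServiceLocator comes from the StructureMapAdapter assembly.

    public static class Bootstrapper
    {
        public static void Initialize()
        {
            // Configure the container in code only; ignore any StructureMap config file.
            ObjectFactory.Initialize(cfg =>
            {
                cfg.UseDefaultStructureMapConfigFile = false;
                cfg.IgnoreStructureMapConfig = true;
                cfg.AddRegistry<StructureMapRegistry>();
            });
            // Rhino Security resolves its services through the common ServiceLocator.
            ServiceLocator.SetLocatorProvider(() => new StructureMapServiceLocator(ObjectFactory.Container));
        }
    }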
    

    Then you define the StructureMap registry class:

    using NHibernate;
    using Rhino.Security.Interfaces;
    using Rhino.Security.Services;
    using StructureMap.Configuration.DSL;

    public class StructureMapRegistry : Registry
    {
        public StructureMapRegistry()
        {
            string ConnDb = "Data Source=(local); Initial Catalog=RhinoSecurity_Test; Trusted_Connection=true;";

            // One session factory for the application.
            For<ISessionFactory>()
                .Singleton()
                .TheDefault.Is.ConstructedBy(() => new NHSessionFactory(ConnDb, false).SessionFactory);
            // One ISession, opened from the factory and shared by the container (singleton).
            For<ISession>()
                .Singleton()
                .TheDefault.Is.ConstructedBy(x => x.GetInstance<ISessionFactory>().OpenSession());
            // Rhino Security repository and services.
            For<IAuthorizationRepository>()
                .Use<AuthorizationRepository>();
            For<IPermissionsService>()
                .Use<PermissionsService>();
            For<IAuthorizationService>()
                .Use<AuthorizationService>();
            For<IPermissionsBuilderService>()
                .Use<PermissionsBuilderService>();
            // Extractor that lets permissions be defined on the Task entity.
            For<IEntityInformationExtractor<Model.Task>>()
                .Use(p => new TaskInfromationExtractor(p.GetInstance<ISession>()));
        }
    }
    

    NHSessionFactory basically creates an NH session factory.

    I've created a class (TaskInfromationExtractor) which implements IEntityInformationExtractor. This will allow you to define permissions for the task entity. Now your app is ready. You just have to "bootstrap" StructureMap:

    • Bootstrapper.Initialize();

    You would do this when your app starts up. Now you can use the Rhino Security repository and services to create users, groups, relations, etc., as the links I've given you suggest. You can find a sample I've prepared here
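
The answer above registers a TaskInfromationExtractor but does not show it. The following is an added example, not code from the answer or from the Rhino Security project: one possible extractor plus a per-task permission grant and check. It assumes Model.Task has a mapped Guid SecurityKey and a string Name, that the user class implements Rhino Security's IUser, and the operation name "/Task/Edit" and the TaskPermissions helper are hypothetical.

```csharp
using System;
using NHibernate;
using NHibernate.Criterion;
using Rhino.Security;
using Rhino.Security.Interfaces;

// Tells Rhino Security how to identify a Task when a permission targets one.
// Assumption: Model.Task exposes a mapped Guid SecurityKey and a string Name.
public class TaskInfromationExtractor : IEntityInformationExtractor<Model.Task>
{
    private readonly ISession session;

    public TaskInfromationExtractor(ISession session) { this.session = session; }

    // Key that Rhino Security stores alongside permissions on this entity.
    public Guid GetSecurityKeyFor(Model.Task entity) { return entity.SecurityKey; }

    // Human-readable label used when describing why access was allowed or denied.
    public string GetDescription(Guid securityKey)
    {
        var task = session.CreateCriteria<Model.Task>()
            .Add(Restrictions.Eq("SecurityKey", securityKey))
            .UniqueResult<Model.Task>();
        return task == null ? "Task: (not found)" : "Task: " + task.Name;
    }

    // Name of the mapped property that holds the key (used when filtering queries).
    public string SecurityKeyPropertyName { get { return "SecurityKey"; } }
}

// Hypothetical helper: grant and check edit rights on a single task.
public static class TaskPermissions
{
    private const string EditTask = "/Task/Edit";
    // Call when a manager creates a task or a worker is assigned; flush the session afterwards.
    public static void AllowEdit(IAuthorizationRepository repository,
        IPermissionsBuilderService builder, IUser user, Model.Task task)
    {
        if (repository.GetOperationByName(EditTask) == null)
            repository.CreateOperation(EditTask);
        builder.Allow(EditTask).For(user).On(task).DefaultLevel().Save();
    }

    // Returns false when no matching permission exists, so unassigned users are denied.
    public static bool CanEdit(IAuthorizationService authorization, IUser user, Model.Task task)
    {
        return authorization.IsAllowed(user, task, EditTask);
    }
}
```

Call CanEdit in the controller action (or an authorization filter) before loading the edit view, so the check runs on the server for every request rather than only when links are rendered.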