CLK.AspNet.Identity
CLK.AspNet.Identity is an authentication and authorization module built as an extension of ASP.NET Identity. It provides role-based access control (RBAC) and splits system authorization into users, roles, and permissions. Developers can define which roles a user belongs to, which permissions each role has, and which features each permission allows. Once a user has been authenticated, they can use the system's features according to their roles' permissions.
Open Source Address: https://github.com/Clark159/CLK.AspNet.Identity
Problem scenarios
Once a developer has applied CLK.AspNet.Identity to a system, the system can restrict which features a user may use according to the user's permissions. When a user browses to a page for which they lack the permission, they receive an HTTP 403 status code, which tells them they are not allowed to enter the page.
From a user-experience point of view, though, clicking a menu item and getting back an access-denied page is a frustrating flow, and users quickly lose patience with it. To provide a better experience, the system should build the menu from the user's permissions and show only the items the user is allowed to open, which reduces the chance of a wrong click.
Solution
In a system that uses CLK.AspNet.Identity, the HasPermission extension method lets you display menu items according to permissions. Use it as follows.
Add a new ProductController and its Product views to the system, then add the action methods and the corresponding permissions, ProductAddAccess and ProductRemoveAccess, as in the following example:
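using System.Web.Mvc;

// RBACAuthorize is provided by CLK.AspNet.Identity.
public class ProductController : Controller
{
    // Only users whose roles hold ProductAddAccess may open this page.
    [RBACAuthorize(Permission = "ProductAddAccess")]
    public ActionResult Add()
    {
        ViewBag.Message = "Your product add page.";
        return View();
    }

    // Only users whose roles hold ProductRemoveAccess may open this page.
    [RBACAuthorize(Permission = "ProductRemoveAccess")]
    public ActionResult Remove()
    {
        ViewBag.Message = "Your product remove page.";
        return View();
    }
}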
Edit Views\Shared\_Layout.cshtml and use the HasPermission extension method to display each menu item according to the user's permissions, as shown in the following example.
<div class="col-md-12" style="background-color: #222">
    <div class="container">
        @* Render each link only when the signed-in user holds the matching permission *@
        @if (User.HasPermission("ProductAddAccess"))
        {
            @Html.ActionLink("Product Add", "Add", "Product", null, new { @class = "btn btn-primary" })
        }
        @if (User.HasPermission("ProductRemoveAccess"))
        {
            @Html.ActionLink("Product Remove", "Remove", "Product", null, new { @class = "btn btn-primary" })
        }
    </div>
</div>
With the code in place, you still need to sign in to the system and configure the permissions. In the example below, the demo uses the Permission Admin page to grant the permission to the Admin group.
After signing in with the preset admin account (ID: admin@example.com, PW: admin), you can see the Product Add menu item in the system menu, because admin@example.com belongs to the Admin group and the Admin group has the ProductAddAccess permission.
After signing in with the preset guest account instead (ID: guest@example.com, PW: guest), the Product Add menu item is not visible in the system menu, because guest@example.com belongs to the Guest group and the Guest group does not have the ProductAddAccess permission.
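Hiding a link only changes what the menu shows; the HTTP 403 still has to come from the attribute on the action. As an added example (not code from the CLK.AspNet.Identity project), the sketch below uses reflection to list controller actions that carry no permission attribute. The Controller and RBACAuthorizeAttribute classes are stand-ins declared locally so that it compiles on its own, and the Export action is a constructed mistake.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Stand-ins so the sketch compiles alone; in an MVC project these are
// System.Web.Mvc.Controller and the attribute from CLK.AspNet.Identity.
public abstract class Controller { }

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class RBACAuthorizeAttribute : Attribute
{
    public string Permission { get; set; }
}

public class ProductController : Controller
{
    [RBACAuthorize(Permission = "ProductAddAccess")]
    public string Add() { return "add"; }

    [RBACAuthorize(Permission = "ProductRemoveAccess")]
    public string Remove() { return "remove"; }

    // Constructed mistake: no menu link is rendered, but the action is unguarded.
    public string Export() { return "export"; }
}

public static class PermissionAudit
{
    // Lists "Controller.Action" for public actions with no attribute on method or class.
    public static string[] FindUnguardedActions(Assembly assembly)
    {
        const BindingFlags actions =
            BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly;
        return assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t))
            .Where(t => t.GetCustomAttribute<RBACAuthorizeAttribute>() == null)
            .SelectMany(t => t.GetMethods(actions))
            .Where(m => !m.IsSpecialName
                     && m.GetCustomAttribute<RBACAuthorizeAttribute>() == null)
            .Select(m => m.DeclaringType.Name + "." + m.Name)
            .ToArray();
    }

    public static void Main()
    {
        foreach (string action in FindUnguardedActions(typeof(PermissionAudit).Assembly))
            Console.WriteLine("No RBACAuthorize on " + action);
    }
}
```

Run as a build step or unit test, a non-empty result points at pages that any signed-in user can reach by typing the URL, whatever the menu shows.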
Use CLK.AspNet.Identity to provide role-based access control (RBAC)
Objective
ASP.NET Identity is an open-source project contributed by Microsoft that provides authentication and authorization mechanisms for ASP.NET. Within ASP.NET Identity, claims-based authentication provides the authentication mechanism, and role-based authorization provides the authorization mechanism. Once a developer has applied ASP.NET Identity to a system, they can define which roles a user belongs to and which features a role can use, as in the following example; after authenticating, users can use the system's features according to their role authorization.
The ASP.NET Identity authorization mechanism lets you change the roles a user belongs to while the system is running, but not the features a role can use. That is because a user's roles are stored in the database, where they can be changed dynamically, whereas the set of features a role can use is defined in program code and cannot be changed dynamically. This mechanism already meets most development requirements, but projects that need to change at run time which features a role can use have no way to take advantage of ASP.NET Identity's rich authentication and authorization mechanism.
Domain model
Which features a role can use
public class HomeController : Controller
{
    // The role allowed to use each feature is fixed in the code.
    [Authorize(Roles = "Admin")]
    public ActionResult About() { ... }

    [Authorize(Roles = "Guest")]
    public ActionResult Contact() { ... }
}
Which role does the user belong to
This article introduces an authentication and authorization module designed and developed on top of ASP.NET Identity: CLK.AspNet.Identity. The module provides role-based access control (RBAC) and splits system authorization into users, roles, and permissions. Once a developer has applied CLK.AspNet.Identity to a system, they can define which roles a user belongs to, which permissions a role has, and which features a permission can use, as in the following example; after authenticating, users can use the system's features according to their role permissions.
The CLK.AspNet.Identity authorization mechanism continues to use the claims-based authentication mechanism inherited from ASP.NET Identity and, in addition, lets you change the authorization settings stored in the database while the system is running: the roles a user belongs to and the permissions a role has. This makes the system's authorization settings more flexible, so they can meet more user needs.
Domain model
Which features a permission can use
public class HomeController : Controller
{
    // Only the permission name is fixed in the code; which roles hold it is data.
    [RBACAuthorize(Permission = "AboutAccess")]
    public ActionResult About() { ... }

    [RBACAuthorize(Permission = "ContactAccess")]
    public ActionResult Contact() { ... }
}
Which role does the permission belong to
Which role does the user belong to
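The difference between the two domain models, as an added example rather than the module's own code: RbacStore, IsInRole and the sample data are hypothetical in-memory stand-ins for the database tables. It shows a permission granted to the Guest role at run time taking effect on the next check, without the user having to join the Admin role.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Map = System.Collections.Generic.Dictionary<string, System.Collections.Generic.HashSet<string>>;

// In-memory stand-in for the relations the module keeps in its database.
public class RbacStore
{
    private static readonly HashSet<string> None = new HashSet<string>();
    private readonly Map userRoles = new Map();
    private readonly Map rolePermissions = new Map();

    private static HashSet<string> Get(Map map, string key) =>
        map.TryGetValue(key, out var set) ? set : None;

    private static void Link(Map map, string key, string value)
    {
        if (!map.ContainsKey(key)) map[key] = new HashSet<string>();
        map[key].Add(value);
    }

    public void AddUserToRole(string user, string role) => Link(userRoles, user, role);
    public void Grant(string role, string permission) => Link(rolePermissions, role, permission);

    // What [Authorize(Roles = "...")] asks: the role name is fixed in the code.
    public bool IsInRole(string user, string role) => Get(userRoles, user).Contains(role);

    // What a permission check asks: both hops are data, read again on every call.
    public bool HasPermission(string user, string permission) =>
        Get(userRoles, user).Any(r => Get(rolePermissions, r).Contains(permission));
}

public static class Demo
{
    public static void Main()
    {
        const string guest = "guest@example.com";
        var store = new RbacStore();
        store.AddUserToRole(guest, "Guest");
        store.Grant("Admin", "AboutAccess");
        store.Grant("Admin", "ContactAccess");

        Console.WriteLine("before: About=" + store.HasPermission(guest, "AboutAccess"));
        store.Grant("Guest", "AboutAccess");   // an administrator edits the role
        Console.WriteLine("after: About=" + store.HasPermission(guest, "AboutAccess")
            + ", Contact=" + store.HasPermission(guest, "ContactAccess")
            + ", Admin role=" + store.IsInRole(guest, "Admin"));
    }
}
```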
Installation
First, open Visual Studio and create a "completely blank" ASP.NET Web application.
Then open the NuGet management tool, and search for and install "CLK.AspNet.Identity.MVC template".
Installation takes some time. When it completes, you can see that the necessary files have been added to the project.
After installing CLK.AspNet.Identity, press the Visual Studio Run button to see the preset home page in your browser.
Change the permissions of a role
Sign in with the preset visitor account (ID: guest@example.com, PW: guest) and click the page menu button About. Because guest@example.com belongs to the Guest group and the Guest group does not have the AboutAccess permission, you will receive a 403 access-denied page.
Sign in with the preset admin account (ID: admin@example.com, PW: admin), click the page menu button PermissionsAdmin to open the permission management page, and edit the AboutAccess permission so that the Guest group has it.
Sign in again with the preset visitor account (ID: guest@example.com, PW: guest) and click the page menu button About. Because the Guest group now has the AboutAccess permission, you can browse the About page.
Changing the role of a user
Sign in with the preset visitor account (ID: guest@example.com, PW: guest) and click the page menu button Contact. Because guest@example.com belongs to the Guest group and the Guest group does not have the ContactAccess permission, you will receive a 403 access-denied page.
Sign in with the preset admin account (ID: admin@example.com, PW: admin), click the page menu button UsersAdmin to open the user management page, and edit the guest@example.com user so that it joins the Admin group.
Sign in again with the preset visitor account (ID: guest@example.com, PW: guest) and click the page menu button Contact. Because guest@example.com now belongs to the Admin group and the Admin group has the ContactAccess permission, you can browse the Contact page.
Adding a new system permission
Go back to Visual Studio to add a new feature. First add a new "News" action to the HomeController, set the NewsAccess permission as the one required to use it, and add the corresponding changes to the Views.
public class HomeController : Controller
{
    // New feature guarded by a permission that does not exist in the system yet.
    [RBACAuthorize(Permission = "NewsAccess")]
    public ActionResult News()
    {
        ViewBag.Message = "Your News page.";
        return View();
    }
}
Press Visual Studio's Run button to see the preset home page in the browser; the content now includes an extra menu button called News.
Sign in with the preset visitor account (ID: guest@example.com, PW: guest) and click the page menu button News. Because the NewsAccess permission has not been set up in the system, you will receive a "permissionname not found." error message page.
Sign in with the preset admin account (ID: admin@example.com, PW: admin), click the page menu button PermissionsAdmin to open the permission management page, add the NewsAccess permission, and let the Guest group have it.
Sign in again with the preset visitor account (ID: guest@example.com, PW: guest) and click the page menu button News. Because the Guest group now has the NewsAccess permission, you can browse the News page.