Role-based authorization
When an identity is created it may belong to one or more roles. For example, Tracy may belong to the Administrator and User roles whilst Scott may only belong to the User role. How these roles are created and managed depends on the backing store of the authorization process. Roles are exposed to the developer through the IsInRole method on the ClaimsPrincipal class.
Adding role checks
Role-based authorization checks are declarative: the developer embeds them within their code, against a controller or an action within a controller, specifying the roles of which the current user must be a member to access the requested resource.
For example, the following code limits access to all actions on the AdministrationController to users who are members of the Administrator role.
    [Authorize(Roles = "Administrator")]
    public class AdministrationController : Controller
    {
    }
You can specify multiple roles as a comma-separated list:
    [Authorize(Roles = "HRManager,Finance")]
    public class SalaryController : Controller
    {
    }
This controller is accessible only to users who are members of the HRManager role or the Finance role.
If you apply multiple attributes then an accessing user must be a member of all the roles specified. The following sample requires that a user must be a member of both the PowerUser and ControlPanelUser roles.
    [Authorize(Roles = "PowerUser")]
    [Authorize(Roles = "ControlPanelUser")]
    public class ControlPanelController : Controller
    {
    }
You can further limit access by applying additional role authorization attributes at the action level:
    [Authorize(Roles = "Administrator, PowerUser")]
    public class ControlPanelController : Controller
    {
        public ActionResult SetTime()
        {
        }

        [Authorize(Roles = "Administrator")]
        public ActionResult ShutDown()
        {
        }
    }
In the previous code snippet, members of the Administrator role or the PowerUser role can access the controller and the SetTime action, but only members of the Administrator role can access the ShutDown action.
You can also lock down a controller but allow anonymous, unauthenticated access to individual actions.
    [Authorize]
    public class ControlPanelController : Controller
    {
        public ActionResult SetTime()
        {
        }

        [AllowAnonymous]
        public ActionResult Login()
        {
        }
    }
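The rules above (any role in one comma-separated list, all of several stacked attributes, no access for an unauthenticated user unless the action is marked AllowAnonymous) can be modelled outside a web host. The following console program is an added example, not code from the original article or from ASP.NET Core itself; it uses only System.Security.Claims, the IsInRole method mentioned earlier, and constructed sample users (Tracy and Scott from the text, plus a few hypothetical others) to show which of the controllers and actions above each user could reach:

```csharp
// Added example (not from the original article): models how [Authorize(Roles = "...")]
// attributes are evaluated against a user's role claims. The sample users and
// role sets below are constructed for illustration.
using System;
using System.Linq;
using System.Security.Claims;

static class RoleCheckDemo
{
    // Build a signed-in principal carrying the given roles as role claims.
    // Passing an authenticationType makes Identity.IsAuthenticated return true.
    static ClaimsPrincipal UserWithRoles(string name, params string[] roles)
    {
        var identity = new ClaimsIdentity(authenticationType: "Demo");
        identity.AddClaim(new Claim(ClaimTypes.Name, name));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    // One [Authorize(Roles = "A,B")] attribute: the user needs ANY of the listed roles.
    // Entries are trimmed so "Administrator, PowerUser" works as in the article.
    static bool SatisfiesAttribute(ClaimsPrincipal user, string rolesList) =>
        rolesList.Split(',')
                 .Select(r => r.Trim())
                 .Where(r => r.Length > 0)
                 .Any(user.IsInRole);

    // Several attributes on a controller and/or action: the user needs ALL of them,
    // and must be authenticated at all unless the action is [AllowAnonymous].
    static bool IsAllowed(ClaimsPrincipal user, bool allowAnonymous, params string[] attributes)
    {
        if (allowAnonymous) return true;
        if (user.Identity == null || !user.Identity.IsAuthenticated) return false;
        return attributes.All(a => SatisfiesAttribute(user, a));
    }

    static void Report(string label, bool allowed) =>
        Console.WriteLine($"{label}: {(allowed ? "allowed" : "denied")}");

    static void Main()
    {
        var tracy = UserWithRoles("Tracy", "Administrator", "User");
        var scott = UserWithRoles("Scott", "User");
        var finance = UserWithRoles("Pat", "Finance");                          // constructed
        var powerOnly = UserWithRoles("Sam", "PowerUser");                      // constructed
        var powerAndPanel = UserWithRoles("Kim", "PowerUser", "ControlPanelUser"); // constructed
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());              // not authenticated

        // AdministrationController: [Authorize(Roles = "Administrator")]
        Report("Tracy -> AdministrationController", IsAllowed(tracy, false, "Administrator"));
        Report("Scott -> AdministrationController", IsAllowed(scott, false, "Administrator"));

        // SalaryController: one attribute listing "HRManager,Finance" (any one suffices)
        Report("Pat -> SalaryController", IsAllowed(finance, false, "HRManager,Finance"));

        // ControlPanelController with two stacked attributes (both required)
        Report("Sam -> stacked PowerUser + ControlPanelUser",
               IsAllowed(powerOnly, false, "PowerUser", "ControlPanelUser"));
        Report("Kim -> stacked PowerUser + ControlPanelUser",
               IsAllowed(powerAndPanel, false, "PowerUser", "ControlPanelUser"));

        // ShutDown: controller-level "Administrator, PowerUser" plus action-level "Administrator"
        Report("Sam -> ShutDown", IsAllowed(powerOnly, false, "Administrator, PowerUser", "Administrator"));
        Report("Tracy -> ShutDown", IsAllowed(tracy, false, "Administrator, PowerUser", "Administrator"));

        // Locked controller: SetTime needs authentication, Login is [AllowAnonymous]
        Report("anonymous -> SetTime", IsAllowed(anonymous, false, "Administrator"));
        Report("anonymous -> Login", IsAllowed(anonymous, true));
    }
}
```

The model deliberately mirrors two details worth remembering when reviewing controllers: a role list inside a single attribute is an OR, while stacking attributes is an AND, so a user holding PowerUser alone never satisfies the stacked ControlPanelController, and an action-level attribute narrows the controller-level one rather than replacing it.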
Policy-based role checks
Role requirements can also be expressed using the new policy syntax, where a developer registers a policy at startup as part of the Authorization service configuration. This normally takes place in ConfigureServices() in your Startup.cs file.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
        });
    }
Policies are applied using the Policy property on the AuthorizeAttribute attribute:
    [Authorize(Policy = "RequireAdministratorRole")]
    public IActionResult Shutdown()
    {
        return View();
    }
If you want to specify multiple allowed roles in a requirement then you can specify them as parameters to the RequireRole method:
    options.AddPolicy("ElevatedRights", policy => policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));
This example authorizes users who belong to the Administrator, PowerUser or BackupAdministrator roles.
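Because the policies are registered on AuthorizationOptions rather than inside a controller, they can be exercised directly through IAuthorizationService without starting a web host, which is a convenient way to verify that a policy grants exactly the roles you intended before wiring it to an action. The following console program is an added example, not code from the original article or from ASP.NET Core; it registers the two policies shown above on a stand-alone ServiceCollection and evaluates them for constructed users. It assumes a project that references the Microsoft.AspNetCore.App shared framework (or the Microsoft.AspNetCore.Authorization and Microsoft.Extensions.Logging packages):

```csharp
// Added example (not from the original article): evaluates the RequireAdministratorRole
// and ElevatedRights policies outside a web host. Assumes the Microsoft.AspNetCore.Authorization
// and Microsoft.Extensions.Logging packages are available; users below are constructed.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

static class PolicyCheckDemo
{
    // Build an authenticated principal whose roles are carried as role claims,
    // which is what RequireRole checks through ClaimsPrincipal.IsInRole.
    static ClaimsPrincipal UserWithRoles(string name, params string[] roles)
    {
        var identity = new ClaimsIdentity(authenticationType: "Demo");
        identity.AddClaim(new Claim(ClaimTypes.Name, name));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    static async Task Main()
    {
        // Same policy registration the article performs in ConfigureServices, but on a
        // plain ServiceCollection. AddAuthorizationCore registers IAuthorizationService
        // and the policy provider; DefaultAuthorizationService also needs logging.
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddAuthorizationCore(options =>
        {
            options.AddPolicy("RequireAdministratorRole",
                policy => policy.RequireRole("Administrator"));
            options.AddPolicy("ElevatedRights",
                policy => policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));
        });

        var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        var tracy = UserWithRoles("Tracy", "Administrator", "User");
        var backup = UserWithRoles("Lee", "BackupAdministrator"); // constructed user
        var scott = UserWithRoles("Scott", "User");

        var cases = new[]
        {
            (user: tracy, policyName: "RequireAdministratorRole"),
            (user: backup, policyName: "RequireAdministratorRole"), // BackupAdministrator is not in this policy's role list
            (user: backup, policyName: "ElevatedRights"),           // any one of the three listed roles is enough
            (user: scott, policyName: "ElevatedRights"),
        };

        foreach (var (user, policyName) in cases)
        {
            AuthorizationResult result = await authz.AuthorizeAsync(user, resource: null, policyName);
            Console.WriteLine($"{user.Identity?.Name} / {policyName}: {(result.Succeeded ? "allowed" : "denied")}");
        }
    }
}
```

AuthorizeAsync with a policy name is the same call the [Authorize(Policy = "...")] attribute ultimately makes for a request, so a check that is denied here will also be denied on the action; the benefit of running it this way is that the role-to-policy mapping can be asserted in a unit test whenever a policy or a role name changes.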
Original: Security / Authorization / Role-based authorization