Skip to main content

Role-Based Authorization in ASP.NET MVC


Role-Based Authorization Explained

The most challenge aspect of any web application is implementing its security. In traditional web development with ASP.NET (from version 2.0 onwards), we have been using Membership and Role providers. These providers allows us to define Roles, Users and assign roles to users which helps us to manage Authorization. But with an increase in social networking and global authentication providers, we needed an upgraded membership system.
ASP.NET Identity is the new membership system for building ASP.NET web applications, phone, store, or hybrid applications using social identities for authentication and authorization. So we can now use Windows Live (e.g. Hotmail), Gmail, Facebook and Twitter for authentication before the user starts using our web application.
For internal application, we need to create users and roles for providing users access to creating items, products or managing other users. Necessary references are provided by MVC 5 applications for ASP.NET Identity. This allows to use external login using Live, etc. services and also allows us to create Roles and Users for internal application.

Implementing ASP.NET Identity

We are going to implement Role-Based Authorization using the application created in the previous article ASP.NETMVC Security System.

Open the above application in visual studio and make some changes to accommodate role-based authorization.

Double click on AcountViewModel from the models folder and add a property call Name or RoleName to RegisterViewModel to enable role implementation as shown below
public class RegisterViewModel
    {
        [Display(Name ="User Name")]
        [Required]
        public string Username { get; set; }

        [Required]
        [EmailAddress]
        [Display(Name = "Email")]
        public string Email { get; set; }

        [Display(Name ="Role Name")]
        public string RoleName { get; set; }

        [Required]
 [StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
        [DataType(DataType.Password)]
        [Display(Name = "Password")]
        public string Password { get; set; }

        [DataType(DataType.Password)]
        [Display(Name = "Confirm password")]
           [Compare("Password", ErrorMessage = "The password and                   confirmation password do not match.")]
        public string ConfirmPassword { get; set; }
    }
Right click on CsharpnaijaModel.edmx in the models folder to open CsharpnaijaModel.edmx design and update the edmx file to add the created tables for authentication and authorization as shown below

Now double click on AccountCntroller and navigate the Register GET action and add the code snippet below
 [AllowAnonymous]
        public ActionResult Register()
        {
            ViewBag.Name = new SelectList(_context.AspNetRoles.ToList(),"Id","Name");
            return View();
        }  

Then add this code await _userManager.AddToRoleAsync(user.Id, model.RoleName); before signIn user in the Register POST Action of AccountController as shown below

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Register(RegisterViewModel              model)
        {
            if (ModelState.IsValid)
            {
                var user = new ApplicationUser { UserName =                                model.Email, Email = model.Email };
                var result = await UserManager.CreateAsync(user,                           model.Password);
                if (result.Succeeded)
                {
                    //Adding user a role
                    await _userManager.AddToRoleAsync(user.Id,                 model.RoleName);

                    await SignInManager.SignInAsync(user,                                  isPersistent:false, rememberBrowser:false);

                    return RedirectToAction("Index", "Home");
                }
                AddErrors(result);
            }

            // If we got this far, something failed, redisplay form
            return View(model);
        }

Now double click on the Register View in the Account folder of View folder as shown below

Add the view code (html) snippet for users to select user role when registering in the application as shown below
<div class="form-group">
        @Html.LabelFor(m => m.RoleName, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.DropDownListFor(m => m.RoleName,(IEnumerable<SelectListItem>)ViewBag.Name, new { @class="form-control"})
        </div>
    </div>

Now the Register View will look like the image below in the browser

The whole Register View code snippet is shown below

@model Csharpnaija_Security.Models.RegisterViewModel
@{
    ViewBag.Title = "Register";
}

<h2>@ViewBag.Title.</h2>

@using (Html.BeginForm("Register", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
    @Html.AntiForgeryToken()
    <h4>Create a new account.</h4>
    <hr />
    @Html.ValidationSummary("", new { @class = "text-danger" })
    <div class="form-group">
        @Html.LabelFor(m => m.Email, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.TextBoxFor(m => m.Email, new { @class = "form-control" })
        </div>
    </div>
    <div class="form-group">
        @Html.LabelFor(m => m.Password, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.PasswordFor(m => m.Password, new { @class = "form-control" })
        </div>
    </div>
    <div class="form-group">
        @Html.LabelFor(m => m.ConfirmPassword, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.PasswordFor(m => m.ConfirmPassword, new { @class = "form-control" })
        </div>
    </div>

    <div class="form-group">
        @Html.LabelFor(m => m.RoleName, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.DropDownListFor(m => m.RoleName,(IEnumerable<SelectListItem>)ViewBag.Name, new { @class="form-control"})
        </div>
    </div>

    <div class="form-group">
        <div class="col-md-offset-2 col-md-10">
            <input type="submit" class="btn btn-default" value="Register" />
        </div>
    </div>
}

@section Scripts {
    @Scripts.Render("~/bundles/jqueryval")
}

Let us now implement Authorization on Employee Controller

Double click on Employee Controller from the Controllers folder as shown below

Add Roles=(“Admin”) to the attribute Authorize before the controller class as shown below

[Authorize(Roles ="Admin")]
    public class EmployeesController : Controller
    {}

This means only users with an Admin role can view or access this controller
Now run the application and try accessing the Employee menu without registering or admin role and you a see a login page telling you to login or register as shown below


Congrat, we have successfully implemented Role-based authentication and Authorization

Labels:
Location: Abuja, Nigeria

Comments

  1. SAFETOTOSITEPRO18March 12, 2022 at 7:19 AM

    So good indeed! Glad to have found your page!! This is such great work!! Interesting to read. 토토사이트

    ReplyDelete

Post a Comment

Popular posts from this blog

Collections in C#

Collections in C# In our previous article , we have learned about how we can use arrays in C#. Arrays in programming are used to group a set of related objects. So one could create an array or a set of Integers, which could be accessed via one variable name. What is Collections in C#? Collections are similar to Arrays, it provides a more flexible way of working with a group of objects. In arrays, you would have noticed that you need to define the number of elements in an array beforehand. This had to be done when the array was declared. But in a collection, you don't need to define the size of the collection beforehand. You can add elements or even remove elements from the collection at any point of time. This article will focus on how we can work with the different collections available in C#. There are three distinct collection types in C#: standard generic concurrent The standard collections are found under the System.Collections. They do not store elemen...
Post a Comment
Read more

The String.Join Method in C# Explained

The String.Join Method in C#   The string.Join concatenates the elements of a specified array or the members of a collection, using the specified separator between each element or member. Overloads of string.Join Method Description Join(Char, Object[]) Concatenates the string representations of an array of objects, using the specified separator between each member. Join(Char, String[]) Concatenates an array of strings, using the specified separator between each member. Join(String, IEnumerable<String>) Concatenates the members of a constructed IEnumerable<T> collection of type String, using the specified separator between each member. Join(String, Object[]) Concatenates the elements of an object array, using the specified separator between each element. Join(String, String[]) Concatenates all the elements of a string array, usi...
Post a Comment
Read more

System.IO Namesapce in C#

  System.IO Namesapce in C# A  file  is a collection of data stored in a disk with a specific name and a directory path. When a file is opened for reading or writing, it becomes a  stream . The stream is basically the sequence of bytes passing through the communication path. There are two main streams: the  input stream  and the  output stream . The  input stream  is used for reading data from file (read operation) and the  output stream  is used for writing into the file (write operation). From the above definition of file, the C# provides a namespace that enable us to manipulate file in C# called System.IO.   System.IO  is a  namespace  and it contains a standard IO (input/output) types such as classes , structures , enumerations , and  delegates  to perform a read/write operations on different sources like file, memory, network, etc.   System.IO Classes The table below shows differen...
Post a Comment
Read more