Skip to main content

Role-Based Authorization in ASP.NET MVC


Role-Based Authorization Explained

The most challenge aspect of any web application is implementing its security. In traditional web development with ASP.NET (from version 2.0 onwards), we have been using Membership and Role providers. These providers allows us to define Roles, Users and assign roles to users which helps us to manage Authorization. But with an increase in social networking and global authentication providers, we needed an upgraded membership system.
ASP.NET Identity is the new membership system for building ASP.NET web applications, phone, store, or hybrid applications using social identities for authentication and authorization. So we can now use Windows Live (e.g. Hotmail), Gmail, Facebook and Twitter for authentication before the user starts using our web application.
For internal application, we need to create users and roles for providing users access to creating items, products or managing other users. Necessary references are provided by MVC 5 applications for ASP.NET Identity. This allows to use external login using Live, etc. services and also allows us to create Roles and Users for internal application.

Implementing ASP.NET Identity

We are going to implement Role-Based Authorization using the application created in the previous article ASP.NETMVC Security System.

Open the above application in visual studio and make some changes to accommodate role-based authorization.

Double click on AcountViewModel from the models folder and add a property call Name or RoleName to RegisterViewModel to enable role implementation as shown below
public class RegisterViewModel
    {
        [Display(Name ="User Name")]
        [Required]
        public string Username { get; set; }

        [Required]
        [EmailAddress]
        [Display(Name = "Email")]
        public string Email { get; set; }

        [Display(Name ="Role Name")]
        public string RoleName { get; set; }

        [Required]
 [StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
        [DataType(DataType.Password)]
        [Display(Name = "Password")]
        public string Password { get; set; }

        [DataType(DataType.Password)]
        [Display(Name = "Confirm password")]
           [Compare("Password", ErrorMessage = "The password and                   confirmation password do not match.")]
        public string ConfirmPassword { get; set; }
    }
Right click on CsharpnaijaModel.edmx in the models folder to open CsharpnaijaModel.edmx design and update the edmx file to add the created tables for authentication and authorization as shown below

Now double click on AccountCntroller and navigate the Register GET action and add the code snippet below
 [AllowAnonymous]
        public ActionResult Register()
        {
            ViewBag.Name = new SelectList(_context.AspNetRoles.ToList(),"Id","Name");
            return View();
        }  

Then add this code await _userManager.AddToRoleAsync(user.Id, model.RoleName); before signIn user in the Register POST Action of AccountController as shown below

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Register(RegisterViewModel              model)
        {
            if (ModelState.IsValid)
            {
                var user = new ApplicationUser { UserName =                                model.Email, Email = model.Email };
                var result = await UserManager.CreateAsync(user,                           model.Password);
                if (result.Succeeded)
                {
                    //Adding user a role
                    await _userManager.AddToRoleAsync(user.Id,                 model.RoleName);

                    await SignInManager.SignInAsync(user,                                  isPersistent:false, rememberBrowser:false);

                    return RedirectToAction("Index", "Home");
                }
                AddErrors(result);
            }

            // If we got this far, something failed, redisplay form
            return View(model);
        }

Now double click on the Register View in the Account folder of View folder as shown below

Add the view code (html) snippet for users to select user role when registering in the application as shown below
<div class="form-group">
        @Html.LabelFor(m => m.RoleName, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.DropDownListFor(m => m.RoleName,(IEnumerable<SelectListItem>)ViewBag.Name, new { @class="form-control"})
        </div>
    </div>

Now the Register View will look like the image below in the browser

The whole Register View code snippet is shown below

@model Csharpnaija_Security.Models.RegisterViewModel
@{
    ViewBag.Title = "Register";
}

<h2>@ViewBag.Title.</h2>

@using (Html.BeginForm("Register", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
    @Html.AntiForgeryToken()
    <h4>Create a new account.</h4>
    <hr />
    @Html.ValidationSummary("", new { @class = "text-danger" })
    <div class="form-group">
        @Html.LabelFor(m => m.Email, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.TextBoxFor(m => m.Email, new { @class = "form-control" })
        </div>
    </div>
    <div class="form-group">
        @Html.LabelFor(m => m.Password, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.PasswordFor(m => m.Password, new { @class = "form-control" })
        </div>
    </div>
    <div class="form-group">
        @Html.LabelFor(m => m.ConfirmPassword, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.PasswordFor(m => m.ConfirmPassword, new { @class = "form-control" })
        </div>
    </div>

    <div class="form-group">
        @Html.LabelFor(m => m.RoleName, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.DropDownListFor(m => m.RoleName,(IEnumerable<SelectListItem>)ViewBag.Name, new { @class="form-control"})
        </div>
    </div>

    <div class="form-group">
        <div class="col-md-offset-2 col-md-10">
            <input type="submit" class="btn btn-default" value="Register" />
        </div>
    </div>
}

@section Scripts {
    @Scripts.Render("~/bundles/jqueryval")
}

Let us now implement Authorization on Employee Controller

Double click on Employee Controller from the Controllers folder as shown below

Add Roles=(“Admin”) to the attribute Authorize before the controller class as shown below

[Authorize(Roles ="Admin")]
    public class EmployeesController : Controller
    {}

This means only users with an Admin role can view or access this controller
Now run the application and try accessing the Employee menu without registering or admin role and you a see a login page telling you to login or register as shown below


Congrat, we have successfully implemented Role-based authentication and Authorization

Labels:
Location: Abuja, Nigeria

Comments

  1. SAFETOTOSITEPRO18March 12, 2022 at 7:19 AM

    So good indeed! Glad to have found your page!! This is such great work!! Interesting to read. 토토사이트

    ReplyDelete

Post a Comment

Popular posts from this blog

The String.Join Method in C# Explained

The String.Join Method in C#   The string.Join concatenates the elements of a specified array or the members of a collection, using the specified separator between each element or member. Overloads of string.Join Method Description Join(Char, Object[]) Concatenates the string representations of an array of objects, using the specified separator between each member. Join(Char, String[]) Concatenates an array of strings, using the specified separator between each member. Join(String, IEnumerable<String>) Concatenates the members of a constructed IEnumerable<T> collection of type String, using the specified separator between each member. Join(String, Object[]) Concatenates the elements of an object array, using the specified separator between each element. Join(String, String[]) Concatenates all the elements of a string array, usi...
Post a Comment
Read more

Most Popular Programming Languages in 2020

Most Popular Programming Languages in 2020 In this blog post, you will learn about the most popular programming languages in 2020 for creating the best web applications. Check its pros and cons. Analyzed by technostacks Not very long ago, just a few people were considered to be computer programmers, and the general public viewed them with awe. In this digital age that we are now living in, however, a large number of IT jobs need a solid grasp of one or more programming languages. Whether one wants to develop a mobile app or get a certification for having programming knowledge, or even to learn new skills, one needs to opt for the right programming language. Below mentioned eight most popular programming languages which are in demand for software development and web applications. This is the most used programming languages in 2019 and will be in 2020. For each, there is little information about the language, benefits and its complexity, as well as about its usage. One must...
1 comment
Read more

HashTable in C# with Example

  HashTable in C# with Example Hashtable  is used to store a collection of key/value pairs of different  data types  and are organized based on the hash code of the key.   Generally, the hashtable object will contain buckets to store elements of the collection. The bucket here, is a virtual subgroup of elements within the hashtable and each bucket is associated with a hash code, which is generated based on the key of an element.   In C#, hashtable is same as a  dictionary  object but the only difference is that the  dictionary  object is used to store a key-value pair of same  data type  elements.   When compared with  dictionary  object, the hashtable will provide a lower performance because the hashtable elements are of object type so the boxing and unboxing process will occur when we are storing or retrieving values from the hashtable.   C# HashTable Declaration Hashtable is a non-generic type...
Post a Comment
Read more