I have a large ASP.NET C# application that I am working on, and we had implemented security by two approaches:
- web.config based URL authorization rules.
- In each control event method, write code to check if the user is in the required role, plus additional checks on the user's data.
When I discovered that security could be implemented via declarative attributes on methods and classes (http://ift.tt/2m3ojAS) I was simply amazed.
However, the security in the application is not as straightforward as: if you are in Role X, you can edit this data.
An example security rule that I have is: you can edit the data if you originally created it or you have the "Editor" role.
I have done a good amount of googling and came across solutions that offer customization by deriving from the CodeAccessSecurityAttribute class. Here is the list of references:
I am unable to figure out two things and that's where I am looking for some help:
- These customizations return a PrincipalPermission object created in a custom manner. Where is the override method that would be called, in which I can do my custom check of whether the user is in a particular role and any other customization that I want to write?
- Within the code of the attribute, I would like to somehow get a handle to the class on which the attribute is applied, so that I can access the user's data, which would be used in deciding whether to allow a particular authorization request. In this context I read this Stack Overflow post, but the accepted solution in a way kills the purpose of the attribute.
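The following is an added example (not code from the question or from any of the references it mentions) of where the custom check goes: the runtime calls Demand() on the IPermission that the attribute's CreatePermission() returns, so the role-or-owner logic lives in Demand(). All type and member names (OwnerOrRolePermission, OwnerOrRoleAttribute, DocumentService, CreatedBy) are assumptions made for this example. It also shows the practical limitation behind the second question: a declarative attribute is instantiated by the runtime from metadata and has no reference to the object whose method it decorates, so the owner part of the rule is demanded imperatively inside the method where the record's data is in scope, while the attribute covers the role-only case.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical permission: satisfied when the current principal is the
// record's creator OR holds the configured role (e.g. "Editor").
[Serializable]
public sealed class OwnerOrRolePermission : IPermission, IUnrestrictedPermission
{
    public string Role { get; private set; }
    public string OwnerName { get; private set; }   // null => role check only

    public OwnerOrRolePermission(string role, string ownerName)
    {
        Role = role;
        OwnerName = ownerName;
    }

    // Demand() is where the runtime (declarative use) or your own code
    // (imperative use) hands control to the custom authorization check.
    public void Demand()
    {
        IPrincipal p = Thread.CurrentPrincipal;
        if (p == null || p.Identity == null || !p.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required.");

        bool isOwner = OwnerName != null &&
            string.Equals(OwnerName, p.Identity.Name, StringComparison.OrdinalIgnoreCase);
        bool inRole = !string.IsNullOrEmpty(Role) && p.IsInRole(Role);

        if (!(isOwner || inRole))
            throw new SecurityException(string.Format(
                "'{0}' is neither the owner nor in role '{1}'.", p.Identity.Name, Role));
    }

    public bool IsUnrestricted() { return false; }
    public IPermission Copy() { return new OwnerOrRolePermission(Role, OwnerName); }
    public IPermission Intersect(IPermission target) { return target == null ? null : Copy(); }
    public IPermission Union(IPermission target) { return Copy(); }
    public bool IsSubsetOf(IPermission target) { return target is OwnerOrRolePermission; }

    // Declarative use may persist the permission as XML, so every field the
    // check depends on must round-trip through ToXml/FromXml.
    public SecurityElement ToXml()
    {
        var e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName.Replace('"', '\''));
        e.AddAttribute("version", "1");
        if (Role != null) e.AddAttribute("Role", SecurityElement.Escape(Role));
        if (OwnerName != null) e.AddAttribute("Owner", SecurityElement.Escape(OwnerName));
        return e;
    }

    public void FromXml(SecurityElement e)
    {
        Role = e.Attribute("Role");
        OwnerName = e.Attribute("Owner");
    }
}

// Hypothetical declarative attribute for the role-only part of the rule.
// The attribute never sees the decorated instance, so it cannot know who
// created the record; that part of the rule needs an imperative demand.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = true)]
public sealed class OwnerOrRoleAttribute : CodeAccessSecurityAttribute
{
    public string Role { get; set; }

    public OwnerOrRoleAttribute(SecurityAction action) : base(action) { }

    public override IPermission CreatePermission()
    {
        return new OwnerOrRolePermission(Role, null);
    }
}

// Hypothetical service showing both usages side by side.
public class DocumentService
{
    public string CreatedBy { get; set; }   // loaded from the data store

    // Role-only rule: only "Admin" may purge. Checked declaratively.
    [OwnerOrRole(SecurityAction.Demand, Role = "Admin")]
    public void Purge() { /* ... */ }

    // Owner-or-Editor rule: CreatedBy is only known here, so the demand is
    // made imperatively with the record's owner rather than via the attribute.
    public void Edit()
    {
        new OwnerOrRolePermission("Editor", CreatedBy).Demand();
        // ... perform the edit ...
    }
}
```

In an ASP.NET application Thread.CurrentPrincipal is populated from HttpContext.User by the authentication module, so Demand() sees the same identity and roles the web.config URL rules use. Keeping the decision in one Demand() method means the owner-or-role rule is written once and can be unit-tested by setting Thread.CurrentPrincipal to a GenericPrincipal with chosen roles.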