ASP.NET MVC provides basic authentication and authorization functionality when we create a project from the Internet project template. It handles the major tasks such as role membership management and login credential validation. For more information about basic authorization in an MVC application, see our article “Insight of ASP.NET MVC’s Authorize Attribute”.
In brief, we can restrict anonymous users by decorating our controllers and action methods with the Authorize attribute. This redirects anonymous users to the login page and, with some overriding, we can send them to a custom error page as well. But it is not flexible enough for a more enterprise-level application where security matters.
That is where customizing authorization and authentication in ASP.NET MVC comes in. Let’s play around with it for some time.
Custom Membership Provider in ASP.NET MVC
MVC ships with a few built-in .NET membership providers. Implementing and consuming them is quite easy but, as discussed earlier, they do not provide enough flexibility for enhancing our security. The other option is to implement our own providers.
You may have noticed that when the default .NET membership provider is used, tables are created with a schema for authentication and authorization, and the credentials that the end user creates are persisted there. This happens automatically. With custom authentication, the schema must either be created from scratch or reused from an existing application.
Setting Up the Database
- If you already have the security database configured, you can skip this step; otherwise, let us create the ASP.NET security database.
- Open the Visual Studio command prompt and type the command “aspnet_regsql”.
- This opens a SQL wizard; click Next.
- Here you can decide whether to continue with the existing security database or replace it.
- Provide your server name and database; the wizard will automatically load it with the ASP.NET security schema tables.
Creating Custom Membership
- Open Visual Studio 2012 or later and create a class library project.
- Now add a reference to the assembly System.Web.ApplicationServices. It provides classes that give us access to the Forms authentication, Roles and Profiles application services. To add the reference, right-click the References folder, choose Add Reference and select Assemblies. Search or scroll for the assembly mentioned above and add it.
- Create your custom authentication class here, for instance WebDevelopmentCustomAuth, and derive it from the MembershipProvider class.
- MembershipProvider provides a method called ValidateUser(), which is the one that needs to be overridden.
Implementing Custom Authentication into ASP.NET MVC4 Client
Customizing Authorization (Role Provider)
- In the class library project we created before, create a class CustomRoleProvider that inherits the RoleProvider class.
- The RoleProvider class provides us with the method for handling the roles, called GetRolesForUser().
- We can override that particular function with our logic.
- Now, in the MVC 4 client project that we created earlier, open the Web.config file and add or replace the roleManager section as below.
- Then decorate the action method with the Authorize attribute and set its Roles property.
- If we run our application again and navigate to the decorated action method, you will get past the login only if your username has the role Administrator.
We can also make use of third-party authentication such as Google, Microsoft, Facebook, etc. This can be implemented by deriving our WebDevelopmentCustomAuth class from the ExtendedMembershipProvider class, which has MembershipProvider as its base class. We also need to add a reference to the assembly WebMatrix.WebData and can then adapt the AccountController to make use of the social types of authentication.
Custom authorization and authentication give us enough flexibility in implementing security, and it’s quite a wide topic. I’ve written about the most prominent way of implementing it, and I hope this helps you learn the customization and move forward in securing your application.
Thanks for reading, make your app non-screwable!
The post Custom Authentication and Authorization in ASP.NET MVC appeared first on Web Development Tutorial.