How do I handle application security? Using ActionFilterAttribute and/or SiteMap authorization?
I created the following ActionFilterAttribute to check whether a user is granted access to a page. I also created two custom exceptions to handle different scenarios: NotLoggedInException and InsufficientPrivilegeException.
ActionFilterAttribute
    Public Class ValidateAuthentication : Inherits ActionFilterAttribute
        Private _page As BLL.Page
        Public Sub New(ByVal Page As BLL.Page)
            Me._page = Page
        End Sub
        Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
            Select Case Me._page.IsAccessibleToUser(filterContext.HttpContext.User)
                Case -1
                    Throw New NotLoggedInException()
                Case 0
                    Throw New InsufficientPrivilegeException()
                Case 1
                    ' access granted
            End Select
        End Sub
    End Class
I also have a custom SiteMapProvider where I implemented my own IsAccessibleToUser() function, so I also have security trimming.
SiteMapProvider
    Public Overrides Function IsAccessibleToUser(ByVal context As System.Web.HttpContext, ByVal node As System.Web.SiteMapNode) As Boolean
        Dim p As New BLL.Page
        p.LoadFromSiteMapNode(node)
        Select Case p.IsAccessibleToUser(context.User)
            Case 1
                Return True
            Case Else
                Return False
        End Select
    End Function
The questions:
- Where do I catch the exceptions, for instance to redirect users who are not authorized?
- Should I perhaps use the SiteMap authorization somewhere else instead of using the ActionFilterAttribute and throwing exceptions?
Note: as you can see, I'm using a custom class, BLL.Page. This is an ORM page which has role-based security stored in the database. The SiteMap is also populated from this data.
Do not reinvent AuthorizeAttribute. Your version won't handle cached actions; the built-in AuthorizeAttribute will. If you need to customize your authentication, then customize the membership provider or subtype AuthorizeAttribute, rather than reinventing MVC security.
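The following is an added example of the subtyping the answer recommends; it is not code from the question or the answer. It keeps the built-in AuthorizeAttribute.OnAuthorization (which registers the output-cache validation callback, so cached responses are re-checked) and only replaces the access decision and the failure response. It assumes the -1/0/1 return values of BLL.Page.IsAccessibleToUser from the question, and a hypothetical BLL.Page.LoadByKey(String) loader, because attribute constructor arguments must be compile-time constants and a BLL.Page instance cannot be passed directly.

```vb
' Added example, not the question's or the answer's code.
' Assumptions: BLL.Page.LoadByKey(key) is a hypothetical shared loader not shown
' in the question; IsAccessibleToUser returns -1 (not logged in), 0 (insufficient
' privilege) or 1 (granted) as described in the question.
Imports System.Web
Imports System.Web.Mvc

Public Class PageAuthorizeAttribute
    Inherits AuthorizeAttribute

    Private ReadOnly _pageKey As String

    ' Attribute arguments must be constants, so the protected page is
    ' identified by a key rather than by a BLL.Page instance.
    Public Sub New(ByVal pageKey As String)
        _pageKey = pageKey
    End Sub

    ' The access decision. The base class calls this from OnAuthorization and,
    ' when output caching is enabled for the action, again from the cache
    ' validation callback, so a cached page is never served to a user the
    ' database does not authorize. Keep this method free of per-request state:
    ' MVC reuses attribute instances across requests.
    Protected Overrides Function AuthorizeCore(ByVal httpContext As HttpContextBase) As Boolean
        Dim page As BLL.Page = BLL.Page.LoadByKey(_pageKey) ' hypothetical loader
        Return page.IsAccessibleToUser(httpContext.User) = 1
    End Function

    ' Runs when AuthorizeCore returns False. This replaces the custom exceptions:
    ' anonymous users get the base class's 401, which Forms authentication turns
    ' into a login redirect; authenticated users without the role get a 403, so
    ' they are not bounced to the login page in a loop.
    Protected Overrides Sub HandleUnauthorizedRequest(ByVal filterContext As AuthorizationContext)
        If Not filterContext.HttpContext.User.Identity.IsAuthenticated Then
            MyBase.HandleUnauthorizedRequest(filterContext)
        Else
            filterContext.Result = New HttpStatusCodeResult(403)
        End If
    End Sub
End Class

' Usage on a controller action (the page key is a constructed sample value):
' <PageAuthorize("Admin/Users")>
' Public Function Index() As ActionResult
'     Return View()
' End Function
```

Because the SiteMapProvider's IsAccessibleToUser and this attribute both call the same BLL.Page.IsAccessibleToUser, the menu trimming and the action-level check cannot drift apart; the SiteMap hides links the user may not follow, and the attribute is what actually enforces it.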