ASP.NET MVC4中的角色和安全性

Question

Can anyone tell me the best way to implement Roles and security in ASP.NET MVC4 app.

I am working on a MVC project and I want to implement the roles and security in that project. I have roles defined which I am getting from the database.But I dont know how to use those roles in my project. How can I make a connection(in webconfig or something) from which I can declare the roles on the Action method so that only users with those roles can only access that method.

Like I have some roles : Read,Edit,Update ..I want only users with read role to only perform read operation and other operations respectively depending on roles.

I know this is a very broad question.but I just want to know the best way using which I can implement the roles and security in my application.

What will be the step by step process:

Do I need to make some connection in the webconfig so that the dataannotation with the role defined work or something..

Plz help me guys. Thanks.

Answer 1

Which authentication mode are you using? Forms authentication has option User.IsInRole but for that to work, you need to have Forms Authentication in place. User.IsInRole MSDN

What you can do is create different views for Details, Insert/Update, Delete. Then, on each controller, you just allow the users with your desired roles.

Answer 2

I think what you actually needed is RBAC.

User has one or more roles, and there are many functions for each role.

User & Role, One to Many or Many to Many
Role & Function, Many to Many

http://en.wikipedia.org/wiki/Role-based_access_control

Add an AuthorizeAttribute(eg: MyAuthorize) class.

[MyAuthorize("Admin-User-Add")]
public ActionResult Add(){}

"Admin-User-Add" is the unique key of the function of "Add user action".