使用 AD 的 MVC3 授权

Question

Is it possible to authorise/deny users of an MVC3 application using AD?

My app is secured using Windows authentication at the moment, but that means adding users to groups on the Win2007 server.

I'd like to change that so that users were allowed/denied access to the appliction/and controller actions/view based upon their AD roles instead, so they either auto-logged in (like Windows auth) or they get redirected to a "denied" page.

Any help very gratefully accepted...everything I find seems to be based upon Windows groups, or forms authentication.

Answer 1

You could use the Roles property:

[Authorize(Roles = @"SOMEDOMAIN\somegroup")]
public ActionResult Foo()
{
    ...
}

Here's a tutorial which explains the steps.

Answer 2

I'm using AD Groups for my intranet app.

<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <clear />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

then just added Authorization attributes to my controller actions that I needed to secure:

[Authorize(Roles = MyNamesspace.Constants.MANAGER_GROUP)]
public ActionResult Blah() {...

And in a view you can use User.IsInRole and the name of their AD/Windows group.

Or get a list of the roles the webserver sees from that user: System.Web.Security.Roles.GetRolesForUser();

Caveat: my server and my clients are all on the same domain. this won't work if you need to do the same for web clients off site against your ActiveDirectory.

Answer 3

Just use the Membership provider framework that comes built-in to Asp.net. You will find that there is already an ActiveDirectoryMembershipProvider out of the box, but you will have to implement the RoleProvider yourself, as membership can be defined different ways in different networks.