DNN API Role based authorization

I want to apply authorization on API calls with respect to DNN roles, so that DNN itself will check whether the logged-in user has access to a particular API call. I got one solution, but it is not exactly what I want: How to handle security/authentication on a DNN-based web API. This link suggests having a separate module for API authorization so that we can assign roles to this module, and by using the [SupportedModules("ModuleName")] attribute on the API call we can restrict authorization. I checked this example but no luck... Please suggest a proper way to do it.

As long as you work with the DnnApiController as part of 7.x you can simply add this attribute to any method to require authorization based on role.

[DnnAuthorize(StaticRoles = "MyRoleNameHere")]

Where "MyRoleNameHere" is the name of the role that the user must have.

Have you checked this post? http://www.dotnetnuke.com/Resources/Blogs/EntryId/3329/Authorization-in-the-new-DNN-Services-Framework.aspx

I have found this useful (as well as the other answer you referred to)... but it's taken me a long time to understand it! Here's what I've figured out so far: If you're using a web browser, DNN can accept your request and evaluate the permissions (based on your login). The linked blog entry demonstrates this with an API that lists tabs -- it only shows the tabs your login has permission to see. If you write an HTTP request from somewhere else (such as in a PHP script), you can see the same behavior if you send username/password with the request.

You can use the DnnAuthorize attribute, but using role names directly can be problematic for the reasons you mentioned -- what if they change? However, you can write your own attribute. Basically, it will require (in some way, shape, or form) a TabID and ModuleID. That way, instead of checking a role name, you can have DNN check what permissions the current user has for that module.

You can write a module for it, assign role-based permissions to your module, and have DNN just check that tab/module for the given login. Writing your own attribute will make it easy to assign the permissions in your controller... without specifying the roles directly.

I believe the link refers to DNN 6.2, so there may be some differences with 7.
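The two approaches from the answers above, side by side, as an added example that is not part of any answer: a role-name check with DnnAuthorize, and a module-permission check using the DNN 7 Services Framework attributes SupportedModules and DnnModuleAuthorize. The module name "ExampleModule", the namespace and the controller and action names are hypothetical, and the second action assumes the caller sends the ModuleId and TabId request headers so DNN can locate the module instance.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Web.Api;

namespace Example.Services // hypothetical namespace
{
    // Maps ~/DesktopModules/ExampleModule/API/{controller}/{action}
    public class RouteMapper : IServiceRouteMapper
    {
        public void RegisterRoutes(IMapRoute mapRouteManager)
        {
            mapRouteManager.MapHttpRoute("ExampleModule", "default",
                "{controller}/{action}", new[] { "Example.Services" });
        }
    }

    public class ReportsController : DnnApiController
    {
        // Role named in code: the string must be kept in sync with the
        // portal if the role is ever renamed or replaced.
        [HttpGet]
        [DnnAuthorize(StaticRoles = "MyRoleNameHere")]
        public HttpResponseMessage ByRole()
        {
            return Request.CreateResponse(HttpStatusCode.OK, "role check passed");
        }

        // No role name in code: DNN resolves the module instance from the
        // ModuleId/TabId headers, confirms it is an "ExampleModule" instance,
        // and checks that the current user has View permission on it.
        // Who gets access is then managed in the module's permission grid.
        [HttpGet]
        [SupportedModules("ExampleModule")]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.View)]
        public HttpResponseMessage ByModulePermission()
        {
            return Request.CreateResponse(HttpStatusCode.OK,
                new { ModuleId = ActiveModule.ModuleID });
        }
    }
}
```

Use SecurityAccessLevel.Edit instead of View for actions that change data, so that read access to the module does not imply write access through the API.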
