As promised, a follow-up to my first post on Rhino Security. This post deals with the integration of Rhino Security in ASP.NET MVC.
In our application we need to deal with different levels of security:
- Security on field level: some users cannot see certain fields.
- Security on operations: some users cannot perform certain actions.
- Security on the data a user can see, e.g. a certain user can see vehicles but not the BMWs. That means that in every query sent to the database the BMWs need to be filtered out.
For now I will focus on 1 and 2, and I hope to find some time to come back to 3 in a later post. But before we do all that we have to make some preparations:
We have created our own base Controller that derives from System.Web.Mvc.Controller. That Controller carries one attribute: "Authorization". This "AuthorizationAttribute" derives from the default "ActionFilterAttribute" and first checks whether the user is authenticated; only after that does it check whether the user is authorized to perform the requested action. That brings us to security on operations:
Security on operations
On each public action method we add a "SecuredOperation" attribute, and the "AuthorizationFilter" checks whether the logged-in user is authorized to perform the requested action using the "Rhino.Security.Interfaces.IAuthorizationService". That of course means that all "SecuredOperations" must be known to Rhino.Security. Now, that is quite easy: we loop over all action methods that carry the "SecuredOperation" attribute and add each operation to Rhino.Security using the IAuthorizationRepository. Security on operations is not enough in our case; sometimes we also need security on field level. It turns out that ASP.NET MVC makes this really easy to do.
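The pieces described above, as an added example rather than code from the original post: the SecuredOperation attribute, the AuthorizationAttribute on the base controller (authentication first, then IAuthorizationService.IsAllowed), and the startup loop that registers every secured operation through IAuthorizationRepository. Property injection of the service and of the current IUser, and the operation names, are assumptions.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using Rhino.Security;
using Rhino.Security.Interfaces;
// Marks an action method with the Rhino.Security operation it requires, e.g. "/Vehicles/Edit" (assumed name).
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public sealed class SecuredOperationAttribute : Attribute
{
    public string Operation { get; private set; }
    public SecuredOperationAttribute(string operation) { Operation = operation; }
}

// Placed on the base controller: first authentication, then authorization for the requested action.
public class AuthorizationAttribute : ActionFilterAttribute
{
    // Assumption: service and current user are injected by the IoC container (property injection).
    public IAuthorizationService AuthorizationService { get; set; }
    public Func<IUser> CurrentUser { get; set; }
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult(); // forms auth turns this into a login redirect
            return;
        }
        var secured = filterContext.ActionDescriptor
            .GetCustomAttributes(typeof(SecuredOperationAttribute), true)
            .OfType<SecuredOperationAttribute>().FirstOrDefault();
        if (secured == null) return; // unsecured action: nothing more to check
        if (!AuthorizationService.IsAllowed(CurrentUser(), secured.Operation))
            filterContext.Result = new HttpStatusCodeResult(403); // authenticated but not permitted
    }
}
// At startup: every [SecuredOperation] on an action method becomes a Rhino.Security operation.
public static class SecuredOperationRegistrar
{
    public static void Register(IAuthorizationRepository repository, Assembly controllers)
    {
        var names = controllers.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t))
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance))
            .SelectMany(m => m.GetCustomAttributes(typeof(SecuredOperationAttribute), true).OfType<SecuredOperationAttribute>())
            .Select(a => a.Operation).Distinct();
        foreach (var name in names)
            if (repository.GetOperationByName(name) == null) repository.CreateOperation(name);
    }
}
```

Because the filter sits on the base controller, an action without a SecuredOperation attribute still requires authentication but is otherwise open; the registration loop is what lets permissions refer to each operation by name.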
Security on field level
Extension methods are key here. You are probably already using the "HtmlHelpers" in your application. To include security you just need to extend those and use the extended ones, for example a "Html.SecuredTextbox" and a "Html.SecuredActionLink". In the implementation of those you check whether the user has access to the field or operation and deal with it accordingly. In the case of the textbox you can, for example, show it, show it disabled, or not show it at all.
This post shows that without a lot of effort you can integrate the powers of Rhino.Security in ASP.NET MVC, and of course you can do exactly the same in Castle.Monorail. I hope to find some time in the coming weeks to write about secured queries, meaning that you restrict query results based on the user's rights.