-1

I have created a cookie which contains the userID in it.

C#

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        "UserID",
        DateTime.Now,
        DateTime.MaxValue,
        true,
        s.EmpID, // userID
        FormsAuthentication.FormsCookiePath);
    // Encrypt the ticket.
    string encTicket = FormsAuthentication.Encrypt(ticket);
    // Create the cookie.
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket) {
        Expires = ticket.Expiration
    });

But the problem is: how can I display an error page stating "Permission Denied" when a non-admin user accesses admin pages?

    [Authorize(Roles = "Admin")]
RJV
  • You may look at ASP .NET Identity: http://www.asp.net/identity. The `Authorize` attribute with roles means that only users with the specified role are allowed to access the controller or action method. – Tetsuya Yamamoto Oct 07 '16 at 08:49
  • For `Authorize` to work you have to either configure in web.config a membership provider, or you can use windows identity for authentication. I'd suggest following some tutorials first. – Candide Oct 07 '16 at 08:49
  • An example from SO: http://stackoverflow.com/questions/1385042/asp-net-mvc-forms-authentication-authorize-attribute-simple-roles. Your code describes the first step, when the user signs in; the second thing you need is to add authorization code to `Global.asax` as in the given issue, and then you can use `Authorize` with roles. – Tetsuya Yamamoto Oct 07 '16 at 08:57
  • How can I display an error page stating "Permission Denied" when a non-admin user accesses admin pages? – RJV Oct 07 '16 at 09:38

1 Answer

0

I'll try to explain this by how I have done it in my project.

  1. I have added a RoleProvider and Authentication in the web.config. The RoleProvider is implemented in the BLL project, in the class file UserBs.cs, whereas Authentication mode = Forms returns any user to /Common/Login if the user is not authorized for a View.


  2. Implement the abstract class of your RoleProvider in a class file. Here you have to implement a function getRolesForUser, which takes the Privilege/Role from the database.


  3. And the last step is to use [Authorize(Roles="ADMIN")] before the start of every controller to specify that only that user privilege can access that page, or simply [Authorize()] for the user to sign in before accessing any page.


Sudhanshu
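
One way to get the "Permission Denied" page the question asks for, shown as an added example that is not part of the original posts: a subclass of `AuthorizeAttribute` that keeps the login redirect for anonymous users but answers signed-in users who lack the role with a 403 and an error view. The names `RoleAuthorizeAttribute`, `AdminController` and the `PermissionDenied` shared view are assumptions; roles are assumed to come from the configured RoleProvider described in the answer.

```csharp
using System.Web.Mvc;

// Added example. RoleAuthorizeAttribute, the "PermissionDenied" view and
// AdminController are assumed names, not taken from the posts above.
public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not signed in: keep the default 401, which Forms authentication
            // turns into a redirect to the configured login page.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Signed in but missing the required role: respond with 403 and an
        // error view instead of bouncing the user back to the login page.
        var response = filterContext.HttpContext.Response;
        response.StatusCode = 403;
        response.TrySkipIisCustomErrors = true; // keep IIS from replacing the body
        filterContext.Result = new ViewResult
        {
            ViewName = "PermissionDenied", // assumed: Views/Shared/PermissionDenied.cshtml
            ViewData = filterContext.Controller.ViewData
        };
    }
}

// Usage: the role check itself is still done by the base AuthorizeAttribute,
// which asks the current principal (and so the RoleProvider) for "ADMIN".
[RoleAuthorize(Roles = "ADMIN")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```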