
I have a 3 tier MVC solution: MVC Web - Business Layer - Data Access Layer

I have custom tables for users and groups in a database back-end; the user groups are mapped to a custom permission structure. The authentication needs to check for the presence of the user, and the authorisation needs to verify what the user can do based on their permissions.

I can perform the authentication and authorization by implementing a custom AuthorizeAttribute and asking the service level if the HttpContext.User.Identity.Name exists in the user table and also verify the user permissions based on the controller and action.

However, the service level needs to authorise the user again when being called from the action in the controller. This allows finer control over what the user can and can't do - for example, there are some fields that are read-only or hidden depending on the user group membership.

The issue is that I will end up authenticating and authorizing the user both in the AuthorizeAttribute of the controller action and from within the controller action itself (via the service level).

This is a design issue more than anything else but wanted to see if I am approaching the problem in the best way!

sjr
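One way to keep the two checks from being two copies of the same logic is to put the permission lookup behind a single contract that both the custom AuthorizeAttribute and the service layer call. The code below is an added illustration, not code from the question or answer; `IPermissionService`, `InMemoryPermissionService`, `PermissionAuthorizeAttribute`, `OrderService` and the `Orders.Read`/`Orders.Edit` permission names are hypothetical, and the in-memory table stands in for the custom users/groups tables.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
// Hypothetical contract shared by the AuthorizeAttribute and the service layer.
public interface IPermissionService
{
    bool UserExists(string userName);
    bool HasPermission(string userName, string permission);
}
// Constructed in-memory stand-in for the custom users/groups/permissions tables.
public class InMemoryPermissionService : IPermissionService
{
    private static readonly Dictionary<string, HashSet<string>> Perms =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["DOMAIN\\alice"] = new HashSet<string> { "Orders.Read", "Orders.Edit" },
            ["DOMAIN\\bob"] = new HashSet<string> { "Orders.Read" }
        };
    public bool UserExists(string userName) => Perms.ContainsKey(userName);
    public bool HasPermission(string userName, string permission) =>
        Perms.TryGetValue(userName, out var set) && set.Contains(permission);
}

// Controller boundary: one named permission per action, resolved via the shared service.
public class PermissionAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _permission;
    public PermissionAuthorizeAttribute(string permission) { _permission = permission; }
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User?.Identity;   // Windows Authentication identity
        if (identity == null || !identity.IsAuthenticated) return false;
        var perms = DependencyResolver.Current.GetService<IPermissionService>();
        return perms.UserExists(identity.Name) && perms.HasPermission(identity.Name, _permission);
    }
}

// Service boundary: the same contract decides coarse access and field-level visibility.
public class OrderService
{
    private readonly IPermissionService _perms;
    public OrderService(IPermissionService perms) { _perms = perms; }
    public (int Id, decimal Total, bool CanEdit) GetOrder(string userName, int id)
    {
        if (!_perms.HasPermission(userName, "Orders.Read"))
            throw new UnauthorizedAccessException("Orders.Read required");
        return (id, 42.00m, _perms.HasPermission(userName, "Orders.Edit")); // CanEdit shapes the view
    }
}
```

Decorating an action with `[PermissionAuthorize("Orders.Read")]` rejects the request early, while `OrderService.GetOrder` still enforces the same rule when called from any other entry point and uses the finer `Orders.Edit` check for the read-only/hidden field behaviour.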

1 Answer


If I understand your question correctly, you have a requirement to check user permissions/roles on your service layer and perform some logic on the basis of that. The answer really depends on what type of service layer you are using: is it a Web API or interface-based service contracts? If you are using Web API, you can inject a token in the Authorization header before calling your Web API controller actions, which is the common architecture for a SPA using MVC and Web API. In this scenario Web API and MVC need not be hosted on the same server since you are using the Bearer token approach. If you are using cookie-based authentication then that's a different case.

  • Thanks for your answer @himanshu. At the moment the service layer is a tightly coupled dll (i.e. a direct project reference with no interfaces). The authentication is Windows Authentication and the username is passed as a method parameter to the service layer. In the future I will want to abstract this service layer. My issue is that I will be duplicating the authorization, as I will be doing it in the AuthorizeAttribute and then again in the service layer. – sjr Jun 05 '17 at 18:50