Custom Authentication and Authorization in ASP.NET MVC

ASP.NET MVC provides basic authentication and authorization out of the box when we create a project from the Internet template. It covers the major functions such as role membership management and login credential validation. For more information about basic authorization in an MVC application, see our article “Insight of ASP.NET MVC’s Authorize Attribute”.
In brief, we can restrict anonymous users simply by decorating our Controllers and Action Methods with the Authorize attribute. This redirects anonymous users to the login page, and with some overriding we can send them to a custom error page as well. But it is not flexible enough for an enterprise-level application where security matters.

So there comes the concept of customizing authorization and authentication in ASP.NET MVC; let’s play around with it for a while.

Custom Membership provider in ASP.NET MVC

MVC provides a few built-in .NET Membership providers that are easy to implement and consume, but as discussed earlier they don’t provide enough flexibility for enhancing our security. The other option is to implement our own providers.

You will have noticed, while using the default membership provided by .NET, that a table with the authentication and authorization schema is created and the credentials the end user creates are persisted there. That is done automatically, but for custom authentication the schema needs to be created from scratch, or we can reuse the existing schema of an application that is already built.

Setting Up the Database

  • If you have the security database configured already you can skip this step; otherwise let us create the ASP.NET security database.
  • Open the Visual Studio command prompt and type the command “aspnet_regsql”.
  • This pops up the ASP.NET SQL Server Setup Wizard; click Next.
  • Here you can decide whether to continue with the existing security database or replace it.
  • Provide your server name and database; the wizard loads it with the ASP.NET security schema tables.

Creating Custom Membership

  • Open Visual Studio 2012 or later and create a Class Library project.
  • Now add a reference to the assembly System.Web.ApplicationServices. It provides the classes that give access to the Forms authentication, Roles and Profiles application services. To add the reference, right-click the References folder, choose Add Reference, select Assemblies, then search or scroll for the assembly mentioned above and add it.
  • Create your custom authentication class, for instance WebDevelopmentCustomAuth, and derive it from the MembershipProvider class.
  • MembershipProvider has a method called ValidateUser(), which is the one that needs to be overridden.
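The class described in the steps above, as an added example rather than the article’s own code: a MembershipProvider whose ValidateUser() looks up the user with a parameterised query and compares the submitted password against a salted PBKDF2 hash in constant time. The Users table and its columns, the “SecurityDb” connection string name, the namespace and the PBKDF2 parameters are assumptions. Because MembershipProvider is abstract, every other abstract member must also be overridden for the class to compile; here they are stubbed with C# 7 throw expressions and password retrieval and reset are left disabled.

```csharp
// Added example, not the article's own code: a MembershipProvider whose
// ValidateUser() compares the submitted password against a salted PBKDF2
// hash stored in a hypothetical Users(UserName, PasswordSalt, PasswordHash)
// table. Table/column names, the "SecurityDb" connection string and the
// PBKDF2 parameters are assumptions.
using System;
using System.Configuration;          // reference System.Configuration
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;           // reference System.Web.ApplicationServices

namespace WebDevelopment.Security
{
    public class WebDevelopmentCustomAuth : MembershipProvider
    {
        private const int Pbkdf2Iterations = 100000; // work factor (assumption)
        private const int HashLength = 32;           // bytes

        private static string ConnectionString =>
            ConfigurationManager.ConnectionStrings["SecurityDb"].ConnectionString;

        // The member the article says must be overridden. Forms authentication
        // calls it with whatever the login form posted, so both inputs are
        // treated as untrusted.
        public override bool ValidateUser(string username, string password)
        {
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
                return false;

            byte[] salt, storedHash;
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand(
                "SELECT PasswordSalt, PasswordHash FROM Users WHERE UserName = @user", conn))
            {
                cmd.Parameters.AddWithValue("@user", username); // parameterised, never concatenated
                conn.Open();
                using (var reader = cmd.ExecuteReader())
                {
                    if (!reader.Read()) return false;           // unknown user
                    salt = (byte[])reader["PasswordSalt"];
                    storedHash = (byte[])reader["PasswordHash"];
                }
            }

            // Same derivation the registration code must use when storing the hash.
            return FixedTimeEquals(HashPassword(password, salt), storedHash);
        }

        public static byte[] HashPassword(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
                return kdf.GetBytes(HashLength);
        }

        // Constant-time comparison so timing does not reveal how many bytes matched.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        // MembershipProvider is abstract; the remaining members must exist for
        // the class to compile. Password retrieval and reset stay disabled.
        public override string ApplicationName { get; set; }
        public override bool EnablePasswordReset => false;
        public override bool EnablePasswordRetrieval => false;
        public override int MaxInvalidPasswordAttempts => 5;
        public override int MinRequiredNonAlphanumericCharacters => 1;
        public override int MinRequiredPasswordLength => 12;
        public override int PasswordAttemptWindow => 10;
        public override MembershipPasswordFormat PasswordFormat => MembershipPasswordFormat.Hashed;
        public override string PasswordStrengthRegularExpression => string.Empty;
        public override bool RequiresQuestionAndAnswer => false;
        public override bool RequiresUniqueEmail => true;
        public override bool ChangePassword(string username, string oldPassword, string newPassword) => throw new NotSupportedException();
        public override bool ChangePasswordQuestionAndAnswer(string username, string password, string newPasswordQuestion, string newPasswordAnswer) => throw new NotSupportedException();
        public override MembershipUser CreateUser(string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status) => throw new NotSupportedException();
        public override bool DeleteUser(string username, bool deleteAllRelatedData) => throw new NotSupportedException();
        public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords) => throw new NotSupportedException();
        public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords) => throw new NotSupportedException();
        public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords) => throw new NotSupportedException();
        public override int GetNumberOfUsersOnline() => throw new NotSupportedException();
        public override string GetPassword(string username, string answer) => throw new NotSupportedException();
        public override MembershipUser GetUser(string username, bool userIsOnline) => throw new NotSupportedException();
        public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) => throw new NotSupportedException();
        public override string GetUserNameByEmail(string email) => throw new NotSupportedException();
        public override string ResetPassword(string username, string answer) => throw new NotSupportedException();
        public override bool UnlockUser(string userName) => throw new NotSupportedException();
        public override void UpdateUser(MembershipUser user) => throw new NotSupportedException();
    }
}
```

The provider returns false for an unknown user and for a wrong password alike, so the login page cannot be used to tell valid usernames from invalid ones; with passwords stored as salted hashes, a copy of the Users table gives an attacker hash values rather than credentials.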

Implementing Custom Authentication into ASP.NET MVC4 Client

  • Create a brand new ASP.NET MVC 4 application (the Internet project template will do).
  • Replace or add the membership tags in the Web.config file so they map to our custom authentication class library.
  • Now decorate the required controllers or action methods with the Authorize attribute as usual.
  • It is important to turn off Simple Membership and automatic Forms authentication in Web.config:
    <add key="enableSimpleMembership" value="false" />
    <add key="autoFormsAuthentication" value="false" />
  • Now run the application with F5 and navigate to the action method decorated with the Authorize attribute.
  • You will be redirected to the login page as desired.

Customizing Authorization (Role Provider)

  • In the class library project created earlier, create a class CustomRoleProvider that inherits from the RoleProvider class.
  • RoleProvider provides the method for retrieving a user’s roles, GetRolesForUser().
  • We override that method with our own logic.
  • Now, in the MVC 4 client project we created earlier, open Web.config and add or replace the roleManager section so it points to CustomRoleProvider.
  • Then set the Roles property on the action method’s Authorize attribute.
  • If we run the application again and navigate to the decorated action method, you will get past the login only if your user has the Administrator role.
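The Web.config changes from both the “Implementing Custom Authentication” steps (the membership tags and the two appSettings switches) and the roleManager step above, as an added example rather than the article’s own configuration. The assembly name WebDevelopment.Security, the connection string and the forms settings are assumptions; the provider names match the classes the article describes.

```xml
<!-- Added example, not the article's own config: maps Forms authentication and
     role checks to the custom providers in the class library. The assembly name
     "WebDevelopment.Security" and the connection string are assumptions. -->
<configuration>
  <connectionStrings>
    <add name="SecurityDb"
         connectionString="Data Source=.;Initial Catalog=AspNetSecurity;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <appSettings>
    <!-- Both must be off, otherwise the Internet template's SimpleMembership
         takes over and the custom provider is never called. -->
    <add key="enableSimpleMembership" value="false" />
    <add key="autoFormsAuthentication" value="false" />
  </appSettings>

  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL keeps the auth cookie off plain HTTP (assumed setting) -->
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" slidingExpiration="false" />
    </authentication>

    <membership defaultProvider="WebDevelopmentCustomAuth">
      <providers>
        <clear />
        <add name="WebDevelopmentCustomAuth"
             type="WebDevelopment.Security.WebDevelopmentCustomAuth, WebDevelopment.Security" />
      </providers>
    </membership>

    <!-- cacheRolesInCookie="false": roles are re-read from the provider on each
         request, so a revoked role takes effect immediately. -->
    <roleManager enabled="true" defaultProvider="CustomRoleProvider" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="CustomRoleProvider"
             type="WebDevelopment.Security.CustomRoleProvider, WebDevelopment.Security" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

With SimpleMembership disabled, the template’s AccountController can no longer rely on WebSecurity.Login(); its Login POST action should call Membership.ValidateUser() and, on success, FormsAuthentication.SetAuthCookie(), so that the custom provider is the one validating credentials.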
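The role provider and the decorated action from the steps above, as an added example that is not the article’s own code. The provider half belongs in the class library and reads a hypothetical UserRoles(UserName, RoleName) table; the controller half belongs in the MVC project. Table names, the “SecurityDb” connection string and the namespaces are assumptions, and the unused abstract members of RoleProvider are stubbed with C# 7 throw expressions.

```csharp
// Added example, not the article's own code: a RoleProvider that reads a
// user's roles from a hypothetical UserRoles(UserName, RoleName) table, plus a
// controller action restricted with the Roles property of [Authorize].
// Table names, the connection string name and namespaces are assumptions.
using System;
using System.Collections.Generic;
using System.Configuration;          // reference System.Configuration
using System.Data.SqlClient;
using System.Web.Mvc;                // MVC project only
using System.Web.Security;           // reference System.Web.ApplicationServices

namespace WebDevelopment.Security
{
    public class CustomRoleProvider : RoleProvider
    {
        private static string ConnectionString =>
            ConfigurationManager.ConnectionStrings["SecurityDb"].ConnectionString;

        // Called through RolePrincipal for every request whose [Authorize]
        // names a Roles= constraint; the username comes from the auth cookie.
        public override string[] GetRolesForUser(string username)
        {
            var roles = new List<string>();
            if (string.IsNullOrEmpty(username)) return roles.ToArray();

            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand(
                "SELECT RoleName FROM UserRoles WHERE UserName = @user", conn))
            {
                cmd.Parameters.AddWithValue("@user", username); // parameterised query
                conn.Open();
                using (var reader = cmd.ExecuteReader())
                    while (reader.Read()) roles.Add(reader.GetString(0));
            }
            return roles.ToArray();
        }

        // Used by Roles.IsUserInRole(); derived from the same query so both
        // code paths agree on the answer.
        public override bool IsUserInRole(string username, string roleName)
            => Array.Exists(GetRolesForUser(username),
                            r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));

        // Remaining abstract members; not needed for read-only role checks.
        public override string ApplicationName { get; set; }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) => throw new NotSupportedException();
        public override void CreateRole(string roleName) => throw new NotSupportedException();
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) => throw new NotSupportedException();
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) => throw new NotSupportedException();
        public override string[] GetAllRoles() => throw new NotSupportedException();
        public override string[] GetUsersInRole(string roleName) => throw new NotSupportedException();
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) => throw new NotSupportedException();
        public override bool RoleExists(string roleName) => throw new NotSupportedException();
    }
}

namespace WebDevelopment.Web.Controllers
{
    public class AdminController : Controller
    {
        // An authenticated user without the Administrator role gets HTTP 401,
        // which Forms authentication turns into a redirect to the login page,
        // exactly the behaviour the article describes.
        [Authorize(Roles = "Administrator")]
        public ActionResult Dashboard() => View();
    }
}
```

Because the role lookup runs on every request, the decision is only as trustworthy as the UserRoles table; write access to that table should be limited to the account administration code, not granted to the web application’s own database login.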

We can also make use of third-party authentication such as Google, Microsoft, Facebook etc. This is done by deriving our WebDevelopmentCustomAuth class from ExtendedMembershipProvider, whose base class is MembershipProvider. We also need to reference the WebMatrix.WebData assembly, and we can then adapt the AccountController to use the social types of authentication.

Custom authorization and authentication give us plenty of flexibility in implementing security; it is quite a wide topic. I have written up the most prominent way of implementing it, and I hope this helps you learn the customization and move forward in securing your application.

Thanks for reading, make your app Non-Screwable!
