ASP.NET Authorization for Content Written by JatApp

Category: General  /  Created: 07/14/2021 09:12:29  /  Modified: 07/14/2021 09:18:51

ASP.NET Authorization for Content Management Systems: Permission-Based Model

 
Because a set of syntactic constructions that limits access to code snippets for different groups of users meets the mentioned requirements, the permission entity can be used. What is the difference between a permission and a role?
A role is a grouping element in the structure of interaction “user – action.” That is why roles are strongly linked to the notion of “user” at the semantic and structural levels. Consequently, an entity that can group and abstract, but which is linked to the notion of “action,” i.e., to the content management system, is necessary. A permission is a separating element that adds a new level of abstraction to the structure of interaction.

From the standpoint of the developer, the functions of permissions are:

  • To group the system capacities in frames of acceptable user actions.

  • To allow the creation of formalized descriptions semantically linked to a specific set of the opportunities within the content management system.

  • To bind code access to the initial code.

  • To provide objects in a form that allows you to implement structure interactions with roles and separate users of the content management system.

Now let’s examine the “permission” entity in more detail. A permission usually has a name that is lexically and semantically linked to some action of the system. For example, a user who has «AddUserModulePermission» can add user modules. However, a name is not enough to provide unique identification. If there are several types of user modules in the system, a conflict of names may occur.

As mentioned above, a content management system consists of a set of continuously updated, added and deleted blocks. That is why assuming the uniqueness of permission names is incorrect. To provide unique permissions throughout the entire system, globally unique identifiers (GUIDs) are used. Another benefit of using GUIDs is the ease of manipulating them in database management systems.

To bind code access permissions to the initial code of the system components, the following entities are required:

  • Classes that allow you to use an imperative programming style;

  • Attributes that allow you to use a declarative programming style for code access security.

The classes AllowCMSPermission and DenyCMSPermission, which implement the IPermission interface, are used to apply an imperative programming style. Implementing the interface is necessary for all classes that are part of the security system and are used to limit access to parts of the code.
A unique permission identifier is passed to the class constructor when the class is created. IPermission.Demand() is the key interface method for using the created class instance. When the method is called, the user is checked for the presence or absence of a permission: the one whose identifier was passed to the constructor when the class instance was created.

If the user, or the user's role, does not meet the permission condition, a SecurityException is thrown. The two classes are opposites of each other: AllowCMSPermission approves users who have the required permission, while DenyCMSPermission approves users who do not have the permission.

The two attribute classes, AllowCMSPermissionAttribute and DenyCMSPermissionAttribute, are used for a declarative programming style. They are derived from the CodeAccessSecurityAttribute class, which has a very useful characteristic in terms of a security system. Before the method call, the CLR checks whether the method is linked to an attribute derived from the CodeAccessSecurityAttribute class. If it is, the method CodeAccessSecurityAttribute.CreatePermission(), which returns a reference to an object that implements the IPermission interface, is called. Then the CLR calls the method Demand(). Of course, these attribute classes also implement the opposite conditions of permission availability. Another useful characteristic of these attributes is the ability to combine them. If it is necessary for a user who has at least one permission to call a method, it is enough to list the attributes with the identifiers of the necessary permissions before the method declaration.
Finally, the ability to check the set of permissions associated with a particular user is necessary. This ability is provided by the extended implementation of the IPrincipal interface. IPrincipal is a standard mechanism for retrieving information about the user in ASP.NET and WinForms. That is why we drew from it and created the new method ICMSPrincipal.HasPermission(). The unique permission identifier is passed as a parameter, and the Boolean that defines whether the user has the permission or not is returned.
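
The imperative style described above, as an added C# sketch that is not the CMS's own code: AllowCMSPermission and DenyCMSPermission ask ICMSPrincipal.HasPermission() about the current principal and throw SecurityException when the condition fails. DemoPrincipal, CMSPermissionBase, the GUID values, reading Thread.CurrentPrincipal and rejecting an unknown principal are assumptions made for the example; the remaining System.Security.IPermission members are omitted.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Extended principal named on the page; only HasPermission(Guid) is described there.
public interface ICMSPrincipal : IPrincipal { bool HasPermission(Guid permissionId); }

// Hypothetical principal for this demo: granted permissions are a list of GUIDs.
public sealed class DemoPrincipal : GenericPrincipal, ICMSPrincipal
{
    private readonly Guid[] _granted;
    public DemoPrincipal(string name, params Guid[] granted)
        : base(new GenericIdentity(name), new string[0]) { _granted = granted; }
    public bool HasPermission(Guid permissionId) => Array.IndexOf(_granted, permissionId) >= 0;
}

// Hypothetical shared base: of the page's IPermission classes only Demand() is modelled.
public abstract class CMSPermissionBase
{
    private readonly Guid _id;
    private readonly bool _mustHave;
    protected CMSPermissionBase(Guid id, bool mustHave) { _id = id; _mustHave = mustHave; }
    public void Demand()
    {
        // Fail closed: a missing or non-CMS principal is rejected by both classes.
        var user = Thread.CurrentPrincipal as ICMSPrincipal;
        if (user == null || user.HasPermission(_id) != _mustHave)
            throw new SecurityException("Permission check failed for " + _id);
    }
}
public sealed class AllowCMSPermission : CMSPermissionBase
{ public AllowCMSPermission(Guid id) : base(id, true) { } }
public sealed class DenyCMSPermission : CMSPermissionBase
{ public DenyCMSPermission(Guid id) : base(id, false) { } }

public static class Demo
{
    // Constructed GUIDs for two permissions that would share one display name.
    static readonly Guid AddNewsModule = new Guid("11111111-1111-1111-1111-111111111111");
    static readonly Guid AddForumModule = new Guid("22222222-2222-2222-2222-222222222222");
    public static void Main()
    {
        Thread.CurrentPrincipal = new DemoPrincipal("editor", AddNewsModule);
        new AllowCMSPermission(AddNewsModule).Demand();  // holds it: passes
        new DenyCMSPermission(AddForumModule).Demand();  // lacks it: passes
        try { new AllowCMSPermission(AddForumModule).Demand(); }
        catch (SecurityException e) { Console.WriteLine("Blocked: " + e.Message); }
    }
}
```

Code Access Security is not supported on .NET Core and .NET 5+, so the declarative form built on CodeAccessSecurityAttribute applies to .NET Framework only.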

Compared to the traditional role-based authorization model, the permission-based model may look bulkier, but it works perfectly. The permission-based model is used as an extension to the existing role model when the capacity of the role model is not enough for effective authorization system management.