More on Securing Entities in ASP.NET Dynamic Data

In the last post I talked about how to expose or hide specific tables in ASP.NET Dynamic Data. What if you want to do this based on authorization rules, e.g. whether a user is authenticated or a member of a particular role? ASP.NET offers a powerful set of application services that include authentication and role-based authorization. It'd be a shame not to use them.

The first (and easiest) way to control access is declaratively in web.config. However, because Dynamic Data makes use of ASP.NET Routing, you can't simply create a local web.config file in the folder you want to secure: a routed URL such as Order_Details/List.aspx has no physical folder behind it, so a folder-level web.config won't apply to requests that are dispatched via an IRouteHandler. Instead you can make use of the location element under <configuration> in web.config. This allows you to specify the (virtual) path that the configuration settings apply to, and URL authorization checks the requested URL before routing rewrites it. E.g. to prevent access to the List view on my Order_Details table I would use the following. Note that authorization rules are evaluated in order and the first match wins, so a bare deny users="*" shuts out authenticated users as well; an allow element naming a role, placed before the deny, would open the view to that role only.

  <location path="Order_Details/List.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

Alternatively, if you want additional flexibility, it's possible to hook into the routing mechanism itself. To do this I would create my own IRouteHandler and Route (both derived from their DynamicData equivalents) and add some authorization in there. Here's a simple example which ensures only authenticated users get access. This could easily be modified to check for roles and could be nicely hooked into a declarative mechanism to specify rules for particular tables.

Imports Microsoft.VisualBasic
Imports System
Imports System.Web
Imports System.Web.DynamicData

' Route handler that only hands out a page handler when the caller has
' already been authenticated (by Forms, Windows or whatever module is configured).
Public Class CustomDynamicDataRouteHandler
  Inherits DynamicDataRouteHandler

  Public Overrides Function CreateHandler(ByVal route As DynamicDataRoute, _
                                          ByVal table As MetaTable, _
                                          ByVal action As String) _
                                          As IHttpHandler

    If (HttpContext.Current.User.Identity.IsAuthenticated) Then
      Return MyBase.CreateHandler(route, table, action)
    Else
      ' An exception thrown here surfaces as an unhandled error (HTTP 500).
      ' Throwing HttpException(401, ...) instead would let the forms
      ' authentication module redirect the caller to the login page.
      Throw New UnauthorizedAccessException()
    End If

  End Function

End Class

' Route that plugs the handler above in for every request it matches.
Public Class CustomDynamicDataRoute
  Inherits DynamicDataRoute

  ' ByVal rather than ByRef: the url string is only read, never handed back.
  Sub New(ByVal url As String)
    MyBase.New(url)

    Me.RouteHandler = New CustomDynamicDataRouteHandler()
  End Sub

End Class

To make this work I simply add a CustomDynamicDataRoute in RegisterRoutes() rather than a DynamicDataRoute.
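As an added example (not code from the original post), here is the role- and table-specific variant the text alludes to, together with the RegisterRoutes wiring. The rule table keyed by "Table/Action", the roles Sales and HR, the Employees table and the MyDataContext model type are all invented for illustration; only Order_Details comes from the post. Instead of subclassing DynamicDataRoute it simply assigns the handler to a stock route.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web
Imports System.Web.DynamicData
Imports System.Web.Routing

' Added example, not from the original post: a role-aware route handler.
' Rules are keyed "Table/Action" ("*" as the action matches every action) and
' map to the role a caller must hold. Tables with no rule stay open to any
' authenticated user; anonymous callers are always refused.
Public Class RoleCheckingRouteHandler
  Inherits DynamicDataRouteHandler

  Private ReadOnly _rules As Dictionary(Of String, String)

  Public Sub New(ByVal rules As Dictionary(Of String, String))
    ' Table and action names arrive from the URL, so match keys case-insensitively.
    _rules = New Dictionary(Of String, String)(rules, StringComparer.OrdinalIgnoreCase)
  End Sub

  Public Overrides Function CreateHandler(ByVal route As DynamicDataRoute, _
                                          ByVal table As MetaTable, _
                                          ByVal action As String) As IHttpHandler
    Dim user As IPrincipal = HttpContext.Current.User

    If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
      ' 401 rather than an arbitrary exception: FormsAuthenticationModule turns a
      ' 401 into a redirect to the login page, whereas an unhandled
      ' UnauthorizedAccessException produces a 500 error page.
      Throw New HttpException(401, "Authentication required")
    End If

    Dim requiredRole As String = FindRequiredRole(table.Name, action)
    If requiredRole IsNot Nothing AndAlso Not user.IsInRole(requiredRole) Then
      ' 403, not 401: an authenticated user who lacks the role must not be
      ' bounced back to the login page in a loop.
      Throw New HttpException(403, "Role '" & requiredRole & "' is required for " & _
                                   table.Name & "/" & action)
    End If

    Return MyBase.CreateHandler(route, table, action)
  End Function

  ' Most specific rule wins: "Table/Action" is consulted before "Table/*".
  Private Function FindRequiredRole(ByVal tableName As String, ByVal action As String) As String
    Dim role As String = Nothing
    If _rules.TryGetValue(tableName & "/" & action, role) Then Return role
    If _rules.TryGetValue(tableName & "/*", role) Then Return role
    Return Nothing
  End Function

End Class

' Global.asax wiring. MyDataContext, the Sales and HR roles and the Employees
' table are assumptions made for this example; only Order_Details is from the post.
Public Class RouteRegistration

  Public Shared Sub RegisterRoutes(ByVal routes As RouteCollection)
    Dim model As New MetaModel()
    model.RegisterContext(GetType(MyDataContext), _
                          New ContextConfiguration() With {.ScaffoldAllTables = False})

    ' Constructed sample rules; a real site would load these from web.config or a
    ' database table so that the rules stay declarative instead of compiled in.
    Dim rules As New Dictionary(Of String, String)
    rules.Add("Order_Details/*", "Sales")    ' every action on Order_Details needs Sales
    rules.Add("Employees/Edit", "HR")        ' listing/viewing employees is open to any
    rules.Add("Employees/Insert", "HR")      ' authenticated user, changing them needs HR

    Dim route As New DynamicDataRoute("{table}/{action}.aspx")
    ' Assign the handler before Model: DynamicDataRoute stores the model on its
    ' current RouteHandler, so a handler swapped in afterwards would have none.
    route.RouteHandler = New RoleCheckingRouteHandler(rules)
    route.Constraints = New RouteValueDictionary(New With {.action = "List|Details|Edit|Insert"})
    route.Model = model
    routes.Add(route)
  End Sub

End Class
```

With this in place an anonymous request for Order_Details/List.aspx is sent to the login page, an authenticated user outside the Sales role gets a 403, and a Sales member sees the normal scaffolded List page. The check runs for every table the route matches, so unlike the web.config approach you don't have to remember to add a location element when a new table is exposed.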

I have to admit it took me ages to get the VB syntax right for the above. It also took me a while to figure out that TypeOf in VB is not the same thing as TypeOf in C#. Oh well....

Technorati Tags: asp.net,dynamic data,security
