
Auth Design: Permissions, Roles and Claims #110


bogdan created

Hi Halil, I'd like to use Claims-based security in my project because it is more universal than Roles-based. Particularly, Roles can be implemented as claims. With the current Abp.Core design, IPermissionChecker is based on the Permission concept, which can be identified by some string. To use claims (using my own implementation of IPermissionChecker), I'm using and parsing permissions in the form:

[AbpAuthorize("MyClaimType=MyClaimValue")] public MyResult MyAction(MyInput input) {...}

Unfortunately, claims typically have long URI-based names (see the System.Security.Claims.ClaimTypes standard .NET type) and it is not convenient to have these names in an AbpAuthorizeAttribute. A more convenient approach would be to extend AbpAuthorizeAttribute and the permission checker such that it will be possible to write:

[AbpAuthorize(ClaimTypes.Role, "MyClaimValue")] public MyResult MyAction(MyInput input) {...}

What do you think?

-- Bogdan
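
The "ClaimType=ClaimValue" permission-string parsing described in the post above, as an added example that is not part of the original post and not ABP code. The names `ClaimPermission`, `TryParse`, `IsGranted` and the alias table are hypothetical; a custom IPermissionChecker implementation could delegate to a helper like this. Only System.Security.Claims types are used.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example: ClaimPermission and its members are hypothetical names, not ABP types.
public static class ClaimPermission
{
    // Short aliases so attributes need not carry full claim-type URIs (assumed mapping).
    private static readonly Dictionary<string, string> Aliases =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "role", ClaimTypes.Role },
            { "email", ClaimTypes.Email }
        };

    // Splits "type=value" on the first '=' only, so the value may itself contain '='.
    public static bool TryParse(string permissionName, out string type, out string value)
    {
        type = null; value = null;
        if (string.IsNullOrWhiteSpace(permissionName)) return false;
        int idx = permissionName.IndexOf('=');
        if (idx <= 0 || idx == permissionName.Length - 1) return false; // no type or no value
        string rawType = permissionName.Substring(0, idx).Trim();
        if (rawType.Length == 0) return false;
        type = Aliases.TryGetValue(rawType, out var full) ? full : rawType;
        value = permissionName.Substring(idx + 1); // value is compared exactly, not trimmed
        return true;
    }

    // Fails closed: a missing or unauthenticated principal, or a malformed string, is denied.
    public static bool IsGranted(ClaimsPrincipal user, string permissionName)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated) return false;
        if (!TryParse(permissionName, out var type, out var value)) return false;
        return user.HasClaim(type, value);
    }
}
public static class Demo
{
    public static void Main()
    {
        // Constructed sample principal holding one role claim.
        var user = new ClaimsPrincipal(
            new ClaimsIdentity(new[] { new Claim(ClaimTypes.Role, "Admin") }, "demo"));
        Console.WriteLine(ClaimPermission.IsGranted(user, "role=Admin"));               // alias form
        Console.WriteLine(ClaimPermission.IsGranted(user, ClaimTypes.Role + "=Admin")); // full URI form
        Console.WriteLine(ClaimPermission.IsGranted(user, "role=User"));                // claim not held
        Console.WriteLine(ClaimPermission.IsGranted(user, "MyClaimType"));              // malformed
    }
}
```

The helper treats any string it cannot parse as a denial, so a typo in an attribute locks the action rather than opening it.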


1 Answer(s)
  • hikalkan created
    Support Team

    Hi,

    Yes, making the AbpAuthorize attribute and permission checker more flexible can help people who want to use some custom mechanism for authorization. I also added an issue for that: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/496 Thanks for these design suggestions.