
AbpSession and AbpAuthorize #138


atlas30 created

Hi, we are trying to implement the Asp.Net Boilerplate framework as database first, but we are unable to integrate Abp Authorization. There are permissions and authorization tables in our existing database. Example: [AbpAuthorize("MENU_ITEM_MUAYENE")] We have added the APPUSERROLE model in to AbpSession, and if we add this attribute above the method it should check within AbpSession.yetkiler and, if the user has a corresponding authorization, the method should be allowed. We have tried to set the AbpSession and the AbpSession.UserId but with no success, and we are not sure if that is the right approach in the first place. Also, we encrypt/decrypt the username and password. Is there any method within boilerplate for this, or should we implement our own encryption method?


5 Answer(s)
  • hikalkan created
    Support Team

    Hi,

    As you're not using module-zero, you should implement some interfaces in order to make authorization work.

    • You should implement the IAbpSession interface (http://www.aspnetboilerplate.com/Pages/Documents/Abp-Session) to get the current UserId and TenantId (if you're not using multi-tenancy, just return 1). A sample implementation: https://github.com/aspnetboilerplate/module-zero/blob/master/src/Abp.Zero/Runtime/Session/AbpSession.cs You can get the UserId from a cookie or the session, depending on your implementation.

    • You should implement IPermissionChecker (http://www.aspnetboilerplate.com/Pages/Documents/Authorization) to check permissions from the database.

    When you implement these interfaces and register them to DI (you can use ITransientDependency for example, see docs: http://www.aspnetboilerplate.com/Pages/Documents/Dependency-Injection#DocRegisterDependencies), ABP's authorization infrastructure will work.

  • atlas30 created

    Thank you for your quick reply,

    We have implemented IAbpSession and it works. We can get the user id but it is null, because we couldn't understand how to set the userid. (How to set AbpSession.userid etc.) Also, what information should we set into userid? As far as I understand, we should save the userid information in both cookie and session, and whenever a method is called, we should send the userid and the other information with that request.

  • hikalkan created
    Support Team

    Hi,

    IAbpSession only requires getting the current UserId. You can get it from any source. Just provide it. The best method is to set the userId (as a long integer), encrypted, in a cookie and get it from this cookie on subsequent requests. You can also learn and use Microsoft's ASP.NET Identity Framework for membership management.

  • pnw created

    hikalkan wrote: "Hi,

    IAbpSession only requires getting the current UserId. You can get it from any source. Just provide it. The best method is to set the userId (as a long integer), encrypted, in a cookie and get it from this cookie on subsequent requests. You can also learn and use Microsoft's ASP.NET Identity Framework for membership management."

    Since IAbpSession only defines a getter for UserId, the assumption must be that initializing the value happens in AbpSession??

    I implemented AbpSession and now I just need to return a value from UserId. The value I need is in a cookie but HttpContext is not available in AbpSession. You mention providing it from a cookie but how do I get access to the cookies?

  • hikalkan created
    Support Team

    Hi,

    You can access HttpContext if you implement AbpSession in the .Web project (using HttpContext.Current...). Setting UserId will probably be on Login. You can even set it in and get it from Session. IdentityFramework does it well, module-zero uses it.

    Storing user information on login (IdentityFramework's SignIn method):

    https://github.com/aspnetboilerplate/module-zero-template/blob/master/src/AbpCompanyName.AbpProjectName.WebSpaAngular/Controllers/AccountController.cs#L85

    Getting from principals (IdentityFramework itself resolves the cookie and sets principals):

    https://github.com/aspnetboilerplate/module-zero/blob/master/src/Abp.Zero/Runtime/Session/AbpSession.cs
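The encrypted-cookie approach discussed in this thread, sketched as an added example that is not from any poster, ABP or module-zero: it uses System.Web's MachineKey.Protect, which encrypts and integrity-protects the value, so a client cannot read it or swap in another user's id. The class name, cookie name and purpose string are assumptions; a custom IAbpSession in the .Web project could return `UserIdCookie.Read(HttpContext.Current.Request)` from its UserId getter.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical helper; names below are assumptions, not ABP identifiers.
public static class UserIdCookie
{
    private const string CookieName = "app_uid";       // assumed cookie name
    private const string Purpose = "UserIdCookie.v1";  // binds the ciphertext to this one use

    // Call once at login, after the credentials have been verified.
    public static void Issue(HttpResponse response, long userId, TimeSpan lifetime)
    {
        // The expiry goes inside the protected payload so the client cannot extend it.
        var expiresUtc = DateTime.UtcNow.Add(lifetime);
        var payload = Encoding.UTF8.GetBytes(userId + "|" + expiresUtc.Ticks);
        var token = HttpServerUtility.UrlTokenEncode(MachineKey.Protect(payload, Purpose));

        response.Cookies.Add(new HttpCookie(CookieName, token)
        {
            HttpOnly = true,   // not readable from script
            Secure = true,     // sent over HTTPS only
            Expires = expiresUtc
        });
    }

    // Returns null for a missing, tampered, malformed or expired cookie.
    public static long? Read(HttpRequest request)
    {
        var cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            var raw = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (raw == null) return null;
            var parts = Encoding.UTF8.GetString(MachineKey.Unprotect(raw, Purpose)).Split('|');
            long userId, ticks;
            if (parts.Length != 2 || !long.TryParse(parts[0], out userId)
                                  || !long.TryParse(parts[1], out ticks))
                return null;
            return new DateTime(ticks, DateTimeKind.Utc) > DateTime.UtcNow ? userId : (long?)null;
        }
        catch (CryptographicException) { return null; }  // integrity check failed
        catch (FormatException) { return null; }         // not a valid encoded token
    }
}
```

On a web farm every server needs the same machineKey configuration, otherwise a cookie issued by one node fails to unprotect on another.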