
How to auth #77


mc xie created

First, I am very excited to have this framework; I even can't sleep well since I started studying ABP. It's great work, and I want to express my thanks here.

I have read these two documents many times: http://www.aspnetboilerplate.com/Pages/Documents/Authorization and http://www.aspnetboilerplate.com/Pages/Documents/Abp-Session

I want to develop authentication and authorization in my project. We have a login page; once we get the user's credentials, how do we store them in AbpSession with a specific field role = 'Admin', and how can we define an attribute that limits access for anyone whose role != 'Admin'?

I studied the Authorization document, but I am still confused by the example below: why can it be defined like this?

using Abp.Authorization;

// Declares the permission tree that [AbpAuthorize] and IsGranted checks refer to.
// Declaring a permission here does not grant it to any user or role.
public class MyAuthorizationProvider : AuthorizationProvider
{
    public override void SetPermissions(IPermissionDefinitionContext context)
    {
        // Top-level permission
        var administration = context.CreatePermission("Administration");

        // Child permissions form a hierarchy; dotted names are the convention
        var userManagement = administration.CreateChildPermission("Administration.UserManagement");
        userManagement.CreateChildPermission("Administration.UserManagement.CreateUser");

        var roleManagement = administration.CreateChildPermission("Administration.RoleManagement");
    }
}

And where do I define the user's permissions?

thanks, MC


8 Answer(s)
  • hikalkan created
    Support Team

    Hi,

    The authorization system of ASP.NET Boilerplate only defines and checks permissions. It does not store them anywhere or grant them to a specific role or user.

    So, where to do it? One way: you implement it all. This is surely hard. Second way: use module-zero. It's not documented yet (we should wait a few more weeks for docs). But there is a sample project: https://github.com/aspnetboilerplate/module-zero/tree/master/sample In this project, there are login (https://github.com/aspnetboilerplate/module-zero/blob/master/sample/ModuleZeroSampleProject.Web/Controllers/AccountController.cs#L43) and permission checking (https://github.com/aspnetboilerplate/module-zero/blob/master/sample/ModuleZeroSampleProject.Application/Questions/QuestionAppService.cs#L63) examples.

    For permission management, we're using UserManager and RoleManager. They have many methods to add a permission to a user or role. Download the project and play with the code.

  • mc xie created

    I am so glad to have your answers. I successfully referenced Abp.Zero and Abp.EntityFramework by studying your example. Authentication and authorization are working now.

    One more question is how to store the user's information at both the client and application level after the user logs in. I can see that IAbpSession already has the UserId; we want to extend it with one more piece of information.

    For example, we have a guid field and a companyId for each user. Because these two fields are frequently used, we want to store the guid and companyId in the global session (I think it must be in the session) and use them at every application level and at the client level.

    The question is how to store these two fields and how to fetch them from the client side and the application side in a best-practice way. Thanks for your great work.

  • hikalkan created
    Support Team

    Hi,

    I'm glad that it worked.

    AbpSession.TenantId is similar to your need. We are storing it in the cookie (not in a server-side session).

    To store it on the server side: override the CreateIdentityAsync method in UserManager and add your claim like this: https://github.com/aspnetboilerplate/module-zero/blob/master/src/Abp.Zero/Authorization/Users/AbpUserManager.cs#L370 You can do the same thing in the Login method. You can add claims to the identity.

    To retrieve it on the server side, see AbpSession.TenantId: https://github.com/aspnetboilerplate/module-zero/blob/master/src/Abp.Zero/Runtime/Session/AbpSession.cs#L32 It uses Thread.CurrentPrincipal to retrieve it.

    You can extend the AbpSession class, write an extension method, and so on...

    For the client side, if you're working on an SPA, you can get this session information on first entrance to the application and store it in a global JS variable or something like that.

  • hikalkan created
    Support Team

    BTW, ASP.NET's classic Session object is not preferred in ASP.NET Web API. See http://stackoverflow.com/questions/11478244/asp-net-web-api-session-or-something for example.
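The two answers above describe the pattern (add a claim to the identity at login, read it back from Thread.CurrentPrincipal the way AbpSession reads TenantId, and expose it through an extension method). The following is an added example that is not code from the thread, from ABP or from module-zero. It assumes the login code already has the ClaimsIdentity that UserManager.CreateIdentityAsync returns; the claim type name, the CompanyClaim and AbpSessionCompanyExtensions classes are inventions for this example. The same pattern covers the guid field with Guid.TryParse in place of int.TryParse.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using Abp.Runtime.Session;

// Added example (not from the thread, ABP or module-zero). Assumes the login
// code already holds the ClaimsIdentity produced for the user; the claim type
// and the class names below are assumptions made for this example.
public static class CompanyClaim
{
    // Assumed claim type. Keep it application-specific so it cannot collide
    // with the standard claim types.
    public const string Type = "Application_CompanyId";

    // Called by the login code after the identity is created. The value must
    // come from the server-side user record, never from a request parameter,
    // otherwise a user could choose his own companyId at login.
    public static void AddTo(ClaimsIdentity identity, int companyId)
    {
        if (identity == null)
        {
            throw new ArgumentNullException("identity");
        }

        identity.AddClaim(new Claim(Type, companyId.ToString(CultureInfo.InvariantCulture)));
    }
}

public static class AbpSessionCompanyExtensions
{
    // Reads the claim the same way AbpSession reads TenantId: from
    // Thread.CurrentPrincipal. Returns null for anonymous requests or when the
    // claim is missing or malformed; callers must treat null as "unknown",
    // not as "company 0".
    public static int? GetCompanyId(this IAbpSession session)
    {
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return null;
        }

        var claim = principal.Claims.FirstOrDefault(c => c.Type == CompanyClaim.Type);
        if (claim == null || string.IsNullOrEmpty(claim.Value))
        {
            return null;
        }

        int companyId;
        return int.TryParse(claim.Value, NumberStyles.Integer, CultureInfo.InvariantCulture, out companyId)
            ? companyId
            : (int?)null;
    }
}
```

In an application service or controller that already has an AbpSession property, `var companyId = AbpSession.GetCompanyId();` then returns the value carried in the authentication cookie. For the client side, hand the value to the SPA once at first load (for example from a small JSON endpoint) and keep it in a JS variable as the answer suggests, but keep reading it from the claim on the server for every request instead of trusting a companyId the client sends back.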

  • bvz created

    I am not using Zero.

    I have already added some roles with this:

    public override void SetPermissions(IPermissionDefinitionContext context)
    {
        // Each permission gets a display name from the application's localization source
        var admin = context.CreatePermission("Admin", new LocalizableString("Admin", MixTechConsts.LocalizationSourceName));
        var superadmin = context.CreatePermission("SuperAdmin", new LocalizableString("SuperAdmin", MixTechConsts.LocalizationSourceName));
        var user = context.CreatePermission("User", new LocalizableString("User", MixTechConsts.LocalizationSourceName));
    }
    

    My question is, when I call the API, and I hit something decorated with this:

    [AbpAuthorize("Admin")]
    

    How does ABP know which users have which roles?

    How does ABP know if the currently logged in user has the Admin role or not, so that it can decide if the user has access to the REST API call or not?

  • hikalkan created
    Support Team

    Hi,

    Did you read the authorization documentation: http://www.aspnetboilerplate.com/Pages/Documents/Authorization

    "The authorization system uses IPermissionChecker to check permissions. While you can implement it in your own way, it's fully implemented in the module-zero project. If it's not implemented, NullPermissionChecker is used, which grants all permissions to everyone."

    If you don't use module-zero, then you should implement the IPermissionChecker interface and register it in the DI container.

    BTW, permissions are not roles. While your style works, I advise using permission-based authorization instead of role-based because of its flexibility.
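The answer above names the missing piece in bvz's setup: without module-zero, nothing registers an IPermissionChecker, so NullPermissionChecker answers every [AbpAuthorize] check with "granted". The following is an added example of the implement-and-register step; it is not code from the thread, from ABP or from module-zero. It assumes the IPermissionChecker interface of the ABP version discussed here has the two members IsGrantedAsync(string) and IsGrantedAsync(long, string); the grant table, the checker class and the module name are inventions for this example.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Abp;
using Abp.Authorization;
using Abp.Dependency;
using Abp.Modules;
using Abp.Runtime.Session;

// Added example, not code from the thread, ABP or module-zero. Assumes the
// IPermissionChecker shape with IsGrantedAsync(string) and
// IsGrantedAsync(long, string); class, module and data are invented here.
public class InMemoryPermissionChecker : IPermissionChecker
{
    // Constructed sample data: permission names granted to each user id.
    // A real checker would read this from your own user/role store.
    private static readonly Dictionary<long, HashSet<string>> Grants =
        new Dictionary<long, HashSet<string>>
        {
            { 1L, new HashSet<string> { "SuperAdmin", "Admin", "User" } },
            { 2L, new HashSet<string> { "User" } }
        };

    private readonly IAbpSession _session;

    public InMemoryPermissionChecker(IAbpSession session)
    {
        _session = session;
    }

    // [AbpAuthorize("Admin")] ends up here for the current user. Anonymous
    // requests have no UserId and are denied: default deny, the opposite of
    // NullPermissionChecker, which grants everything to everyone.
    public Task<bool> IsGrantedAsync(string permissionName)
    {
        if (!_session.UserId.HasValue)
        {
            return Task.FromResult(false);
        }

        return IsGrantedAsync(_session.UserId.Value, permissionName);
    }

    public Task<bool> IsGrantedAsync(long userId, string permissionName)
    {
        HashSet<string> permissions;
        var granted = Grants.TryGetValue(userId, out permissions)
                      && permissions.Contains(permissionName);
        return Task.FromResult(granted);
    }
}

// Registering the checker in PreInitialize replaces the NullPermissionChecker
// fallback, so a forgotten registration no longer silently allows everyone.
[DependsOn(typeof(AbpKernelModule))]
public class MyAuthorizationModule : AbpModule
{
    public override void PreInitialize()
    {
        IocManager.Register<IPermissionChecker, InMemoryPermissionChecker>(DependencyLifeStyle.Transient);
    }
}
```

With this registered, a call decorated with `[AbpAuthorize("Admin")]` succeeds for user 1, fails for user 2 and fails for anonymous callers. It also illustrates the point about permissions versus roles: "Admin" here is a permission name that the checker looks up; a role would be a named set of such permissions assigned to users in your store, which is exactly what module-zero's RoleManager and UserManager manage for you.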

  • mc xie created

    Thank you so much, you are a genius!

  • hikalkan created
    Support Team

    Thanks :)