Wednesday, 22 February 2012

How Does System.Web.MVC.AuthorizeAttribute work???

using System.Web.Mvc;

public class HomeController : Controller   // controller name is illustrative
{
    // Any authenticated user
    [Authorize]
    public ActionResult AuthenticatedUsers() { return View(); }

    // Only the listed user names
    [Authorize(Users = "Betty, Johnny")]
    public ActionResult SpecificUserOnly() { return View(); }

    // Only members of one of the listed roles
    [Authorize(Roles = "Admin, Super User")]
    public ActionResult AdministratorsOnly() { return View(); }
}


The inner workings of the Authorize attribute are a mystery to all developers bar those who have taken the time to research what the hell it's doing under the hood - developers like yourself, presumably, since you're reading this!

This attribute works by looking at HttpContext.User, the principal that the authentication module set up earlier in the request pipeline.

First, it checks that

HttpContext.User.Identity.IsAuthenticated == true

If that is false the action is never invoked: the attribute returns an HttpUnauthorizedResult, i.e. an HTTP 401 (what happens to that 401 depends on the authentication mode, see below).

If you've provided specific user names to authorize, like this

[Authorize(Users = "Betty, Johnny")]

then it splits the string on commas, trims the whitespace around each entry, and requires the user name of the current request (HttpContext.User.Identity.Name) to match one of the entries (case-insensitive). If both Users and Roles are set, both checks must pass.

Finally, if you've provided specific Roles, like this

[Authorize(Roles = "Admin, Super User")]

Then the application calls

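To make the three checks concrete, here is an added, stand-alone re-implementation of the attribute's authorization logic. It is illustrative code written for this post, not the System.Web.Mvc source: it parses the Users and Roles strings the way the attribute does (split on commas, trim, compare names case-insensitively, check roles through IPrincipal.IsInRole) and runs them against GenericPrincipal instances constructed inline, so it compiles as a plain console app with no IIS or web project involved. The user and role names are made up.

```csharp
// Added example (not the ASP.NET MVC source): a stand-alone model of the check
// AuthorizeAttribute performs, exercised against constructed GenericPrincipals.
using System;
using System.Linq;
using System.Security.Principal;

static class AuthorizeCheck
{
    // Mirrors the attribute's parsing of Users="Betty, Johnny": split on commas,
    // trim whitespace, drop empty entries.
    static string[] SplitList(string list) =>
        (list ?? string.Empty)
            .Split(',')
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToArray();

    // Returns true when the principal would pass [Authorize(Users=..., Roles=...)].
    public static bool IsAuthorized(IPrincipal user, string users, string roles)
    {
        // 1. Anonymous requests always fail, regardless of Users/Roles.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // 2. If Users is set, Identity.Name must equal one entry (case-insensitive).
        var userList = SplitList(users);
        if (userList.Length > 0 &&
            !userList.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return false;

        // 3. If Roles is set, IsInRole must return true for at least one entry.
        //    When both Users and Roles are set, both filters apply.
        var roleList = SplitList(roles);
        if (roleList.Length > 0 && !roleList.Any(user.IsInRole))
            return false;

        return true;
    }

    // Constructed principals; a GenericIdentity with a non-empty name reports IsAuthenticated = true.
    static IPrincipal Principal(string name, params string[] roles) =>
        new GenericPrincipal(new GenericIdentity(name), roles);

    static void Main()
    {
        var anonymous = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        var betty  = Principal("betty", "Editor");        // lower-case on purpose
        var johnny = Principal("Johnny", "Admin");
        var frank  = Principal("Frank", "Super User");

        Console.WriteLine("anonymous, no filters:          " + IsAuthorized(anonymous, null, null));
        Console.WriteLine("betty, no filters:              " + IsAuthorized(betty, null, null));
        Console.WriteLine("betty vs Users=Betty, Johnny:   " + IsAuthorized(betty, "Betty, Johnny", null));
        Console.WriteLine("Frank vs Users=Betty, Johnny:   " + IsAuthorized(frank, "Betty, Johnny", null));
        Console.WriteLine("Frank vs Roles=Admin, Super User: " + IsAuthorized(frank, null, "Admin, Super User"));
        Console.WriteLine("Johnny vs Users+Roles=Editor:   " + IsAuthorized(johnny, "Betty, Johnny", "Editor"));
    }
}
```

Two things the output makes visible that the attribute's one-line usage hides: the role "Super User" only matches because the whitespace after the comma is trimmed, and Johnny is refused the last action even though he is on the Users list, because the Roles filter is applied as well.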

How Does HttpContext.User get set?

The answer depends on whether your application is using Forms or Windows authentication.

This article explains the ASP.Net Security Architecture - a MUST READ for any serious ASP.Net developer!

Forms Authentication

If you're using FormsAuthentication (as opposed to Windows Authentication, for example), the FormsAuthenticationModule will handle the forms authentication control flow as part of the ASP.Net Request Processing Pipeline.

The FormsAuthenticationModule authenticates the user by inspecting the forms authentication ticket, which is typically included in the user's cookies collection. If no forms authentication ticket is present, the user is anonymous and not authenticated (see: source).

Note that in Windows authentication scenarios, when the user is not authenticated, the HTTP 401 status is returned to the browser. This status code causes the browser to prompt the user for their credentials via a modal dialog box.

With FormsAuthentication, however, the HTTP 401 Unauthorized status is never sent to the browser. Instead, the FormsAuthenticationModule detects the HTTP 401 status and modifies it to redirect the user to the login page (as configured in the <authentication> section of the web.config) via an HTTP 302 Redirect status.

The user will then submit their logon credentials via the HTML Form. The credentials are then authenticated against a data store; typically a Microsoft SQL Server database or Microsoft Active Directory directory service.

If the credentials are valid, the login page code issues an authentication ticket to the browser (in a cookie, or in the URL for cookieless sessions) and redirects the browser to the original URL carried in the ReturnUrl query-string parameter, which the FormsAuthenticationModule appended when it rewrote the 401 into the redirect. FormsAuthentication.RedirectFromLoginPage does both steps in one call.

Now that the request carries a valid forms authentication ticket, the FormsAuthenticationModule decrypts it, builds a FormsIdentity from it and sets HttpContext.User to a GenericPrincipal wrapping that identity, so HttpContext.User.Identity.IsAuthenticated is true!

Note that this GenericPrincipal carries no roles of its own, so IsInRole (and therefore [Authorize(Roles = ...)]) only works under Forms authentication if something later in the pipeline supplies them, typically the RoleManagerModule replacing HttpContext.User with a RolePrincipal when <roleManager enabled="true" /> is configured.

Note that the authentication ticket can be generated for you (by FormsAuthentication.RedirectFromLoginPage or the Login control, as described above) or explicitly, by calling FormsAuthentication.SetAuthCookie and issuing your own redirect.
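The flow above, driven explicitly from an MVC login action, as an added example (it is not code from the original post). It assumes an AccountController, a LogOnModel view model with UserName/Password/RememberMe properties, a configured membership provider behind Membership.ValidateUser, and a web.config with <authentication mode="Forms"> whose loginUrl points at ~/Account/LogOn. The ReturnUrl check with Url.IsLocalUrl (MVC 3 and later) is the caveat a practitioner would want here: the parameter is attacker-controllable, so it must only be followed back into this application.

```csharp
// Added example (not from the original post): explicit Forms Authentication login flow.
// Assumes web.config: <authentication mode="Forms"><forms loginUrl="~/Account/LogOn" /></authentication>
using System.Web.Mvc;
using System.Web.Security;

public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    // GET /Account/LogOn?ReturnUrl=%2FHome%2FAdministratorsOnly
    // FormsAuthenticationModule sends the browser here (302) after AuthorizeAttribute
    // produced a 401; ReturnUrl carries the URL that was originally requested.
    [HttpGet]
    public ActionResult LogOn(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Validate against the configured membership store (SQL Server, Active Directory, ...).
        if (!Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

        // Explicitly issue the forms authentication ticket. From the next request on,
        // FormsAuthenticationModule decrypts this cookie, builds a FormsIdentity and
        // sets HttpContext.User, so Identity.IsAuthenticated becomes true.
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

        // Only honour ReturnUrl when it points back into this application; otherwise a
        // ReturnUrl of http://evil.example/ would turn the login page into an open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Removes the ticket cookie; the browser is anonymous again on its next request.
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

FormsAuthentication.RedirectFromLoginPage(model.UserName, model.RememberMe) would replace the SetAuthCookie call and the redirect in one step; it also only follows ReturnUrl values that are relative to the application.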

Windows Authentication

Using Windows Authentication, however, the user is authenticated automatically via their domain account (i.e. IsAuthenticated is set to true), and HttpContext.User is set to the remote client's Windows user account.

Windows Authentication is implemented in ASP.NET using the WindowsAuthenticationModule module. The module constructs a WindowsIdentity based on the credentials supplied by IIS and sets the identity as the current User property value for the application.

IIS supplies these credentials via a number of authentication mechanisms, including anonymous authentication, Windows integrated (NTLM) authentication, Windows integrated (Kerberos) authentication, Basic (base64 encoded) authentication, Digest authentication, and authentication based on client certificates.
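An added example (not from the original post) of what the Windows authentication setup means for the attribute. It assumes Windows Authentication is enabled and Anonymous Authentication disabled for the site in IIS, that web.config has <authentication mode="Windows" />, and it uses placeholder domain, account and group names (CONTOSO, betty, johnny, Web Admins). The point a practitioner trips over: Identity.Name is the domain-qualified account name, so [Authorize(Users = "betty")] never matches a Windows user.

```csharp
// Added example (not from the original post): AuthorizeAttribute under Windows Authentication.
// Assumes web.config: <authentication mode="Windows" />; CONTOSO names are placeholders.
using System.Security.Principal;
using System.Web.Mvc;

public class IntranetController : Controller
{
    // Any authenticated Windows user. IIS has already completed the NTLM or Kerberos
    // handshake; WindowsAuthenticationModule wrapped the resulting token in a
    // WindowsPrincipal and assigned it to HttpContext.User.
    [Authorize]
    public ActionResult WhoAmI()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null)
            return new HttpUnauthorizedResult();   // not running under Windows authentication

        ViewBag.Name = identity.Name;                   // "CONTOSO\betty", not "betty"
        ViewBag.AuthType = identity.AuthenticationType; // "NTLM", "Negotiate" or "Kerberos"
        return View();
    }

    // Users= is compared against Identity.Name, which for Windows accounts includes
    // the domain, so the entries must be written DOMAIN\user.
    [Authorize(Users = @"CONTOSO\betty, CONTOSO\johnny")]
    public ActionResult SpecificDomainUsers() { return View(); }

    // Roles= goes through WindowsPrincipal.IsInRole, which checks the groups carried
    // in the caller's logon token, so Windows groups (domain or local) work directly.
    [Authorize(Roles = @"CONTOSO\Web Admins, BUILTIN\Administrators")]
    public ActionResult WindowsGroupOnly() { return View(); }
}
```

The verbatim strings (@"...") matter: a plain "CONTOSO\betty" would turn \b into a backspace character and the comparison would silently fail.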

See What Identity does IIS return to an ASP.NET application for more information about IIS authentication.

Click the following link for more information about IIS Authentication Mechanisms.

1 comment:

  1. So question about windows authentication. When you use the authorize attribute or do this (HttpContext.User.IsInRole(yourRolesHere)) does it go back to the domain server to check the credentials or are they stored after the user first hits the site? I'm asking because I don't really want to keep hitting the domain every time I do something that requires authorization.