4

Consider a website like: Confused.com, which is a price comparison website that has millions of registered users who use it for price comparison purposes. These users register their details for price comparison purposes?

How do you deal with administration i.e. people who work for the company in question? For example, lets say that admin user x wants to see all the quotes that were generated in the last 24 hours.

Would you use ASP.NET Identity for authentication and Role Based authorisation was used for authorisation. This would mean:

1) All users whether they are admin or non-admin (price comparison searches) would be contained in the same ASP.NET Identity table.

2) After the user has logged in, the app will figure out if they are admin. If they are admin then additional options appear on the screen or they are redirected to an admin webpage.

Does this sound right? Alternatively a separate app for admin could be developed.

How is this usually done?

Peter M
  • 2,029
  • 2
  • 17
  • 22
w0051977
  • 7,031
  • 6
  • 59
  • 87

2 Answers2

2

That's the general idea. Identity Management handles both the Identification and Authentication side of things. In other words, it provides you facts about a user and makes sure we know the user is who they say they are.

Your application then makes explicit decisions to allow access to certain features. That process is called Authorization. Asp.Net MVC does have additional features to help you such as the authorization related attributes:

[AllowAnonymous]

Explicitly allow anyone to this action, overrides class level authorization

[Authorize]

Authorize any authenticated user

[Authorize(Roles = "Administrators, Content Editor")]

Authorizes users with the role Administrators or Content Editor

What those do is prevent access to people who know the URL but don't have the proper authority to access the part of the application you want protected. The server responds with a 401 error which means "Unauthorized".

It's good practice to simply remove buttons or links that take you to protected areas of the application if the user doesn't have access. Once they log in, and are properly authenticated, we can grant them access.

Berin Loritsch
  • 45,784
  • 7
  • 87
  • 160
  • Thanks. Does it makes sense to use your strategy for a large DDD app. – w0051977 Aug 30 '17 at 14:04
  • It's the framework's strategy. The alternative is to handle the authorization in the business objects themselves, as long as you have a mechanism to preserve the HTTP response codes. – Berin Loritsch Aug 30 '17 at 15:05
  • Thanks. Can you have a look at my other question here: https://softwareengineering.stackexchange.com/questions/356660/is-an-administration-facility-a-bounded-context-in-its-own-right – w0051977 Sep 01 '17 at 18:23
  • 5 years late to the party, but I'll throw in my question anyways: if such application had a domain model for users, how would this relate to the asp.net identity user? Would you have to reference asp.net identity in the domain layer? – Kappacake Apr 01 '22 at 17:50
  • That side of things is a bit different. I did build something like that 5 years ago, but the way you extend identity management has changed significantly since then. You'll have to check the current extension mechanisms. – Berin Loritsch Apr 02 '22 at 14:32
0

You would normally segment or 'modularize' your application. With MVC you could use areas and apply different authorization to an 'admin' (and other) area/s.

The differentiation here is:

  • Authentication, determining if the user is allowed to login
  • Authorization, determining what the user is allowed to access

If you modularize your application into numerous areas, you can apply authorisation against those areas and also security trim any menu's or visualizations per authorization role using some built in mechanisms.

Walkthrough: Organizing an Application using Areas

Depending on your adherence to DDD, you could also potentially use an area per domain and taking it a step further have each area as an independent entity so different teams could code and test each area in isolation of the other areas before bringing it together for e2e testing of the superset of areas/domains.

click2install
  • 179
  • 3