Enable authentication in KAPTL ASP.NET MVC app

Stas Demchuk

by Stas Demchuk on 11/19/2015

ASP.NET MVC

As mentioned in the previous article, implementing authentication and authorization in enterprise applications is one of the trickiest, but at the same time most interesting, tasks.

Let's go through the process of creating a security system for your ASP.NET MVC app generated by KAPTL. We'll use our example ruleset to generate a new app:

// example
App name is "Car Service".

Address has a street address, city, state, zip.

User has a name, email, user type, date joined, home address.
User types are driver, client. Date joined is a date field. Home address is an address.

Order has date, client, driver, source address, destination address, pickup time, order status, cost.
Date is a date field. Order statuses are new, picked up, dropped off, cancelled.
Client is a user. Driver is a user.
Source address is an address. Destination address is an address.

Main page title is "Welcome to Car Service"
Main page content is "<i>A Customer</i> is <b>always a customer</b>!"

All you need to do to enable authentication is apply an [Authorize] attribute to the appropriate controller or method. For example:

MainController.Generated.cs, line 14
namespace Web.Controllers
{
    [Authorize] // all the requests to this controller will require the user to be authenticated
    public partial class MainController : BaseController
    {
        ... // generated actions (OrderList, OrderEdit, OrderDelete, ...) follow here
    }
}

Build and launch the application, and you will be redirected to the login page.

What about a scenario where you want all users to be able to look at the orders, but only authenticated ones can create and edit them? In this case, you should put [Authorize] right before the OrderEdit methods (both the GET overload that shows the form and the POST overload that saves it):

MainController.Generated.cs, line 259
[Authorize]
public ActionResult OrderEdit(int? id)
{
    using (_dbContextScopeFactory.CreateReadOnly())
    {
        ...
        return View(model);
    }
}

[Authorize]
[HttpPost]
public ActionResult OrderEdit(OrderViewModel viewModel)
{
    ...
    return View(viewModel);
}

Don't forget to delete the class-level [Authorize] from line 16 if you were following the steps in this article from the beginning; otherwise the whole controller still requires authentication. Build and launch the application again, navigate to "Order", and click "Add Order". You will once again be redirected to the login page.

Now suppose only an admin may delete orders from the site. In this case you need to check the user's role in addition to whether the user is authenticated. Luckily, we can handle this by passing a parameter to the Authorize attribute. Here is an example:

MainController.Generated.cs, line 349
[Authorize(Roles = "admin")]
public ActionResult OrderDelete(int id)
{
    ...
    // do some stuff to delete the record from the database
    return RedirectToAction("OrderList");
}

Build and launch the application again and try to delete an existing order. Unless you're signed in as a user in the "admin" role, you will not be permitted to do this.
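As an added example that is not part of the generated project or the original post, here is a single controller combining the three patterns above (public list, authenticated edit, admin-only delete), plus a small reflection check you can call from a unit test to catch a state-changing action that was left unprotected. The names OrderController, OrderViewModel and AuthorizationAudit are hypothetical; [AllowAnonymous] is the standard System.Web.Mvc attribute for opting one action out of a class-level [Authorize].

```csharp
// Added example (not from the KAPTL-generated project); names are hypothetical.
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

namespace Web.Controllers
{
    // Requiring authentication at class level makes "deny by default" the baseline;
    // individual actions opt out with [AllowAnonymous] rather than opting in one by one.
    [Authorize]
    public class OrderController : Controller
    {
        // Anyone may view the list: explicitly opted out of the class-level [Authorize].
        [AllowAnonymous]
        public ActionResult OrderList()
        {
            return View();
        }

        // Inherits [Authorize] from the class: any authenticated user may open the form.
        public ActionResult OrderEdit(int? id)
        {
            return View();
        }

        // The POST that actually changes data is covered by the same class-level attribute.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult OrderEdit(OrderViewModel viewModel)
        {
            if (!ModelState.IsValid) return View(viewModel);
            return RedirectToAction("OrderList");
        }

        // Only members of the "admin" role may delete. The check is User.IsInRole("admin"),
        // so the role name must match exactly what your role/membership provider issues.
        [Authorize(Roles = "admin")]
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult OrderDelete(int id)
        {
            return RedirectToAction("OrderList");
        }
    }

    public class OrderViewModel { public int? Id { get; set; } }

    // Audit helper (hypothetical): returns every public POST action on a controller that is
    // reachable without authentication. Assert the result is empty from a unit test so a
    // forgotten [Authorize] fails the build instead of shipping.
    public static class AuthorizationAudit
    {
        public static string[] UnprotectedPostActions(Type controllerType)
        {
            bool controllerRequiresAuth =
                controllerType.GetCustomAttributes(typeof(AuthorizeAttribute), true).Any();

            return controllerType
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
                .Where(m => m.GetCustomAttributes(typeof(HttpPostAttribute), true).Any())
                .Where(m => m.GetCustomAttributes(typeof(AllowAnonymousAttribute), true).Any()
                         || (!controllerRequiresAuth
                             && !m.GetCustomAttributes(typeof(AuthorizeAttribute), true).Any()))
                .Select(m => m.Name)
                .ToArray();
        }
    }
}
```

For the controller above, AuthorizationAudit.UnprotectedPostActions(typeof(OrderController)) returns an empty array; moving [AllowAnonymous] onto the POST OrderEdit, or removing the class-level [Authorize] without adding one to each POST action, makes it return that action's name. One behaviour worth knowing when you test the admin-only delete: AuthorizeAttribute answers a failed role check with a 401 just as it does a missing login, and forms authentication turns every 401 into a redirect to the login page, so a signed-in non-admin user lands on the login form rather than on an "access denied" page.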

Have any questions or suggestions? Let us know in the comments.