How to use policy-based authorization in ASP.NET Core
By Tan Lee Published on Jan 04, 2025 313
ASP.NET Core is a framework for building web applications across different platforms, policy-based authorization is a new feature that complements traditional role-based authorization.
While role-based authorization assigns permissions based on user roles, policy-based authorization offers a more flexible and loosely coupled security model, allowing developers to define custom authorization logic through policies.
In a policy-based security model, there are three key concepts: policy, requirement, and handler.
- A policy consists of requirements, which are made up of parameters that identify a user's credentials.
- A handler evaluates the user's authorization, determining which resources the user can access based on the policy and its requirements.
Register a policy in ASP.NET Core
A policy in ASP.Net Core is registered in the ConfigureServices method of the Startup.cs file.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthorization(options =>
{
options.AddPolicy("CustomAgePolicy", policy =>
policy.Requirements.Add(new MinimumAgeRequirement(18)));
});
}Implement a policy requirement class in ASP.NET Core
public class MinimumAgeRequirement : IAuthorizationRequirement
{
public MinimumAgeRequirement(int age)
{
MinimumAge = age;
}
protected int MinimumAge { get; set; }
}This class defines a custom requirement called MinimumAgeRequirement, which accepts an integer representing the minimum age required for authorization.
Implement a policy handler class in ASP.NET Core
public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationContext context, MinimumAgeRequirement requirement)
{
if (!context.User.HasClaim(c => c.Type == ClaimTypes.DateOfBirth))
{
return Task.CompletedTask;
}
var dob = Convert.ToDateTime(context.User.FindFirst(c => c.Type == ClaimTypes.DateOfBirth).Value);
var age = DateTime.Now.Year - dob.Year;
if (dob > DateTime.Now.AddYears(-age)) age--;
if (age >= requirement.MinimumAge)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}In this example, the MinimumAgeHandler evaluates the DateOfBirth claim of the user and checks if their age meets or exceeds the minimum required age.
Applying the Authorization Policy
To apply this policy in your application, you would use the [Authorize] attribute like this:
[Authorize(Policy = "CustomAgePolicy")]
public class ProfileController : Controller
{
// Controller actions go here...
}Here, the ProfileController is protected by the CustomAgePolicy, meaning that only users who meet the age requirement will be authorized to access its actions.
- How to Initialize TagHelpers in ASP.NET Core with Shared Data
- Boost Your ASP.NET Core Website Performance with .NET Profiler
- The name 'Session' does not exist in the current context
- Implementing Two-Factor Authentication with Google Authenticator in ASP.NET Core
- How to securely reverse-proxy ASP.NET Core
- How to Retrieve Client IP in ASP.NET Core Behind a Reverse Proxy
- Only one parameter per action may be bound from body in ASP.NET Core
- The request matched multiple endpoints in ASP.NET Core
Categories
Popular Posts
Portal HTML Bootstrap
Nov 13, 2024
Freedash bootstrap lite
Nov 13, 2024
Motiv MUI React Admin Dashboard Template
Nov 19, 2024
K-WD Tailwind CSS Admin Dashboard Template
Nov 17, 2024