Posted 13 Jul 2013

MVC Dynamic Authorization

Bahram Ettehadieh, 14 Jul 2013
A simple way to implement "Dynamic Authorization" with the ability to assign permissions for actions to roles or users.


In MVC, the default way to perform authorization is to hard-code the "Authorize" attribute in the controllers, for each action. In this article I will explain a simple way to implement "Dynamic Authorization" with the ability to assign permissions for actions to roles or users.

Using the code 

First I will explain my user authentication and role assignment model. I have used Forms Authentication in this scenario; here is my sample login action:

// action of the account controller; needs System.Collections.Generic, System.Web.Mvc and System.Web.Security
public ActionResult Login(LoginModel model, string returnUrl)
{
    //sample data
    Dictionary<string, string> users = new Dictionary<string, string>();
    users.Add("admin", "admin-pass");
    string roles;
    string password;

    //TryGetValue: an unknown user name must fail the login instead of throwing KeyNotFoundException
    if (users.TryGetValue(model.UserName, out password) && password == model.Password)
    {
        Session["User"] = model.UserName;
        roles = "admin;customer";
        // put the roles of the user in the Session
        Session["Roles"] = roles;

        HttpContext.Items.Add("roles", roles);

        //Let us now set the authentication cookie so that we can use that later.
        FormsAuthentication.SetAuthCookie(model.UserName, false);

        //Login successful lets put him to requested page
        //returnUrl is already bound from the query string by the action parameter;
        //RedirectToLocal is expected to kick him to the home page when no return URL is specified
        return RedirectToLocal(returnUrl);
    }

    // If we got this far, something failed, redisplay form
    ModelState.AddModelError("",
          "The user name or password provided is incorrect");
    return View(model);
}

All the actions that need authentication have to be loaded into a list, along with all of the roles and the actions that each role has access to; the sample code simulates these with "AllRoles" and "NeedAuthenticationActions". Then we need to create a base class for the controllers that overrides the OnActionExecuting method. In it, the user is authorized based on the current role and on whether he/she has logged in; an action may also need no authorization at all.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class ControllerBase : Controller
{
    private string ActionKey;

    //sample data for the roles of the application
    Dictionary<string, List<string>> AllRoles =
               new Dictionary<string, List<string>>();

    protected void initRoles()
    {
        AllRoles.Add("role1", new List<string>() { "Controller1-View",
          "Controller1-Create", "Controller1-Edit", "Controller1-Delete" });
        AllRoles.Add("role2", new List<string>() { "Controller1-View", "Controller1-Create" });
        AllRoles.Add("role3", new List<string>() { "Controller1-View" });
    }

    //sample data for the pages that need authorization
    List<string> NeedAuthenticationActions =
      new List<string>() { "Controller1-Edit", "Controller1-Delete" };

    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (AllRoles.Count == 0) initRoles(); //load the sample roles before the first check
        ActionKey = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName +
                           "-" + filterContext.ActionDescriptor.ActionName;
        if (NeedAuthenticationActions.Any(s => s.Equals(ActionKey, StringComparison.OrdinalIgnoreCase)))
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                //the format argument is cut off in the original listing; the current request URL is assumed
                string redirectUrl = string.Format("?returnUrl={0}",
                    HttpUtility.UrlEncode(filterContext.HttpContext.Request.RawUrl));
                filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl + redirectUrl);
                return; //setting Result stops the action from executing
            }
            //check role: Login stores the roles as one ';' separated string, so split it first
            string roles = (Session["Roles"] as string) ?? ""; //getting the current roles
            bool allowed = roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                .Any(r => AllRoles.ContainsKey(r) &&
                          AllRoles[r].Contains(ActionKey, StringComparer.OrdinalIgnoreCase));
            if (!allowed)
                filterContext.Result = new RedirectResult("~/NoAccess");
        }
    }
}

Points of Interest

Using this scenario there is no need to hard code the Authorize attribute and role or user names in the controller class, and all of them may be loaded from any source and be used dynamically.
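The base controller above checks only the actions named in NeedAuthenticationActions, so an action that is missing from that list is served without any check. The following added example (not the article's code; Decision, PermissionTable, Evaluate and the sample grants are hypothetical and constructed for illustration) inverts this to default-deny and extends the lookup to per-user grants, which the article mentions but does not show.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
public enum Decision { Allow, Challenge, Deny } // Challenge = redirect to the login page

// Hypothetical helper: one table for anonymous actions, role grants and user grants.
public class PermissionTable
{
    static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase; // MVC action names are case-insensitive
    readonly HashSet<string> anonymous = new HashSet<string>(Cmp);
    readonly Dictionary<string, HashSet<string>> grants = new Dictionary<string, HashSet<string>>(Cmp);

    public void AllowAnonymous(params string[] actionKeys) { anonymous.UnionWith(actionKeys); }

    // principal is "role:<name>" or "user:<name>", so a user name can never collide with a role name
    public void Grant(string principal, params string[] actionKeys)
    {
        if (!grants.TryGetValue(principal, out var set)) grants[principal] = set = new HashSet<string>(Cmp);
        set.UnionWith(actionKeys);
    }

    bool Granted(string principal, string actionKey) =>
        grants.TryGetValue(principal, out var set) && set.Contains(actionKey);

    // roles: the ';' separated string the login action stores in Session["Roles"]; userName null = not logged in
    public Decision Evaluate(string actionKey, string userName, string roles)
    {
        if (anonymous.Contains(actionKey)) return Decision.Allow;
        if (string.IsNullOrEmpty(userName)) return Decision.Challenge;
        var principals = (roles ?? "").Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => "role:" + r.Trim()).Concat(new[] { "user:" + userName });
        // anything not explicitly granted is denied, including actions added later and unknown roles
        return principals.Any(p => Granted(p, actionKey)) ? Decision.Allow : Decision.Deny;
    }
}

public static class Demo
{
    public static void Main()
    {
        var table = new PermissionTable(); // constructed sample data
        table.AllowAnonymous("Controller1-View");
        table.Grant("role:role2", "Controller1-Create");
        table.Grant("user:admin", "Controller1-Edit", "Controller1-Delete");
        Console.WriteLine(table.Evaluate("controller1-view", null, null));                  // public action, no login
        Console.WriteLine(table.Evaluate("Controller1-Edit", null, null));                  // protected action, no login
        Console.WriteLine(table.Evaluate("Controller1-Create", "bob", "role2"));            // grant through a role
        Console.WriteLine(table.Evaluate("Controller1-Edit", "admin", "admin;customer"));   // grant to the user
        Console.WriteLine(table.Evaluate("Controller1-Export", "admin", "admin;customer")); // action nobody registered
    }
}
```

In the base controller, Challenge corresponds to the login redirect and Deny to the ~/NoAccess redirect.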


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Bahram Ettehadieh
Web Developer
Iran (Islamic Republic of)
I hold a BS degree in software engineering and am a Microsoft Certified Solution Developer (MCSD).
I have more than 8 years of experience in .NET development, mostly web development using C# and ASP.NET.

Last Updated 14 Jul 2013
Article Copyright 2013 by Bahram Ettehadieh