Imperative authorization techniques

Declarative authorization (the Authorize attribute) runs before the controller or action method executes. Sometimes the decision depends on data that is only available inside the action, such as the resource being requested, so the action has to run first and then ask for an authorization decision. This is done with imperative authorization, also called resource-based authorization. Let's take the example of university courses, where the course page must be shown only to students who have paid their course fees.

To implement this authorization, we first inject IAuthorizationService into our Course controller through its constructor, as follows:

    public class CourseController : Controller
    {
        IAuthorizationService _authorizationService = null;

        public CourseController(IAuthorizationService authorizationService)
        {
            _authorizationService = authorizationService;
        }

Here is the action method that the user will invoke to load the course page:

    public async Task<IActionResult> ViewCourse(string courseCode)
    {
        Course course = GetCourseObject(courseCode);
        // The policy name must match the one registered in Startup ("CoursePaid")
        if (await _authorizationService.AuthorizeAsync(HttpContext.User,
            course, "CoursePaid"))
        {
            return View(course);
        }
        else
        {
            return new ChallengeResult();
        }
    }

In the preceding code snippet, we call the AuthorizeAsync method and pass the current user, the course object and the name of the policy that decides whether this user may view the course page.

As with the BaseLocation example, we define a requirement for the course and a CoursePaidHandler that evaluates it. The course object passed to AuthorizeAsync is available to the handler through context.Resource, and its IsPaid property denotes whether the student has paid the course fees:

    public class CoursePaidRequirement
        : Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
    {
        public CoursePaidRequirement()
        {
        }
    }

    public class CoursePaidHandler : Microsoft.AspNetCore.Authorization
        .AuthorizationHandler<CoursePaidRequirement>
    {
        protected override Task HandleRequirementAsync(
            Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context,
            CoursePaidRequirement requirement)
        {
            // The resource is whatever object the caller passed to AuthorizeAsync;
            // a safe cast avoids throwing if the policy is evaluated with a different type
            Course course = context.Resource as Course;
            if (course != null && course.IsPaid)
            {
                context.Succeed(requirement);
            }

            return Task.CompletedTask;
        }
    }

Finally, we will add the following lines in our Startup class to register the policy and CoursePaidHandler:

    services.AddAuthorization(options => options.AddPolicy(
        "CoursePaid", policy => policy.Requirements.Add(new CoursePaidRequirement())));
    services.AddSingleton<IAuthorizationHandler, CoursePaidHandler>();

Just as AuthorizeAsync is used at the controller level, it can also be used inside a view to show or hide a particular section of the page. The service is injected into the view and used as follows:

    @using Microsoft.AspNetCore.Authorization
    @model Models.Course
    @inject IAuthorizationService AuthorizationService
    @if (await AuthorizationService.AuthorizeAsync(User, Model, "CoursePaid"))
    {
        <p>Course fees paid? @Model.IsPaid</p>
    }
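The following is an added example, not code from the book, that puts the pieces above together in the shape ASP.NET Core 2.0 and later expect: there AuthorizeAsync returns an AuthorizationResult rather than a bool, so the action checks result.Succeeded. It also shows two details a practitioner wants in place: the action returns Forbid() for a logged-in student who has not paid and Challenge() only for anonymous callers (so an unpaid student is not sent round a login loop), and the policy is exercised outside a web request through a small console harness built from the same registrations as Startup. The Course class, the FindCourse lookup and the student names are assumptions made for the example.

```csharp
// Added example (not the book's code). Assumes ASP.NET Core 2.0 or later and
// references to the Microsoft.AspNetCore.Authorization and Mvc packages.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical resource type; IsPaid follows the book's CoursePaidHandler.
public class Course
{
    public string Code { get; set; }
    public bool IsPaid { get; set; }
}

public class CoursePaidRequirement : IAuthorizationRequirement { }

// The two-parameter handler base class binds the resource type, so the
// handler is only invoked when AuthorizeAsync was given a Course.
public class CoursePaidHandler : AuthorizationHandler<CoursePaidRequirement, Course>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        CoursePaidRequirement requirement,
        Course course)
    {
        bool authenticated = context.User.Identity != null
                             && context.User.Identity.IsAuthenticated;
        if (authenticated && course.IsPaid)
        {
            context.Succeed(requirement);
        }
        // No context.Fail(): another handler for the same requirement
        // (an administrator override, say) may still grant access.
        return Task.CompletedTask;
    }
}

public class CourseController : Controller
{
    private readonly IAuthorizationService _authorizationService;

    public CourseController(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }

    public async Task<IActionResult> ViewCourse(string courseCode)
    {
        Course course = FindCourse(courseCode); // hypothetical lookup
        if (course == null) return NotFound();

        AuthorizationResult result =
            await _authorizationService.AuthorizeAsync(User, course, "CoursePaid");
        if (result.Succeeded) return View(course);

        // Anonymous: ask for login. Authenticated but unpaid: 403, not a login loop.
        return User.Identity.IsAuthenticated ? (IActionResult)Forbid() : Challenge();
    }

    private Course FindCourse(string code) =>
        new Course { Code = code, IsPaid = code == "CS101" }; // constructed data
}

public static class PolicyHarness
{
    // Same registrations as the Startup snippet, minus the web host.
    public static IAuthorizationService Build()
    {
        var services = new ServiceCollection();
        services.AddLogging(); // DefaultAuthorizationService needs an ILogger
        services.AddAuthorization(options => options.AddPolicy("CoursePaid",
            policy => policy.Requirements.Add(new CoursePaidRequirement())));
        services.AddSingleton<IAuthorizationHandler, CoursePaidHandler>();
        return services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
    }

    static ClaimsPrincipal Student(string name) => new ClaimsPrincipal(
        new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, name) }, "TestAuth"));

    static ClaimsPrincipal Anonymous() => new ClaimsPrincipal(new ClaimsIdentity());

    public static async Task Main()
    {
        IAuthorizationService auth = Build();
        var paid = new Course { Code = "CS101", IsPaid = true };     // constructed
        var unpaid = new Course { Code = "CS102", IsPaid = false };  // constructed

        var cases = new (string label, ClaimsPrincipal user, Course course, bool expected)[]
        {
            ("anonymous, paid course", Anonymous(), paid, false),
            ("student, unpaid course", Student("alice"), unpaid, false),
            ("student, paid course", Student("alice"), paid, true),
        };

        foreach (var c in cases)
        {
            AuthorizationResult r = await auth.AuthorizeAsync(c.user, c.course, "CoursePaid");
            string verdict = r.Succeeded ? "allowed" : "denied";
            string check = r.Succeeded == c.expected ? "" : "  <-- UNEXPECTED";
            Console.WriteLine($"{c.label}: {verdict}{check}");
        }
    }
}
```

Running the harness prints a denied/denied/allowed line for the three constructed cases. Because the handler never calls Fail, the decision for the policy is the logical OR of all registered handlers for the requirement, which is the behaviour you want when a later chapter adds an administrator handler; if a handler must veto regardless of other handlers, it calls context.Fail() explicitly.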