Security

The platform uses Microsoft ASP.NET Identity and OWIN to provide security for the system. The ASP.NET Identity model required for implementation is implemented with the following classes:

To support the ASP.NET Identity model, several database tables were created to store the required information. The model was expanded from feature requirements to support effective date availability and permissions. The tables created for security include:

The ASP.NET Identity store classes are used to manipulate security objects. An IUserStoreBusinessRepository and an IUserStoreServiceRepository are used to access security in the application. If you are a host application, you would use the BusinessRepository. If you are a client host, you would use the ServiceRepository. The same is true for the IRoleBusinessRepository and IRoleServiceRepository. They are configured with the application using StructureMap in your application’s object location registration task. These repositories are configured and obtained in code through the following interfaces:

These interfaces should be used for most security routines, such as creating a user, getting a user by email, or getting a user’s roles and claims. However, you can operate on the underlying table data by using the Eleflex.Security* objects noted above.

Web controller methods can be secured with the [Authorize()] class attribute or with a custom implementation. The next example adds the [Authorize()] attribute to the Admin controller so that only users who have the “Admin” role are allowed to call the method.


    using System.Web.Mvc;

    // Class-level attribute: it applies to every action on this controller.
    [Authorize(Roles = "Admin")]
    public partial class AdminController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

Service command methods can be secured with the [PrincipalPermission()] attribute or with a custom implementation. The next example adds the [PrincipalPermission()] attribute to the Execute() method so that only users who have the “Admin” role are allowed to call the method.


    using System.Security.Permissions;

    [WCFCommandRegistration(typeof(ExampleRequest), typeof(ExampleResponse))]
    public partial class ExampleCommand : WCFCommand<ExampleRequest, ExampleResponse>
    {
        // The calling principal must be in the "Admin" role for Execute() to run.
        [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
        public override void Execute(ExampleRequest request, ExampleResponse response)
        {
            response.Output = "Hello " + request.Input;
        }
    }
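What the [PrincipalPermission()] demand above does at call time, shown as an added example that is not part of the platform's own code: the demand is evaluated against Thread.CurrentPrincipal and raises a SecurityException when the role is missing or the identity is not authenticated. It assumes the .NET Framework runtime; RoleDemandDemo, AdminOnly, CallAs and the user names are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical console harness; not part of the platform.
public static class RoleDemandDemo
{
    // Stand-in for a command's Execute() method, carrying the same demand.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    private static string AdminOnly(string input)
    {
        return "Hello " + input;
    }

    // Runs AdminOnly() under a constructed principal and reports the outcome.
    private static string CallAs(string userName, params string[] roles)
    {
        // The declarative demand reads the principal from the current thread,
        // so the host must have populated it before the method is invoked.
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(userName), roles);
        try
        {
            return AdminOnly(userName);
        }
        catch (SecurityException)
        {
            // The method body never ran; the demand failed first.
            return "denied (SecurityException)";
        }
    }

    public static void Main()
    {
        // Constructed sample principals.
        Console.WriteLine("alice [Admin]     -> " + CallAs("alice", "Admin"));
        Console.WriteLine("bob   [User]      -> " + CallAs("bob", "User"));
        // An empty name makes GenericIdentity.IsAuthenticated false, and the
        // attribute's Authenticated property defaults to true, so the role
        // alone is not enough.
        Console.WriteLine("anonymous [Admin] -> " + CallAs("", "Admin"));
    }
}
```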