Handle Access Denied in ASP.NET MVC

Today I had to add security to an application: check whether the logged-in user has permission to run a given function and, if not, redirect to an Unauthorised page. There are a few ways this can be achieved. Some developers prefer to put If/Else checks in the view and render only the parts the user is allowed to see. That works for hiding links and buttons, but it is not access control: the action itself is still reachable by anyone who types the URL, so the check has to run on the server before the action does. I think there is a more elegant way to handle this, and this is how I achieved it.

Create an attribute that redirects unauthorised requests to a SecurityController. To show a custom unauthorised message, the attribute accepts a reason string, which it passes along to the Unauthorized action.

Here is the code for the security attribute (it's in VB.NET, but I am sure you can convert it to C# easily):

Imports System.Web.Mvc
Imports System.Web.Routing

' Can be applied to a single action or to a whole controller class.
<AttributeUsage(AttributeTargets.Class Or AttributeTargets.Method, AllowMultiple:=True, Inherited:=True)> _
Public NotInheritable Class ApplySecurityAttribute
    Inherits ActionFilterAttribute

    Private ReadOnly _permission As Integer
    Private m_Reason As String

    Public Sub New(ByVal permission As Integer)
        Me.New(permission, String.Empty)
    End Sub

    ' permission: the id of the permission the caller must hold.
    ' reason_1: the message shown on the Unauthorised page when the check fails.
    Public Sub New(ByVal permission As Integer, ByVal reason_1 As String)
        _permission = permission
        Reason = reason_1
    End Sub

    Public Property Reason() As String
        Get
            Return m_Reason
        End Get
        Set(ByVal value As String)
            m_Reason = value
        End Set
    End Property

    Public Overrides Sub OnActionExecuting(ByVal filterContext As ActionExecutingContext)
        ' Runs before the action. If the current user lacks the permission,
        ' setting filterContext.Result short-circuits the action and sends a
        ' redirect to Security/Unauthorized, carrying the reason as a route value
        ' (it ends up on the query string).
        If Not PermissionsManager.HasPermission(_permission) Then
            Dim routeValueDictionary = New RouteValueDictionary() From { _
                {"controller", "Security"}, _
                {"action", "Unauthorized"}, _
                {"reason", Reason} _
            }
            filterContext.Result = New RedirectToRouteResult(routeValueDictionary)
        End If
    End Sub

End Class

Using the attribute is simple. Just declare it on a controller action like this:

<ApplySecurity(Enums.Permissions.OfficeUserViewReports, "You are not authorised to view reports")>

Here is the Security Controller class.

Imports System.Web.Mvc

Namespace YourCaretaker
    Public Class SecurityController
        Inherits System.Web.Mvc.Controller

        ' "reason" arrives on the query string after the redirect, so any user can
        ' supply it. Render it HTML-encoded in the view (@ViewBag.Reason in Razor,
        ' <%: ViewBag.Reason %> in ASPX), never with Html.Raw or <%= %>.
        Function Unauthorized(ByVal reason As String) As ViewResult
            ViewBag.Reason = reason
            Return View()
        End Function
    End Class
End Namespace

And finally the permission manager, where the actual check lives:

Imports System.Web

Public NotInheritable Class PermissionsManager
    Private Sub New()
    End Sub

    ' Decide from the server-side identity (HttpContext.Current.User), never from
    ' anything the client sent, and deny by default.
    Public Shared Function HasPermission(ByVal permissionId As Integer) As Boolean
        ' insert your implementation: Return True if the current user holds permissionId
        Return False
    End Function
End Class
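The same three pieces in C#, written for this page as an added example (it is not the author's code), with one structural change a practitioner would want: the attribute derives from System.Web.Mvc.AuthorizeAttribute rather than ActionFilterAttribute. ASP.NET MVC runs authorization filters before action filters, and AuthorizeAttribute also registers the cache-validation callback that stops [OutputCache] from serving a cached page to a caller who was never checked; an action filter doing authorization is skipped once the page is in the output cache. The example also returns a real 403 from the Unauthorized page, keeps the login redirect for anonymous callers, and treats the reason as untrusted input. The Permissions enum, the role-to-permission map in PermissionsManager and ReportsController are constructed for the example; the page does not show them.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

namespace YourCaretaker
{
    // Hypothetical permission ids; the page's Enums.Permissions is not shown.
    public enum Permissions { OfficeUserViewReports = 1, OfficeUserEditReports = 2 }

    // Authorization-filter version of the page's ApplySecurity attribute.
    // AuthorizeAttribute runs in the authorization stage (before action filters)
    // and cooperates with [OutputCache], so a cached page is never served to a
    // caller who was never checked.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
    public sealed class ApplySecurityAttribute : AuthorizeAttribute
    {
        private readonly int _permission;

        public ApplySecurityAttribute(int permission) : this(permission, string.Empty) { }

        public ApplySecurityAttribute(int permission, string reason)
        {
            _permission = permission;
            Reason = reason;
        }

        public string Reason { get; private set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // base.AuthorizeCore rejects anonymous callers (and applies Users/Roles if set).
            return base.AuthorizeCore(httpContext)
                && PermissionsManager.HasPermission(httpContext.User, _permission);
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // Not logged in: keep the default 401, which forms authentication
                // turns into a redirect to the login page.
                base.HandleUnauthorizedRequest(filterContext);
                return;
            }
            // Logged in but lacking the permission: redirect to the friendly page.
            // "reason" ends up on the query string, so the view must treat it as untrusted.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "controller", "Security" },
                { "action", "Unauthorized" },
                { "reason", Reason }
            });
        }
    }

    public class SecurityController : Controller
    {
        public ViewResult Unauthorized(string reason)
        {
            // Report the real status (403, not a 200 "error" page) so clients, proxies
            // and scanners see it; TrySkipIisCustomErrors stops IIS replacing the body.
            Response.StatusCode = 403;
            Response.TrySkipIisCustomErrors = true;
            // Render with @ViewBag.Reason (HTML-encoded by Razor), never @Html.Raw.
            ViewBag.Reason = string.IsNullOrEmpty(reason)
                ? "You are not authorised to perform this action."
                : reason;
            return View();
        }
    }

    public static class PermissionsManager
    {
        // Constructed role-to-permission map standing in for a real store.
        private static readonly Dictionary<string, HashSet<int>> RolePermissions =
            new Dictionary<string, HashSet<int>>(StringComparer.OrdinalIgnoreCase)
            {
                { "OfficeUser", new HashSet<int> { (int)Permissions.OfficeUserViewReports } },
                { "OfficeManager", new HashSet<int> { (int)Permissions.OfficeUserViewReports,
                                                      (int)Permissions.OfficeUserEditReports } }
            };

        // Decides from the server-side principal, never from anything the client sent.
        public static bool HasPermission(IPrincipal user, int permissionId)
        {
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false;
            foreach (var entry in RolePermissions)
                if (entry.Value.Contains(permissionId) && user.IsInRole(entry.Key))
                    return true;
            return false;
        }
    }

    // Usage. C# attribute arguments must be constants, hence the explicit cast.
    public class ReportsController : Controller
    {
        [ApplySecurity((int)Permissions.OfficeUserViewReports, "You are not authorised to view reports")]
        public ActionResult Index() { return View(); }
    }
}
```

To try it, log in as a user in the OfficeUser role and request /Reports; a logged-in user outside that role is redirected to /Security/Unauthorized?reason=... and gets the message with a 403 status, while an anonymous user goes to the login page as with the stock Authorize attribute. In the Razor view emit the message with @ViewBag.Reason, which Razor HTML-encodes; @Html.Raw(ViewBag.Reason) would let anyone who crafts that query string inject markup into your error page.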
Posted in .net, asp .net, mvc.