ASP.NET Core Authorize AD Groups through web.config

To expand on Morten_564834's answer, here is our approach for this problem. Create a base controller that all controllers inherit from. 

[Authorize(Policy = "AdUser")]
public class FTAControllerBase : Controller
{
    private readonly ApplicationDbContext _db;
    private readonly ILogHandler _logger;

    public FTAControllerBase(ApplicationDbContext DbContext, ILogHandler Logger, IWindowsAccountLinker WinAccountLinker)
    {
        _db = DbContext;
        _logger = Logger;

        /// get registered user via authenticated windows user.
        //var user = WinAccountLinker.LinkWindowsAccount();
    }
}

Then in your other controllers:

public class LettersController : FTAControllerBase
{ ... }

If you want granular permissions on methods:

[Authorize("GenerateLetterAdUser")]
[HttpGet]
public IActionResult Generate()
{
    return View();
}

Startup.cs:

// add authorization for application users
var section = Configuration.GetSection($"AuthorizedAdUsers");
var roles = section.Get<string[]>();
services.AddAuthorization(options =>
{
    options.AddPolicy("AdUser", policy => policy.RequireRole(roles));
});

AppSettings.json:

"AuthorizedAdUsers": [
"domain\\groupname"
],

I solved this by making it into a policy which is able to call appsettings.json. This way other people who have access to the server can then edit the group to their own.

In Startup.cs:

services.AddAuthorization(options =>
{
    options.AddPolicy("ADRoleOnly", policy => policy.RequireRole(Configuration["SecuritySettings:ADGroup"]));
});

services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    config.Filters.Add(new AuthorizeFilter(policy));
});

In appsettings.json (or perhaps appsettings.production.json if you have different):

"SecuritySettings": {
  "ADGroup": "YourDomain\\YourADGroup"
}

In your controllers you can then decorate it with this attribute:

[Authorize(Policy = "ADRoleOnly")]

Hope this can help other people

I have still to figure out how to apply this policy globally, so I don't have to authorize every controller, I'd figure it can be done in the services.AddMvc somehow?

Tags:

C#

Active Directory

Asp.Net Core

Asp.Net Core 2.0

Related

Using Sql Server with Django 2.0 Unable to display datetime correctly in iOS/Safari using ionic2/angular2 TensorFlow Object Detection API - what do the losses mean in the object detection api? In Vue.js how to use multiple router-views one of which is inside another component? How to convert pyspark.rdd.PipelinedRDD to Data frame with out using collect() method in Pyspark? Logout using react Native DrawerNavigator eal_memory.c:56:18: fatal error: numa.h: No such file or directory "_doc" mapping type name not accepted in ElasticSearch 5.6 How can I execute code before all tests suite with Cypress? java.lang.IllegalArgumentException: No injector factory bound for Class<MyActivity_> How to detect two different colors using `cv2.inRange` in Python-OpenCV? Function with a custom return type and the "false" return conditions?

Recent Posts