ASP.NET

TH01 Role-Based Security Stinks: How to Implement Better Authorization in ASP.NET WebAPI

05/19/2016

8:00am - 9:15am

Level: Advanced

Benjamin Day

Consultant & Trainer

Benjamin Day Consulting, Inc.

If your .NET user permissions are simple, you're in luck. Access the IPrincipal for the current user, call IsInRole(), and you're done in about three lines of code. It works great, until it doesn't. Then you're hosed.

When your application's user permissions model starts getting complicated, you'll instantly run into problems with .NET's role-based security. The good thing is it's not that hard to write your own custom authorization system.

This session will start by discussing what role-based security is all about and what its limits are in a typical ASP.NET or WebAPI application. From there, you'll go "off road" to talk about how to design, build, and test custom authorization schemes that handle more complex authorization scenarios. Along the way, you'll learn how to handle tricky details like user administration, creating arbitrary logical groupings of items & users, load testing your security code, and (most importantly) how to make all this code maintainable in the long term.

You will learn:

  • What IIdentity, IPrincipal, and role-based security are
  • What claims-based authentication is
  • How to implement a custom IPrincipal
  • How to implement a generic, maintainable authorization system for an ASP.NET MVC & WebAPI app