view raw
adem caglin adem caglin - 5 months ago 42
C# Question

How to implement Permission Based Access Control with Asp.Net Core

I am trying to implement permission based access control with aspnet core. For dynamically managing user roles and permissions(create_product, delete_product etc.), they are stored in the database. Data Model is like

Before aspnet core (in MVC 5) i was using custom

like below to handle the issue:

public class CustomAuthorizeAttribute : AuthorizeAttribute
private readonly string _permissionName { get; set; }
public IAccessControlService _accessControlService { get; set; }

public CustomAuthorizeAttribute(string permissionName = "")
_permissionName = permissionName;

public override void OnAuthorization(AuthorizationContext filterContext)
var user = _accessControlService.GetUser();
if (PermissionName != "" && !user.HasPermission(_permissionName))
// set error result
filterContext.HttpContext.Response.StatusCode = 403;
filterContext.HttpContext.Items["CUSTOM_USER"] = user;

Then i was using it in action method like below:

public ActionResult Index(PersonListQuery query){ }

Additionally, i was using HttpContext.Items["CUSTOM_USER"] in views to show or hide html part:

@if (CurrentUser.HasPermission("<Permission Name>"))


When i decided to switch aspnet core, all my plan was failed. Because there was no virtual
method in the
. I tried some ways to solve problem. Those are below:

  • Using new policy based authorization(i think it is not suitable for
    my scenerio)

  • Using custom
    (i read this
    post but i couldn’t change it properly)

  • Using custom middleware(how to get
    of current

  • Using ActionFilter(is it correct for security purpose?)

I couldn’t decide which way is the best for my scenerio and how to implement it.

First question: Is MVC5 implementation bad practice?

Second question: Do you have any suggest to implement aspnet core?


Based on the comments, here an example on how to use the policy based authorization:

public class PermissionRequirement : IAuthorizationRequirement
    public PermissionBasedRequirement(PermissionEnum permission)
         Permission = permission;

    public PermissionEnum Permission { get; }

public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
    private readonly IUserPermissionsRepository permissionRepository;

    public PermissionHandler(IUserPermissionsRepository permissionRepository)
            throw new ArgumentNullException(nameof(permissionRepository));

        this.permissionRepository = permissionRepository;

    protected override void Handle(AuthorizationContext context, PermissionRequirement requirement)
            // no user authorizedd. Alternatively call context.Fail() to ensure a failure 
            // as another handler for this requirement may succeed
            return null;

        bool hasPermission = permissionRepository.CheckPermissionForUser(context.User, requirement.Permission);
        if (hasPermission)

And register it in your Startup class:

services.AddAuthorization(options =>
    UserDbContext context = ...;
    foreach(var permission in context.Permissions) 
        // assuming .Permission is enum
            policy => policy.Requirements.Add(new PermissionRequirement(permission.Permission)));

// Register it as scope, because it uses Repository that probably uses dbcontext
services.AddScope<IAuthorizationHandler, PermissionHandler>();

And finally in the controller

[Authorize(Policy = PermissionEnum.PERSON_LIST.ToString())]
public ActionResult Index(PersonListQuery query)

The advantage of this solution is that you can also have multiple handlers for a requirement, i.e. if first one succeed the second handler can determine it's a fail and you can use it with resource based authorization with little extra effort.

The policy based approach is the preferred way to do it by the ASP.NET Core team.

From blowdart:

We don't want you writing custom authorize attributes. If you need to do that we've done something wrong. Instead you should be writing authorization requirements.