It seems you want to use claims-based authorization via policies. After setting up Windows authentication in your application, you could add custom claims to the ClaimsPrincipal, check the user's identity and confirm which permission the current user has:
- You can add a claims transformation service to your application:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

class ClaimsTransformer : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var id = (ClaimsIdentity)principal.Identity;
        // Work on a copy of the identity: transformation can run more than once per request,
        // so claims should not be added to the incoming identity directly.
        var ci = new ClaimsIdentity(id.Claims, id.AuthenticationType, id.NameClaimType, id.RoleClaimType);
        // "name" stands for the user name that should only get read-only access
        if (ci.Name.Equals("name"))
        {
            ci.AddClaim(new Claim("permission", "readOnly"));
        }
        else
        {
            ci.AddClaim(new Claim("permission", "write"));
        }
        var cp = new ClaimsPrincipal(ci);
        return Task.FromResult(cp);
    }
}
- Add to Startup.cs (.NET Core 2.0):

services.AddTransient<IClaimsTransformation, ClaimsTransformer>();
- Set your policy:

services.AddAuthorization(options =>
{
    options.AddPolicy("Readonly", policy => policy.RequireClaim("permission", "readOnly"));
    options.AddPolicy("Write", policy => policy.RequireClaim("permission", "write"));
});
- Restrict access to a controller or action by requiring this policy:

[Authorize(Policy = "Write")]
public IActionResult Contact()
{
    ViewData["Message"] = "Your contact page.";
    return View();
}
If you have already added groups (write, readonly) in your AD and added the related users to the groups, you can also check the groups:
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;

public static class Security
{
    public static bool IsInGroup(this ClaimsPrincipal User, string GroupName)
    {
        var groups = new List<string>();
        // Windows authentication puts a WindowsIdentity on the principal
        var wi = (WindowsIdentity)User.Identity;
        if (wi.Groups != null)
        {
            foreach (var group in wi.Groups)
            {
                try
                {
                    // translate the group SID into a DOMAIN\Group account name
                    groups.Add(group.Translate(typeof(NTAccount)).ToString());
                }
                catch (Exception)
                {
                    // ignored: SIDs that cannot be resolved to a name are skipped
                }
            }
            return groups.Contains(GroupName);
        }
        return false;
    }
}
And use it like:
if (User.IsInGroup("GroupName"))
{
}
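As an added example (not part of the answer above), here is a transformer that derives the "permission" claim from Windows group membership instead of from the user name, so the same "Readonly" and "Write" policies work without hard-coding users; the CONTOSO group names are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Maps Windows/AD group membership to "permission" claims, so the
// "Readonly" and "Write" policies are enforced per group rather than per user.
public class GroupClaimsTransformer : IClaimsTransformation
{
    // Assumed group names for this example; replace with the groups in your domain.
    private static readonly Dictionary<string, string> GroupToPermission =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\Write", "write" },
            { @"CONTOSO\Readonly", "readOnly" },
        };

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Only principals produced by Windows authentication carry group SIDs.
        if (!(principal.Identity is WindowsIdentity wi) || wi.Groups == null)
            return Task.FromResult(principal);

        // Work on a copy: transformation can run more than once per request.
        var ci = new ClaimsIdentity(wi.Claims, wi.AuthenticationType, wi.NameClaimType, wi.RoleClaimType);

        foreach (var sid in wi.Groups)
        {
            string groupName;
            try
            {
                groupName = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                continue; // SID with no resolvable account name (e.g. a deleted group)
            }

            if (GroupToPermission.TryGetValue(groupName, out var permission)
                && !ci.HasClaim("permission", permission))
            {
                ci.AddClaim(new Claim("permission", permission));
            }
        }

        // A user in neither group gets no "permission" claim and fails both policies.
        return Task.FromResult(new ClaimsPrincipal(ci));
    }
}
```

Register it with the same AddTransient call shown above. Because the transformer returns a plain ClaimsIdentity, code that runs after it should read the permission claim rather than cast User.Identity back to WindowsIdentity.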