ASP.NET MVC Authorize by Subdomain
Posted
by Jimmo
on Stack Overflow
See other posts from Stack Overflow
or by Jimmo
Published on 2010-03-08T20:46:17Z
Indexed on
2010/03/08
21:51 UTC
Read the original article
Hit count: 301
I have what seems like a common issue with SaaS applications, but have not seen this question on here anywhere.
I am using ASP.NET MVC with Forms Authentication. I have implemented a custom membership provider to handle logic, but have one issue (perhaps the issue is in my mental picture of the system).
As with many SaaS apps, customers create accounts and use the app in a way that looks like they are the only ones present (they only see their items, users, etc.). In reality, there are generic controllers and views presenting data depending on the customer represented in the URL. When calling something like the MembershipProvider.ValidateUser, I have access to the user's customer affiliation in the User object - what I don't have is the context of the request to compare whether it is a data request for the same customer as the user.
As an example,
One company called ABC goes to abc.mysite.com
Another company called XYZ goes to xyz.mysite.com
When an ABC user calls
http://abc.mysite.com/product/edit/12
I have an [Authorize] attribute on the Edit method in the ProductController to make sure he is signed in and has sufficient permission to do so.
If that same ABC user tried to access
http://xyz.mysite.com/product/edit/12
I would not want to validate him in the context of that call. In the ValidateUser of the MembershipProvider, I have the information about the user, but not about the request. I can tell that the user is from ABC, but I cannot tell that the request is for XYZ at that point in the code.
How should I resolve this?
© Stack Overflow or respective owner