Applying fine-grained security to an existing application

Posted by Mark on Stack Overflow
Published on 2011-11-15T01:38:18Z

I've inherited a reasonably large and complex ASP.NET MVC3 web application using EF Code First on SQL Server. It uses ASP.NET Membership roles with database authentication. The controller actions are secured with attributes derived from AuthorizeAttribute that map roles to actions. There are extension methods for the finer points, such as showing a particular widget to particular roles. This works great and I have a good understanding of the current security model.

I've been asked to provide finer-grained security at the data level. For example, a 'Customer' user can only see data (throughout the database) associated with themselves and not other Customers. The problem is that 'Customer' is only 1 of 5 different types with their own specific restrictions (each of the 9 roles is one of these 5 types).

The best thing I can think of is to go through all the data repositories and extend each and every LINQ statement/query with a filter for every user type. Even if I had time for that, it doesn't seem like the most elegant way.

Any suggestions? I really don't know where to start with this so anything could be helpful.

Many thanks.

© Stack Overflow or respective owner
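
One way to avoid editing every LINQ query, shown as an added example that is not part of the original post: route all reads through a wrapper that applies one per-entity, per-user-type predicate. All type names (UserType, CurrentUser, Order, RowFilters, ScopedRepository) are hypothetical, and the in-memory array stands in for an EF DbSet<T>, which is also an IQueryable<T>.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// All names below are hypothetical, chosen for this example.
public enum UserType { Customer, Staff }   // two of the five user types, for brevity
public class CurrentUser { public UserType Type { get; set; } public int CustomerId { get; set; } }
public class Order { public int Id { get; set; } public int CustomerId { get; set; } }

public static class RowFilters
{
    // Entity type -> Func<CurrentUser, Expression<Func<T, bool>>>; fill once at startup.
    static readonly Dictionary<Type, object> Rules = new Dictionary<Type, object>();
    public static void Register<T>(Func<CurrentUser, Expression<Func<T, bool>>> rule)
    {
        Rules[typeof(T)] = rule;
    }
    public static IQueryable<T> Apply<T>(IQueryable<T> source, CurrentUser user)
    {
        object rule;
        // Fail closed: an entity with no registered rule yields no rows.
        if (!Rules.TryGetValue(typeof(T), out rule)) return source.Where(x => false);
        return source.Where(((Func<CurrentUser, Expression<Func<T, bool>>>)rule)(user));
    }
}

public class ScopedRepository<T> where T : class
{
    readonly IQueryable<T> set; readonly CurrentUser user;
    public ScopedRepository(IQueryable<T> set, CurrentUser user) { this.set = set; this.user = user; }
    // The only read path exposed, so callers' own Where/Select compose on top of the filter.
    public IQueryable<T> Query() { return RowFilters.Apply(set, user); }
}

public static class Demo
{
    public static void Main()
    {
        RowFilters.Register<Order>(u => {
            if (u.Type == UserType.Staff) return o => true;
            int id = u.CustomerId;                 // capture a plain local in the expression
            return o => o.CustomerId == id;
        });
        // Constructed sample rows; with EF, pass the context's DbSet<Order> instead.
        var orders = new[] { new Order { Id = 1, CustomerId = 7 }, new Order { Id = 2, CustomerId = 8 } }.AsQueryable();
        var repo = new ScopedRepository<Order>(orders, new CurrentUser { Type = UserType.Customer, CustomerId = 7 });
        Console.WriteLine(repo.Query().Count());                       // rows visible to customer 7
        Console.WriteLine(repo.Query().Count(o => o.CustomerId == 8)); // another customer's rows
    }
}
```

The filter only holds if repositories stop exposing the raw DbSet; any query that bypasses Query() is unfiltered.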
