authorization

I know in controllers, you can write [Authorize("policyName")] without an issue, but is there any way to use a policy in a view? I'd rather not use User.IsInRole(...) every single time I want to authorize some HTML. Edit: Here's some code Startup.cs -- Policy Declaration services.AddAuthorization(options => { options.AddPolicy("testPolicy", policy => { policy.RequireAuthenticatedUser() .RequireRole("RoleOne", "RoleTwo", "RoleThree") .RequireClaim(ClaimTypes.Email); }); }); Admin Controller [Authorize("testPolicy")] public class AdminController : Controller { public IActionResult Index() {

What is the best way to achieve application authorization and entitlement in .Net. Earlier AzMan use to be the standard way. With the advent of provider model, at least roles are taken care of but I am not sure about the authorization & entitlement. I am looking at the ability to define and access operation level permissions for roles / users. What is the most suitable way to achieve the above? According to this blog post the ClaimsAuthorizationManager API is 'next generation of AzMan'. It's just an API however, and doesn't come with a default implementation or an admin GUI, so it's not yet

I'm using play framework 2.4.2 with Java and I want to validate that a user is logged in by intercepting all requests and checking if a session value is set. So I have extended the DefaultHttpRequestHandler and overridden the createAction Method to intercept all requests. However, I have not found a good way to validate the session. Option 1 - Fail When I try to fetch the session value I get a runtime exception: There is no HTTP Context available from here Below is the class I'm working with: public class RequestHandler extends DefaultHttpRequestHandler { @Override public Action createAction

So I'm trying to access my own data from an external app via their API. I only need access to my own data . Not trying to receive data from any of my users' accounts, so they don't need to authorize anything. So obviously I need to avoid any redirects (which seems to be the standard process the more I research OAuth...) The process is hit the /authorize endpoint, which returns a code. Then provide that code in a request to the accesstoken endpoint. Which then allows me to access my account via the API. I'm 95% sure this process is standard for all OAuth, but figured I'd provide details in case

I have a cherrypy application and on some of the views I want to start only allowing certain users to view them, and sending anyone else to an authorization required page. Is there a way I can do this with a custom decorator? I think that would be the most elegant option. Here's a basic example of what I want to do: class MyApp: @authorization_required def view_page1(self,appID): ... do some stuff ... return html def authorization_required(func): #what do I put here? Also can the authorization_required function when called as a decorator accept parameters like allow_group1, allow_group2? Or do

I have a WebApi secured with Basic Auth which is applied to the entire Api using a AuthorizationFilterAttribute. I also have SignalR Hubs sitting on several of my Api Controllers. Alongside this I have a web page which makes use of my WebApi. The web page is mostly written in Backbone, so in order to make calls to my secured WebApi, I have added the following jquery $.ajaxSetup({ beforeSend: function (jqXHR, settings) { jqXHR.setRequestHeader('Authorization', 'Basic ' + Token); return true; } }); This works for communicating with my Api Controllers, but adding the above code has broken the

I have two kinds of users in my application - clients and sellers. I am using a PhaseListener in JSF to prevent users from accessing pages without logging in, but after they are logged in I dont know how to prevent the user from change the URL in the location bar and accessing pages that he is not allowed too. E.g, preventing clients from accessing sellers pages. Does anyone have an idea on how I could prevent such illegal accesses? BalusC Assign the user a group/role and check on that as well inside your phase listener (which could technically better be a simple servlet filter, after all, a