Role Based Access Control in ASP.NET MVC

Role Based Access Control in ASP.NET MVC is pretty straight forward. There is also a way to do Claims access control, but the most common way is the authorization of a user based on the roles they have in an organization.

This blog post only explains RBAC using ASP.NET Model-View-Controller framework for web applications.

As a developer, to show or hide action links in a View, depending on the user role you can use the following Razor syntax:

@if (User.IsInRole("Administrator"))

On the Controller class, to avoid access to an action if the user types in the URL directly on the browser, we can annotate the action with the Role check tags.

For example, the following code would limit access to any actions on the AdministrationController to users who are  members of the Administrator group.

[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller

You can specify multiple roles as a comma separated list;

[Authorize(Roles = "HRManager,Finance")]
public class SalaryController : Controller

The SalaryController  class above will be only accessible by users who are members of the HRManager role or theFinance role.

If you apply multiple attributes then, a user’s HTTP request, accessing the methods on the controller  must be a member of all the roles specified. The following sample requires that a user must be a member of both the PowerUser and ControlPanelUser role before authorization is granted.

[Authorize(Roles = "PowerUser")]
[Authorize(Roles = "ControlPanelUser")]
public class ControlPanelController : Controller

You can further limit access by applying additional role authorization attributes at the action level;

[Authorize(Roles = "Administrator, PowerUser")]
public class ControlPanelController : Controller
    public ActionResult SetTime()
    [Authorize(Roles = "Administrator")]
    public ActionResult ShutDown()

In the previous code snippet members of the Administrator role or the PowerUser role can access the controller and the SetTime action, but, only members of the Administrator role can access the ShutDown action.

You can also lock down a controller but allow anonymous, unauthenticated access to individual actions.

public class ControlPanelController : Controller
    public ActionResult SetTime()
    public ActionResult Login()

There is also a way to use Policies for limiting access, but to keep it simple, since we already have the roles defined, we can use the common RBAC for now until we need something more complex.

When the user requests the URL directly they will get a nasty 401 Unauthorized page from IIS if their request is not Authorized.

The Razor code shown on the first code snippet can be used in the View to show the elements on the View, if the User is part of the Administrators role, but if the requestor (user) is not part of the role, he or she will receive a 401 HTTP Unauthorized response.

We can give them a more friendly page explaining they don’t have permissions to access the resources requested and link them to a request access page.

This is what could be done:

For a 401 you will probably be seeing the standard 401 Unauthorized page, even if you have added 401 to the customerrors section in your web.config. When using IIS and Windows integrated Authentication, the check happens before ASP.NET MVC even sees the request.

By editing the Global.asax file you can redirect to a route created for 401 Unauthorized HTTP response errors, sending the user to the “Unauthorized to see this” View (friendly page). The use case for this scenario would be if someone received a link for a View that requires the user to be authorized but  the user has not completed other steps in the process, such as paperwork needed prior to accessing the secure resource.

In the Global.asax:

void Application_EndRequest(object sender, System.EventArgs e)
    // If the user is not authorized to see this page or access this function, send them to the error page.
    if (Response.StatusCode == 401)
        Response.RedirectToRoute("ErrorHandler", (RouteTable.Routes["ErrorHandler"] as Route).Defaults);

and in the Route.config:

                new { controller = "Error", action = "Unauthorized", errMsg = UrlParameter.Optional }

and in the ErrorController class:

public ViewResult Unauthorized()
        //Response.StatusCode = 401; 
        // Do not set this or else you get a redirect loop
        return View();
        //where View is the friendly .cshtml page



Happy coding.

Down memory lane, The Agile Manifesto

With the proliferation of agile term overloads and the software suites that claim to be “agile”, how do you differentiate the noise from the real thing?

Is chaos really agile?

No, certainly not. Collaboration and working software, developers at the center of enabling business change, that for me is Agile. Chaos and unmanaged change is not.

I signed the Agile Manifesto in June of 2005:
Lizet Pena de Sola is an agilite

Every time someone tells me about the next software suite that will track all my projects and solve all my problems because it will make the “process” really “agile”, I go back and read the manifesto.
If this new software suite contradicts or impedes any of the 4 cornerstones of the manifesto, that software suite, process, administrative paperwork, extra meeting, is out. Did I mention that extra excel file logging the exact same “issues” everyone knows about and the email chains?

Here are the four main points of the Agile Manifesto, focus on the ones on the left and feel free to apply these four points to any new “agile” tool that will solve all your problems overnight. The points are great to detect baloney.

I need to get rid of that switch statement. What is the Strategy Pattern?

I’m a big advocate of software maintainability and there is nothing better for that than applying well known patterns to improve the existing code. Each time I see long if..then..else constructs, or switch statements to drive logic, I think of how much better the code would be if we allow encapsulation and use one of my favorite behavioral pattern… => the Strategy Pattern.

StrategyPatternA Strategy is a plan of action designed to achieve a specific goal

This is what this pattern will do for you: “Define a family of algorithms, encapsulate each one, and make them interchangeable. Strategy lets the algorithm vary independently from clients that use it.” (Gang of Four);

Specifies a set of classes, each representing a potential behaviour. Switching between those classes changes the application behavior. (the Strategy). This behavior can be selected at runtime (using polymorphism) or design time. It captures the abstraction in an interface, bury implementation details in derived classes.

When we have a set of similar algorithms and its need to switch between them in different parts of the application. With Strategy Pattern is possible to avoid ifs and ease maintenance;

Now, how can we digest that in code, now that you got the gist of the problem and want a better solution than your case statements.

This example I’ll be showing is a pure academic exercise:

The problem to solve is given a string as an input, create a parsing algorithm(s) that given a text stream identifies if the text complies with the following patterns. Angle brackets should have an opening and closing bracket and curly brackets should also have an opening and closing bracket, no matter how many characters are in the middle. These algorithms must be tested for performance.

<<>>{}  True
<<{>>}  False
<<<>    False
<<erertjgrh>>{sgsdgf} True

Continue reading I need to get rid of that switch statement. What is the Strategy Pattern?

Localization of XAML, WPF applications.

As you may know, localization and globalization of user interfaces have been a topic I like to discuss. Being bilingual, I like to give the opportunity to applications to show their glory in several languages.

In my previous jobs, I have localized ASP.NET Web Forms and ASP.NET MVC forms, and also Windows Forms, but the other day someone asked me about WPF/XAML and MVVM. How to localize a XAML markup.

This is what this post is all about. Back in 2007, a coworker and I wrote a Localization Toolkit and published all the code Open Source at CodePlex, after writing an article about the new features in .NET 2.0 and Visual Studio 2005 that allowed you to generate resources files from the literal strings embedded on an ASP.NET web form.

Fast forward a few years to the end of 2007 and beginning of 2008, with the outcome of WPF, are resources files still in use?

Yup, they still are, and they are selected by the same mechanism that selects a given satellite assembly given the UI Thread Culture. The same mechanism that was available in the .NET world in 2005 for ASP.NET Web Forms.

Satellite assemblies are nothing but key/value pairs stored in a resource file that the ResourceManager type can search by Key.

Now, let’s say I generated resource file (.resx) for a given locale and region (fr-FR or fr-CA) and I want the resource file key bound to the XAML view after the UI Culture Thread is set to the OS locale and region, or after the user selects the locale and region he would like. Notice there are two settings to set with the locale and region: the UI Thread and the current thread. They are different.

            CultureInfo ci = new CultureInfo("fr-CA");
            Thread.CurrentThread.CurrentCulture = ci;
            Thread.CurrentThread.CurrentUICulture = ci;


How are the literal values bound to the proper resources file holding the locale and regional translation?

Within the Window tag of your XAML window file, add the following line of code:


For each control within our grid (Button, Labels and Window Title) do not set the Title or Content values to static text. Instead use the resources file value.

<Label Content="{x:Static properties:Resources.LabelFirstName}"…/>
<Button Content="{x:Static properties:Resources.ButtonSubmit}"…/>

There are also other projects at GitHub that have been added recently specifically for WPF: WPFSharp.Globalizer which offers a better option than the LocBalm tool to generate and  maintain the resources files for translation.

LocBaml is the de-facto tool documented on MSDN for WPF resource generation, but there are other projects such as the one mentioned above and the NuGet package ResXManager that offers more features.

LocBalm will generate UiDs on your XAML markup that will link automatically to the regional resource after the Current UI Thread is set. LocBalm can also be used to generate the different resource files after the application is developed, using the option to parse the main assembly for XAML markup.

Parlez vous Français? Oui, mais mon interface ne parler pas.

Technical Debt – What it is and what to do about it

The following paragraphs in italic are taken from an article in IASA (International Association of Software Architects) written by Gene Hughson

In spite of all that’s been written on the subject of technical debt, it’s still a common occurrence to see it defined as simply “bad code”. Likewise, it’s still common to see the solution offered being “stop writing bad code”.  It’s not that simple.

What is Technical Debt?

A design or construction approach that’s expedient in the short term but that creates a technical context in which the same work will cost more to do later than it would cost to do now (including increased cost over time) .

Technical debt may not only incur costs due to rework of the original item, but also by making more difficult changes that are dependent on the original item.

Deferring bug fixes is a form of technical debt as is deferring automation of recurring support tasks.

Dependencies can be a source of technical debt, both in regard to debt they carry and in terms of their fitness to your purpose.

The platform that hosts your application is yet another potential source of technical debt if not maintained.

As noted above, the “interest” on technical debt can manifest as the need for rework and/or more effort in implementing changes over time. This increase in effort can come through the proliferation of code to compensate for the effects of unresolved debt or even just through increased time to comprehend the existing code base prior to attempting a change.

In short, technical debt is any technical deficit that involves a risk of greater cost to expand the application and/or end user dissatisfaction.

What to do about it?

Becoming aware of existing debt is a critical first step, but is insufficient in itself. Taking steps to actively manage the system’s debt portfolio is essential. The first step should be to stop unconsciously taking on new debt. Latent debt tends to fit into the immediate, unexpected payback model mentioned above. Likewise, steps taken to improve the quality up front (unit testing, code review, static analysis, process changes, etc.) should reduce the effort needed for detection and remediation. Architectural and design practices should also be examined. Too little design can be as counter-productive as too much.

Just as the taking on of new debt should be done in a rational manner, so should be the retirement of old debt.

Think of technical debt as credit card debt and you’ll realize why it is important to account for it, be aware of it and pay it off before funding any new features.

Domain Modeling, why it is replacing Data Modeling and bottom up designs

Complexity is the driving force for the adoption of the Domain Model pattern. Complexity should be measured in terms of the current requirements and what processes are modeled or automated by the application.

A domain model is a collection of plain old classes, each of which faithfully represents a significant entity in the business domain. These classes are data containers and can expose public properties, but they also are expected to expose methods. The term POCO (Plain Old CLR Object) is often used to refer to classes in a domain model. At some point, the classes in the domain model needs to be persisted. Persistence is not a responsibility of the domain model, and it will happen outside of the domain model through repimageositories connected to the infrastructure layer.

The conversion between the model and relational store is typically performed by ad hoc tools— specifically, Object/ Relational Mapper (O/ RM) tools, such as Microsoft’s Entity Framework or NHibernate. The unavoidable mismatch between the domain model and the relational model is the critical point of implementing a Domain Model pattern.

For decades (1980 to 1990s), relational data modeling was the most effective way to model the business layer of software applications. In the .NET space, the turning point came in the early 2000s, when more and more companies that still had their core business logic carved in the rough stone of mainframes took advantage of the Microsoft .NET Framework and Internet breakthroughs to renovate and modernize their systems. In only a few years, this poured an incredible amount of complexity on the shoulders of developers. RAD (Rapid Application Development) and relational modeling then— we’d say almost naturally— appeared worn out and their limits were exposed.


All the text above was taken from “Esposito, Dino; Saltarello, Andrea (2014-08-28). Microsoft .NET – Architecting Applications for the Enterprise (2nd Edition) (Developer Reference)” with permission from the authors.

Complexity is tackled best using classes that model the business with ubiquitous language. Language that is understood by the technical modelers (software architects/developers) and by the business counterparts or system matter experts. Domain Services encapsulate services that can be consumed by other applications or different GUIs. The focus now is in modeling the domain and modeling the behavior, rather than modeling the data (RDBM) model without events or behavior. The data model, as a starting point in the design, falls short without modeling the sequence of events (behavior) and the flow of information.

Should I use sessionID to uniquely identify users?

Should I use sessionID to uniquely identify users?
NO, that’s why UserId/UserName or LoginID and password combinations are for.
SessionID is a “random” string and can be repeated (e.g. when IIS is restarted or the server is rebooted, the sequencing scheme that generates SessionID values is reset). So if you store information for a user based on the SessionID value, be very aware that a new person next week might happen to get the same SessionID value–this will either violate a primary key constraint, or mix two or more people’s data.

However in ASP.NET, the SessionID is 120 bits in length, so like a GUID, is virtually guaranteed to never repeat.

But in classic ASP, this built-in mechanism is not a good strategy for identifying users over the long term. A better methodology would be to generate a key value in a database that is guaranteed to be unique (e.g. IDENTITY or AUTOINCREMENT) and store that in a cookie on the client. Then you can identify them not only for the life of their current session, but during future visits as well (of course, only until the next time they delete their cookies).

As usual, it depends, on the technology you inherit, how the old modules were built and so on.

Storing ASP.NET SessionId and at the same time storing a SessionGUID generated from the SessionId in ASP.NET doesn’t make much sense.


Selling my book collection at Amazon…

I recently moved to a smaller place and can’t keep all my technical book collection.

I’m selling the books that I already read, no longer need or have duplicates. Some of them are for old .NET frameworks, but if you are maintaining legacy applications with these framework versions, the books from Microsoft Press can be helpful.

There are also books about SOA and SOAP, SQL Server specific books etc. The books are selling pretty fast.

You can access my seller’s collection at Amazon here.

All the prices are set for shipping within the USA only.

Happy coding!