Asp.Net MVC 4 User is authenticated even if not authorized


Solution 1

Authentication and Authorization are two different concepts. Authentication means you know who the person is. Authorization means they have specific permissions.

If you want to check whether they are authorized to perform some action and provide them a button or link to perform that action (or access some data, whatever it may be), then you'll have to check whether they have the permissions using other means. Some more specifics about the setup you have would help answer the question better.

Solution 2

To authenticate, check in your web.config that you have this tag:

<authentication mode="Forms"> <!-- the mode cannot be "None" -->
    <forms loginUrl="~/MyLoginURL" timeout="2880" />
</authentication>

And in your login method, the one that authenticates the user, make sure you call a .NET method that authenticates the user on its Identity, for example:

using System.Web.Security;
// second argument: whether the cookie is persistent. Other FormsAuthentication methods that authenticate also work.
FormsAuthentication.SetAuthCookie(login, false);

There is an AuthorizeAttribute in System.Web.Mvc that can be used on your actions or controllers, like:

[Authorize]
public ActionResult Index()
{ ... }

or

[Authorize]
public class HomeController : Controller
{ ... }

This AuthorizeAttribute will check whether the current user is authorized. You can create your own attribute by just inheriting from AuthorizeAttribute and overriding OnAuthorization and AuthorizeCore.

Solution 3

Once you perform a successful login (FormsAuthentication.SetAuthCookie), your user gets authenticated, so until you explicitly log off (FormsAuthentication.SignOut) that's the correct behaviour; as said, authentication and authorization are two different things.

I guess you want to show a menu only to users that have been authenticated through AD; in this case you can just restrict your resources with:

@if (User.Identity.IsAuthenticated)
{
   @Html.Partial("_Menu");   
}

If authorized, a user is also authenticated, so there is no need to do the double check. You can then use the [Authorize] attribute, which relies on User.Identity.IsAuthorized.

Authorization comes in handy when you can use Roles to group your users. Check whether your AD users belong to any group; if so, you could do something like:

<authorization>
  <allow roles="yourdomain\yourgroup" />
  <deny users="*" />
</authorization>
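The two answers above describe the pieces separately (Forms authentication against AD, then [Authorize] or a subclass of it for group-based authorization). The following is an added example, not code from either answer or from the asker, that puts them together in one custom AuthorizeAttribute and also addresses the symptom in the question: with the stock attribute an authenticated user who lacks permission gets a 401, which Forms authentication turns into a redirect back to the login page they already passed. Assumed, hypothetical names: domain "yourdomain", group "yourgroup", controllers `AccountController` and `HomeController`, and a login form that submits the bare sAMAccountName as `username` (that is what `FormsAuthentication.SetAuthCookie` stores and what `User.Identity.Name` later returns).

```csharp
// Added example for ASP.NET MVC 4 + Forms authentication against Active Directory.
// Hypothetical names: "yourdomain", "yourgroup", AccountController, HomeController.
using System;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class AdGroups
{
    // Resolves group membership live against the domain. The Forms ticket only proves
    // who the caller is; membership is checked separately on every request, so a user
    // removed from the group loses access without having to log off first.
    public static bool IsMember(string domain, string group, string samAccountName)
    {
        if (string.IsNullOrEmpty(samAccountName)) return false;
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        using (var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, group))
        {
            return user != null && grp != null && user.IsMemberOf(grp);
        }
    }
}

public class AdGroupAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _domain;
    private readonly string _group;

    public AdGroupAuthorizeAttribute(string domain, string group)
    {
        _domain = domain;
        _group = group;
    }

    // Authentication first (is there a valid Forms ticket?), then authorization
    // (is that account a member of the group?).
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        var identity = httpContext.User == null ? null : httpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return false;
        return AdGroups.IsMember(_domain, _group, identity.Name);
    }

    // The base attribute answers every failure with 401, which Forms authentication
    // rewrites into a redirect to loginUrl. An anonymous caller still gets that
    // redirect; an authenticated caller outside the group gets a plain 403 instead.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // Validate the credentials against AD, then issue the Forms ticket; the ticket
        // is what makes User.Identity.IsAuthenticated true on the following requests.
        using (var ctx = new PrincipalContext(ContextType.Domain, "yourdomain"))
        {
            if (!ctx.ValidateCredentials(username, password, ContextOptions.Negotiate))
            {
                ModelState.AddModelError("", "Invalid user name or password.");
                return View();
            }
        }
        FormsAuthentication.SetAuthCookie(username, false); // non-persistent cookie

        // Only follow local return URLs; an absolute one would be an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

[AdGroupAuthorize("yourdomain", "yourgroup")]
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }
}
```

For the menu in the view, the same helper gives the "logged in AND authorized" check the question asks for: `@if (User.Identity.IsAuthenticated && AdGroups.IsMember("yourdomain", "yourgroup", User.Identity.Name)) { @Html.Partial("_Menu") }`. Two caveats: every call hits a domain controller, so on a busy site cache the membership result (for example in the ticket's UserData or a custom RoleProvider, after which the web.config `<allow roles=...>` form from the answer above works unchanged); and a 403 should be backed by a matching `<customErrors>` page, since Forms authentication itself does nothing with that status.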
Author: robsonrosa, a game developer enthusiast.

Updated on June 04, 2022

Comments

  • robsonrosa, almost 2 years ago

    I am working on my first MVC project and I am having trouble with authentication. I have a login page that correctly validates the user against my Active Directory. But, even when authenticated, not all users are authorized to access the system, so I use a section in web.config to check whether the user has permissions. Something like:

    <authorization>
       <allow users="john,mary,paul,bill,jane,anna" />
       <deny users="*" />
    </authorization>
    

    It works fine and the user is always redirected to login if they don't have permission. BUT, when I check whether the user is authenticated, the result is always true. And, in the login page, I want to check whether I must show a message to logged-in AND authorized users. Something like:

    @if (User.Identity.IsAuthenticated && User.Identity.IsAuthorized)
    {
       @Html.Partial("_Menu");   
    }
    

    So... how do I do it?