Following the Evaluating a move from Monorail over to ASP.NET MVC post, I started to dig deeper into the authorization mechanism in ASP.NET MVC. There are some core differences. ASP.NET MVC has taken authorization a step further and ships a dedicated filter, Authorize, which implements the IAuthorizationFilter interface. It lets you specify which users and roles are allowed to invoke a certain action on a controller. For example, if you require that only users in the "Administrators" role are allowed to invoke Index(), it would look like this:
You decorate the action (or the whole controller) with the [Authorize(Roles="Administrators")] filter attribute. The [Authorize] filter checks the user before Index() is invoked: if the user is authenticated but lacks the role, the request is rejected; if the user is not logged in at all, the filter returns a 401 and forms authentication redirects the browser to the login page.
This is very nice, and you can do the same in Monorail since filters exist in both ASP.NET MVC and Monorail. However, in Monorail you have to specify that the filter executes before the action is invoked, and there is no special treatment for an authorization filter. It is treated just like any other filter. In my application it looks like this (the selected line):

You explicitly have to specify that the filter should run before the action; an authorization filter that runs after the action has already executed protects nothing. To make sure you cannot miss this, the ASP.NET MVC team created a dedicated interface, IAuthorizationFilter, which is always executed before the action. Personally I really like this approach: you cannot accidentally forget to say that the check should run first.
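The Monorail side of that comparison, as an added example that is not the post's own code. It assumes the Castle MonoRail 2.0 filter API (ExecuteWhen, IFilter.Perform, IEngineContext, IControllerContext.Action); check the signatures against your MonoRail version. The RequiresPermission marker attribute and the static RolesWithPermission lookup are hypothetical stand-ins for the post's permission store, which it never shows. The point to notice is the [Filter(ExecuteWhen.BeforeAction, ...)] registration on the controller and the guard on the exec phase: if someone registers the same filter with AfterAction, the action has already run by the time Perform is called.

```csharp
using System;
using System.Reflection;
using System.Security.Principal;
using Castle.MonoRail.Framework;

// Marker placed on an action method; the filter below reads it by reflection.
// Hypothetical name, not from the post.
[AttributeUsage(AttributeTargets.Method, Inherited = true)]
public sealed class RequiresPermissionAttribute : Attribute
{
    public readonly string Permission;
    public RequiresPermissionAttribute(string permission) { Permission = permission; }
}

public class PermissionFilter : IFilter
{
    // Hypothetical role -> permission relation (the administration view would edit it).
    // Replaced here with an in-memory delegate so the example needs no database.
    public static Func<string, string[]> RolesWithPermission = permission =>
    {
        switch (permission)
        {
            case "DeleteAdvertisement":  return new[] { "Administrators" };
            case "ApproveAdvertisement": return new[] { "Administrators" };
            case "CreateAdvertisement":  return new[] { "Users", "Administrators" };
            default:                     return new string[0];
        }
    };

    public bool Perform(ExecuteWhen exec, IEngineContext context,
                        IController controller, IControllerContext controllerContext)
    {
        // MonoRail hands the phase to the filter. Anything but BeforeAction means the
        // action already executed, so there is nothing left to protect; do not block here
        // silently, fail loudly so the misregistration is noticed during development.
        if (exec != ExecuteWhen.BeforeAction)
            throw new InvalidOperationException("PermissionFilter must be registered with ExecuteWhen.BeforeAction");

        string required = RequiredPermission(controller.GetType(), controllerContext.Action);
        if (required == null) return true; // undecorated action: open to everyone (e.g. Read)

        IPrincipal user = context.CurrentUser;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401; // forms authentication turns this into the login redirect
            return false;                      // false = do not invoke the action
        }
        if (!IsGranted(user, required))
        {
            context.Response.StatusCode = 403;
            return false;
        }
        return true;
    }

    // Finds the [RequiresPermission] on the action method, if any.
    public static string RequiredPermission(Type controllerType, string actionName)
    {
        foreach (MethodInfo m in controllerType.GetMethods(BindingFlags.Public | BindingFlags.Instance))
        {
            if (!string.Equals(m.Name, actionName, StringComparison.OrdinalIgnoreCase)) continue;
            object[] attrs = m.GetCustomAttributes(typeof(RequiresPermissionAttribute), true);
            if (attrs.Length > 0) return ((RequiresPermissionAttribute)attrs[0]).Permission;
        }
        return null;
    }

    // A user holds a permission when any of the roles granted that permission is one of theirs.
    public static bool IsGranted(IPrincipal user, string permission)
    {
        foreach (string role in RolesWithPermission(permission))
            if (user.IsInRole(role)) return true;
        return false;
    }
}

// The registration the post describes: the phase must be spelled out.
[Filter(ExecuteWhen.BeforeAction, typeof(PermissionFilter))]
public class AdvertisementController : SmartDispatcherController
{
    public void Read(int id) { }

    [RequiresPermission("CreateAdvertisement")]
    public void Create() { }

    [RequiresPermission("DeleteAdvertisement")]
    public void Delete(int id) { }

    [RequiresPermission("ApproveAdvertisement")]
    public void Approve(int id) { }
}
```

The filter attribute in MonoRail sits on the controller class, not on the action, which is why the per-action permission has to travel on a second attribute that the filter looks up by action name. That indirection is exactly what the dedicated IAuthorizationFilter in ASP.NET MVC removes.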
So far so good: in ASP.NET MVC there is no need to specify that the filter runs first, and there is no question about what the filter does, just read its name. Unfortunately, since the Authorize filter in ASP.NET MVC only works with users and roles, I either have to change my Monorail authorization and permission scheme or implement a new filter in ASP.NET MVC. In my application I do not put users or roles into the code; instead I use permissions, after a suggestion from Christer. I must say it has been great: the system feels a lot more flexible when I can define separate permissions. For example, my job advertisement controller has five actions: Create, Update, Delete, Read and Approve. These translate into five permissions: CreateAdvertisement, UpdateAdvertisement, DeleteAdvertisement, ReadAdvertisement and ApproveAdvertisement. Each action on the controller is decorated with the matching permission. This way I can manage the permissions so that any user can read advertisements, any logged-in user can create and update their own job advertisements, and only administrators can approve new job advertisements and delete existing ones. The administration view is where these permissions are changed.

Of course, this can be done with roles only, by hard coding roles into the application. But the permission layer is another level of abstraction which, hopefully, does not need to change once all permissions are specified. Another advantage of the permission approach is that whenever you need to add a role to the system, you only create it and then go into the administration view and decide which rights the role should have. There is no need to browse through each action of each controller in the system, hoping you did not miss one.
Fortunately, the team behind ASP.NET MVC has made it very easy to create a new authorization filter. All you need to do is create a class that derives from FilterAttribute and implements IAuthorizationFilter (deriving from FilterAttribute is required: that base class is how the framework recognizes an attribute as a filter when it builds the filter list for an action; the only alternative is for the controller itself to implement the interface). The single method in IAuthorizationFilter is void OnAuthorization(AuthorizationContext filterContext). I created a RequirePermission attribute along these lines and could then decorate my Delete() method with it.
With that in place the filter verifies the user's roles against the stored relation between roles and permissions before the action runs.
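A complete version of such a filter, as an added example that is not the post's own code, written against the ASP.NET MVC 1.0 API (FilterAttribute, IAuthorizationFilter, AuthorizationContext, HttpUnauthorizedResult). The IPermissionRepository interface, its in-memory implementation and the static hook on the attribute are assumptions standing in for the post's permission store; the attribute is instantiated by the runtime, not by a container, so the lookup is exposed as a static member that an application would assign at startup. The controller at the end shows both the built-in [Authorize(Roles=...)] from the start of the post and the permission-based attribute side by side.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical role -> permission relation that the administration view edits.
public interface IPermissionRepository
{
    IEnumerable<string> RolesWithPermission(string permission);
}

// In-memory implementation with constructed data so the example runs without a database.
public sealed class InMemoryPermissionRepository : IPermissionRepository
{
    private readonly Dictionary<string, string[]> grants =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "CreateAdvertisement",  new[] { "Users", "Administrators" } },
            { "UpdateAdvertisement",  new[] { "Users", "Administrators" } },
            { "DeleteAdvertisement",  new[] { "Administrators" } },
            { "ApproveAdvertisement", new[] { "Administrators" } },
        };

    public IEnumerable<string> RolesWithPermission(string permission)
    {
        string[] roles;
        return grants.TryGetValue(permission, out roles) ? roles : new string[0];
    }
}

// Deriving from FilterAttribute is what makes the framework pick the attribute up as a filter;
// IAuthorizationFilter is what makes it run before the action.
public sealed class RequirePermissionAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assigned at application start; assumption, not the post's design.
    public static IPermissionRepository Permissions = new InMemoryPermissionRepository();

    private readonly string permission;

    public RequirePermissionAttribute(string permission)
    {
        if (string.IsNullOrEmpty(permission))
            throw new ArgumentException("A permission name is required", "permission");
        this.permission = permission;
    }

    public string Permission { get { return permission; } }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        IPrincipal user = filterContext.HttpContext.User;

        // Anonymous caller: 401, which forms authentication turns into the login redirect.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Authenticated but not granted: answer 403 rather than a second 401,
        // which would only bounce the user back to the login page they just passed.
        if (!IsGranted(user, permission))
            filterContext.Result = new ForbiddenResult();
    }

    // Granted when any role that holds the permission is one of the user's roles.
    public static bool IsGranted(IPrincipal user, string permission)
    {
        foreach (string role in Permissions.RolesWithPermission(permission))
            if (user.IsInRole(role)) return true;
        return false;
    }
}

// MVC 1.0 ships a 401 result only; a 403 result is a few lines.
public sealed class ForbiddenResult : ActionResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        context.HttpContext.Response.StatusCode = 403;
        context.HttpContext.Response.StatusDescription = "Forbidden";
    }
}

public class AdvertisementController : Controller
{
    // Built-in filter, roles hard coded in the attribute.
    [Authorize(Roles = "Administrators")]
    public ActionResult Index() { return View(); }

    // Undecorated: any user, logged in or not, may read.
    public ActionResult Read(int id) { return View(); }

    [RequirePermission("CreateAdvertisement")]
    public ActionResult Create() { return View(); }

    [RequirePermission("UpdateAdvertisement")]
    public ActionResult Update(int id)
    {
        // The filter only proves the caller may update *some* advertisement. Whether this
        // id belongs to User.Identity.Name is per-object authorization and must be checked
        // here, before anything is modified.
        return View();
    }

    [RequirePermission("DeleteAdvertisement")]
    public ActionResult Delete(int id) { return View(); }

    [RequirePermission("ApproveAdvertisement")]
    public ActionResult Approve(int id) { return View(); }
}
```

Two things to keep in mind when adopting this. First, OnAuthorization runs on every request to the action, so the role-to-permission lookup should be cheap or cached; the repository above is a placeholder. Second, "their own job advertisement" is not something a permission can express: the attribute decides whether the user may update advertisements at all, and the action body still has to compare the record's owner with the current user.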
I must say that ASP.NET MVC has made some progress regarding authorization compared to Monorail. The two are implemented almost identically, but there are subtle differences that, in my opinion, make a huge difference. It is impressive how easy it is to implement new filters in ASP.NET MVC.