Using FluentSecurity along with ASP.NET Identity?

[SirwanAfifi]

Hi, I'm new to this project. it appears great. As far as I know this project is just for authorizing. right?, Now I want to use it in one of my project that uses ASP.NET Identity 2. Is it possible? Or How can I replace this with the default authorizing system in ASP.NET Identity?

[tiesont]

Just out of curiosity, have you visited the project site at http://www.fluentsecurity.net/?

To answer your question, yes, FluentSecurity (which I'll shorten to FS from now on) is primarily intended for authorization. ASP.NET Identity (which I'll shorten to AI from now on) is primarily an authentication API. In other words, FS lets you define what a role (or claim) can access, and AI can be used to provide the roles (or claims) for the current user.

At a high level, using FS is no different than using the AuthorizationAttribute, though in my experience FS gives you more fine-grained control. If you need a starting point, there are examples included in the source. I also started a project to demonstrate using FS with Castle Windsor, here: https://github.com/tiesont/CastleWindsorFluentSecurity

Does any or all of that make sense?

[SirwanAfifi]

Thanks a lot . Great. One more question: With FS Can we get Roles from database? As you know in default authorize attribute we have something like this:

Authorize(Roles = "Administrator")]  
public ActionResult Foo()  
{  
    return View();  
}

The problem with this approach is that all permissions must be set up and assigned as attributes at design time. I want to get that role at run time. For example I want to list all controllers or actions for admin then admin be able to define role for each of controllers or actions. Is it possible with FS?
Thanks.

[tiesont]

I think you could do that with a custom ISecurityPolicy implementation. Its API looks like

PolicyResult Enforce(ISecurityContext context)

And you typically do something like

public class YourCustomPolicy : ISecurityPolicy
{
    public PolicyResult Enforce(ISecurityContext context)
    {
        bool isAllowed = false;

        // Run your authorization logic here...

        return isAllowed ? PolicyResult.CreateSuccessResult(this) : PolicyResult.CreateFailureResult(this, "Your error message goes here...");
    }
}

You can apply policies in one giant configuration class, or use a custom SecurityProfile to assign your policy to only those controllers that are configurable. @kristofferahl might have a better suggestion for you if that doesn't work, but I would try it yourself first and then update this thread if you run into issues. If you get most of the way there and get stuck, you can also post a question to StackOverflow (although, fair warning, you should only do so if you have something to show that you've made a good-faith effort to figure it out on your own).