How I Implemented Authorization on an Already Built Website

April 18, 2018
This story is mainly about authorization for an ASP.NET based website. But feel free to read it anyway.

As many of you already know, ASP.NET Identity is a great framework for authentication and authorization; most of the work is handled for you. But implementing it on a small website is kind of overkill (where security is not the “biggest” issue!).

A few days ago I stumbled upon this same kind of problem. I had a website that runs on an intranet. It was already built; all I had to do was add an authentication and authorization system. Now you might think: it’s a great place for the Identity framework!! Right?

Well… I know that too. But I was searching for something simple that would do the same thing for me, because the user table was already built and the project was tightly coupled to the DB. If I had implemented Identity, I would have had to do a lot of refactoring. So I tried to find out whether there was some other cookie-based authentication and authorization system.

For authentication, all I had to do was check that the user exists and that the submitted password is the same as the one stored in the DB. That simple task can be done by hand without any framework at all. So all I needed was the authorization system: something that restricts specific controllers to users who hold specific roles. For example, a user with the “admin” role can create a new user, whereas a user with the “normal” role cannot.

For this, I was searching for a cookie-based authorization system and came across OWIN, the “Open Web Interface for .NET”. It’s really easy to configure; I wonder why I didn’t see it before!? It’s middleware that sits between the server and the application. We can add as many middleware components as we want, but it’s best to add only those you really need.

Interactions between server and application through middle-ware

I’m gonna tell you how I implemented the authorization system in my project.
To do this, I first opened my project in Visual Studio, then opened the Package Manager Console. After selecting the right project (I had 4 projects in that solution), I ran these commands.


After successful installation, I created an OWIN startup class. To create it, right-click the project, then click “Add” > “New Item”; in the window, type owin in the search box and name the class Startup.cs. It’s a normal class that is specific to OWIN: when the web server loads, it searches for an OWIN startup class and applies the rules/commands found there to the server pipeline.

So I added these commands in the startup class:

Configuration class's code

In the global filter I added the Authorize attribute, which means every controller in this project is marked as [Authorize]. No controller is accessible by default; the user needs to sign in first.

Now I needed to enable a cookie-based authentication system. In those last 4 lines, all I did was tell the web server that I want cookie-based authentication and that, if the user is not authenticated, the user should be redirected to the login page. That’s it.
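The startup class and the global filter described above, as an added example rather than the author’s own code. It compiles against the Microsoft.Owin.Host.SystemWeb and Microsoft.Owin.Security.Cookies packages; the namespace MyIntranetApp and the /Auth/Login path are assumptions, and the cookie hardening options are additions the post does not mention.

```csharp
using System;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Tells the OWIN host which class to run at startup (MyIntranetApp is a hypothetical namespace).
[assembly: OwinStartup(typeof(MyIntranetApp.Startup))]

namespace MyIntranetApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Cookie middleware: requests without a valid ticket are redirected to LoginPath.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Auth/Login"),
                CookieHttpOnly = true,                           // keep the ticket out of reach of page scripts
                CookieSecure = CookieSecureOption.SameAsRequest, // Secure flag whenever served over HTTPS
                ExpireTimeSpan = TimeSpan.FromHours(8),          // ticket lifetime; renewed while the user is active
                SlidingExpiration = true
            });
        }
    }

    public class FilterConfig
    {
        // Registered from Application_Start. With AuthorizeAttribute in the global filters,
        // every controller requires a signed-in user unless it opts out with [AllowAnonymous].
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new AuthorizeAttribute());
            filters.Add(new HandleErrorAttribute());
        }
    }
}
```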

Now I needed to authenticate the user. I created a controller named “AuthController” and wrote this code.

Authentication Controller codes

Make sure you add [AllowAnonymous] above the controller. When a user tries to access the website, the user is redirected to the login page (located at http://websitename/auth/login), where there is a form to enter the login credentials. After the form post, I get the details and call _userService.Login(model), the method that checks whether the user exists and the password matches. If the user exists and the password is correct, all I have to do is mark this user as authenticated.
OWIN acts as middleware in IIS, and this middleware marks a user as authenticated or not. Once you understand this, you know that all I have to do is tell the middleware to mark this user as authenticated. You can also attach various user-related details to the user, as I did; these are called claims. I added the username, the role and the user ID as claims, then signed the user in.

Log out code

The logout process is much simpler than that; it’s all explained in the comments in the code.
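The login and logout flow from the two listings above, as an added example that is not the author’s code. IUserService (with a Login method returning null on failure) and a LoginViewModel with UserName, Id and Role on the returned user are assumptions standing in for the post’s existing user table; the anti-forgery tokens, the local-URL check and the hash remark are additions from a defensive point of view.

```csharp
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;

namespace MyIntranetApp.Controllers
{
    // The global [Authorize] filter locks every controller; the login controller must stay reachable.
    [AllowAnonymous]
    public class AuthController : Controller
    {
        private readonly IUserService _userService; // assumed: wraps the pre-existing user table
        public AuthController(IUserService userService) { _userService = userService; }
        private IAuthenticationManager AuthManager { get { return HttpContext.GetOwinContext().Authentication; } }

        [HttpGet]
        public ActionResult Login() { return View(); }

        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult Login(LoginViewModel model, string returnUrl)
        {
            // Assumed contract: null unless the user exists and the password verifies against the stored hash.
            var user = ModelState.IsValid ? _userService.Login(model) : null;
            if (user == null)
            {
                ModelState.AddModelError("", "Invalid username or password."); // same message for both failures
                return View(model);
            }
            // Claims are what [Authorize(Roles = "admin")] and User.Identity.Name read on later requests.
            var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()));
            identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
            // Hands the identity to the cookie middleware, which issues the encrypted ticket cookie.
            AuthManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
            // Only honour a local return URL; an absolute one would turn the login page into an open redirect.
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult Logout()
        {
            // Clears the ticket cookie; the next request is anonymous again and gets redirected to LoginPath.
            AuthManager.SignOut(CookieAuthenticationDefaults.AuthenticationType);
            return RedirectToAction("Login");
        }
    }
}
```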

Now, whenever I need to restrict a controller or action to users who have the admin role, all I do is add [Authorize(Roles = "admin")] just above the controller/method. That’s it!

So, that’s how I implemented authorization on that website.

Here’s the complete list of the code needed to implement this. Feel free to ask me anything related to this topic.

1 Comment

  • October 18, 2018 at 11:32 pm

    Have you ever thought about adding a little bit more than just your articles?
    I mean, what you say is valuable and all. However just imagine
    if you added some great photos or videos to give your posts more, “pop”!
    Your content is excellent but with pics and video clips, this website could definitely be one of the most beneficial in its niche.
    Very good blog!