Role-Based Security Stinks: How to Implement Better Authorization in ASP.NET & WebAPI

Benjamin Day

Ballroom 2

11:00 - 12:00

In .NET, if your user permissions are simple, you’re in luck. Access the IPrincipal for the current user, call IsInRole(), and you’re done in about 3 lines of code. It works great…until it doesn’t and then you’re hosed.

When your application’s user permissions model starts getting complicated, you’ll instantly run into problems with .NET’s role-based security. The good thing is that it’s not that hard to write your own custom authorization system.

In this session, we’ll start by discussing what role-based security is all about and what it’s limits are in a typical ASP.NET or WebAPI application. From there, we’ll start going “off road” to talk about how to design, build, and test custom authorization schemes that handle more complex authorization scenarios. Along the way, we’ll talk about how to handle tricky details like user administration, creating arbitrary logical groupings of items & users, load testing your security code, and (most importantly) how to make all this code maintainable in the long term.