Decoupling Your Security Model Revisited
A while back I wrote an article, "Decoupling Your Security Model From The Application Model With SimpleMembership". In that article I proposed a change to how the AuthorizeAttribute is used, one that provides a decoupled security model that stays flexible as your ASP.NET MVC application evolves. One reader provided good comments on what he did not like about the design, with one major issue being the use of magic strings to define the resources and operations that we are authorizing against. If you recall from the previous article, we applied the custom AuthorizeAttribute like this:

    [SimpleAuthorize(Resource = "UserProfile", Operation = "modify")]
    public ActionResult ModifyUserProfile()
    {
        ViewBag.Message = "Modify Your Profile";
        return View();
    }

This is a valid concern, so I revisited this design and came up with a solution that eliminates magic strings and will actually perform better. Here is what our S