.NET WebAPI centralized Authorization

Question

In .NET WebAPI, I\'ve created a way to have all of the authorization rules in a central location, rather than scattered throughout controllers. I\'m curious why this centralizat

Answer 1

Your approach is a good one. You should separate concerns. This means separating business logic from non-functional logic/requirements (e.g. logging, authentication, and of course authorization).

The reason why this hasn't been done more broadly is because it's much easier to externalize authentication or logging than it is to externalize authorization which is more related to your business.

Different programming frameworks provide externalized authorization today. Microsoft has claims-based authorization, Java has several frameworks e.g. Spring Security, SunXACML... PHP has Yii, Ruby has CanCan... These frameworks let you implement role-based access control and even attribute-based access control. If you're not familiar with these terms, check out NIST's webpage:

• NIST RBAC
• NIST ABAC

If you want a solution that is technology-neutral, i.e. something you can use for Java, .NET, PHP... you can use XACML, the eXtensible Access Control Markup Language. It's an OASIS standard just like SAML is (SAML focuses on federated id and SSO; XACML focuses on fine-grained authorization). You can read more on XACML on the OASIS website and on Wikipedia where I try to maintain the page. In addition to externalizing authorization, XACML also defines a policy-based approach to authorization which makes a very scalable approach.

There are several open source options (JBoss, SunXACML, OpenAM...) for XACML as well as vendors such as the one I work for, Axiomatics.

HTH