How to use Authorization in VB.NET and ASP.NET WebForms


#1

So, I did manage to get this working but I’m not sure it’s the most appropriate way of doing this. I wanted to have the authorization work when going to production.

Here is what I placed in my Global.asax.vb file:


Imports System.Web.Optimization
Imports Hangfire
Imports Hangfire.Annotations
Imports Hangfire.Dashboard
Imports Hangfire.SqlServer
Imports Microsoft.Owin
Imports Owin

<Assembly: OwinStartup(GetType(RouteDelivery.Startup))>

Namespace RouteDelivery

    Public Class Startup

        Public Sub Configuration(ByVal app As IAppBuilder)
            GlobalConfiguration.Configuration.UseSqlServerStorage("HangFireConnectionString")
            Dim options = New DashboardOptions With {.AppPath = VirtualPathUtility.ToAbsolute("~"), .Authorization = {New CustomAuthorizationFilter()}}
            Dim joboptions = New BackgroundJobServerOptions With {.WorkerCount = 5}
            app.UseHangfireDashboard("/admin/somepath/tosomewhere/hangfire", options)
            app.UseHangfireServer(joboptions)
        End Sub

    End Class


    Public Class CustomAuthorizationFilter
        Inherits Startup
        Implements IDashboardAuthorizationFilter

        Public Function Authorize(ByVal context As DashboardContext) As Boolean
            Return True
        End Function

        Private Function IDashboardAuthorizationFilter_Authorize(<NotNull> context As DashboardContext) As Boolean Implements IDashboardAuthorizationFilter.Authorize
            Return True
        End Function
    End Class

End Namespace

I created a CustomAuthorizationFilter class and this was the only way I could get it to work. I am in the process of building a DB configuration for user access which I can then include in this class.

But, right now, it works fine. There is very little information for vb.net, much less asp.net web forms, so I thought I would share this.


#2

I’ve seen no other way of doing it. Inside your filter you can make the rules you want. What we do is use the users’ claims to Active Directory groups and check if they’re a member of the correct group. We just decorate the controller that gets called with it but it could be more granular.