ServiceStack Authorization - Access Route Information

The documentation for ServiceStack says the best practice is:

Usually ServiceStack calls the bool HasPermission(string permission) method on IAuthSession. This method checks whether the list of Permissions in the IAuthSession contains the required permission.

The IAuthSession is stored in the client cache as described above. You can populate this list in the OnAuthenticated method that you overrode in the first part of this tutorial.

I am integrating with an existing system and running my own BasicAuthProvider workflow (inherited from the base BasicAuthProvider). Authentication works fine; now I am creating the authorization part. I am planning on using a list of permissions as above, but I need access to the route information to determine whether a user has access to a specific resource. I see that there is an IRequestContext in the IAuthServiceBase which has an absolute URL, but before going through and parsing this I figured there must be a way to access ServiceStack's routing structure to give me either the service class name or the requested service DTO.

Here is the OnAuthenticated method from my BasicAuthProvider class:

public override void OnAuthenticated(IServiceBase authService, IAuthSession session, IOAuthTokens tokens, Dictionary<string, string> authInfo)
{
    UserSession sess = (UserSession)session;

    Model.User currentUser = UserRepository.GetUserByUsername(session.UserAuthName);

    // Fill the IAuthSession with the data you want to retrieve in the app, e.g.:
    session.FirstName = currentUser.Person.FirstName;
    session.LastName = currentUser.Person.LastName;
    session.UserName = currentUser.User1;
    sess.CurrentUser = currentUser;

    // Important: you need to save the session!
    authService.SaveSession(session, TimeSpan.FromDays(1));
}


In MVC, I have used some of the raw request data to get the controller name and action to determine resource authorization, but this is the first project I have used ServiceStack with since then.



1 answer

You can look at the [RequiredPermission] attribute, or even its implementation, for an example: the third parameter passed to the RequestFilter is the request DTO.

And as request DTOs map 1:1 with the service, you can be sure that a request is for an IService<TRequest> (or one of its subclasses, for example ServiceBase<T> or RestServiceBase<T>). You can access the service type programmatically, as is done in the FilterAttributeCache:

    var serviceType = EndpointHost.Metadata.GetServiceTypeByRequest(requestDtoType);


I'm not sure about the exact context / use case you are trying to support, but if you use the [RequiredPermission] or [RequiredRole] attributes, they check by default against the list of roles and permissions held in the built-in UserAuth table.

Externally, you can use the /assignroles and /unassignroles web services (part of the AuthorizationFeature plugin) to assign roles and permissions to users (by default this requires a user with the Admin role).

For more information, see the Authentication/authorization and Validation pages in the ServiceStack GitHub project wiki.
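Putting the answer's two pointers together (the request DTO arriving as the filter's third parameter, and EndpointHost.Metadata.GetServiceTypeByRequest resolving the service that handles it), here is an added example of a request filter attribute that derives a resource name from the service type and the HTTP verb and checks it against the session's permission list. This is illustration code, not part of the question, the answer or ServiceStack itself; the attribute name, the "<ServiceType>:<VERB>" permission naming scheme and the priority value are this example's own conventions, and it assumes the ServiceStack v3 API used in the question (IHttpRequest, IHttpResponse, EndpointHost).

```csharp
using System;
using System.Net;
using ServiceStack.ServiceHost;
using ServiceStack.ServiceInterface;
using ServiceStack.ServiceInterface.Auth;
using ServiceStack.WebHost.Endpoints;
using ServiceStack.WebHost.Endpoints.Extensions;

// Hypothetical attribute (not a ServiceStack built-in): before the service runs,
// resolve which service handles this request DTO and require that the caller's
// session holds the permission "<ServiceTypeName>:<HTTP verb>".
public class RequiresResourcePermissionAttribute : RequestFilterAttribute
{
    public RequiresResourcePermissionAttribute() : this(ApplyTo.All) { }

    public RequiresResourcePermissionAttribute(ApplyTo applyTo) : base(applyTo)
    {
        // Assumption: a negative priority runs this filter before the service
        // (and after authentication), in the same spirit as the built-in auth filters.
        this.Priority = -80;
    }

    // Third parameter is the request DTO, exactly as the answer describes.
    public override void Execute(IHttpRequest req, IHttpResponse res, object requestDto)
    {
        var session = req.GetSession();
        var permission = ResourcePermission.For(requestDto, req.HttpMethod);

        // Deny by default: an anonymous session or a missing permission both fail closed.
        if (session != null && session.IsAuthenticated && session.HasPermission(permission))
            return;

        res.StatusCode = (int)HttpStatusCode.Forbidden;
        res.StatusDescription = "Invalid Permission";
        res.EndServiceStackRequest(); // stop the pipeline; the service is never invoked
    }
}

public static class ResourcePermission
{
    // Build the permission name from the route information ServiceStack already has:
    // the service type that owns the request DTO (falling back to the DTO name if the
    // DTO is not registered against a service) plus the verb, e.g. "TodoService:POST".
    public static string For(object requestDto, string httpMethod)
    {
        var requestDtoType = requestDto.GetType();
        var serviceType = EndpointHost.Metadata.GetServiceTypeByRequest(requestDtoType);
        var resource = serviceType != null ? serviceType.Name : requestDtoType.Name;
        return resource + ":" + (httpMethod ?? "GET").ToUpperInvariant();
    }
}
```

Decorate a service (or a single DTO) with [RequiresResourcePermission], optionally narrowed with ApplyTo, e.g. [RequiresResourcePermission(ApplyTo.Post | ApplyTo.Put)] to leave reads open. HasPermission reads the session's Permissions list, so the OnAuthenticated override in the question is the place to fill that list (for example from the user record it already loads) before calling SaveSession; if the list is left empty, every decorated route returns 403, which is the safe failure mode. The same Execute body can also be registered once for all services via the AppHost's global RequestFilters instead of per-service attributes.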
