Customise Security

Hi Team,
Your documentation refers to setting page security but I am unable to find details on how to protect the controllers and API. For example, if I log in to your RadzenCRM example as John Doe, Sales Representative, I am unable to see the users and roles options. I can, however, still access the URL directly and make changes.

Hi @mumfie,

Good catch. We forgot to set the access of those pages. The demo has been updated accordingly.

You can set the roles that can access a certain Radzen page from its settings.

Thanks @korchev.
That does fix the app, but it still appears to be possible to access the API directly using Postman etc. without authentication. Do we need to manually add [Authorize( to the generated controllers, or test if authenticated?

Yes, if you add the Authorize attribute those actions will not be available to anonymous users:

[Authorize(AuthenticationSchemes="Bearer")]

If you want only specific roles to have access use this:

[Authorize(Roles="Administrator", AuthenticationSchemes="Bearer")]
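As an added illustration of how the two attributes above combine on one controller (example code written for this thread, not part of the RadzenCRM demo or Radzen's generated output), the following hypothetical `UsersController` applies the Bearer-scheme requirement at class level, tightens one action to the `Administrator` role, and goes one step beyond the post by opting a single action out with `[AllowAnonymous]`. The namespace, route and sample data are assumptions. Under the ASP.NET Core JWT bearer handler an anonymous caller gets 401 from every protected action, and an authenticated caller without the role gets 403 from the role-restricted one.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace ExampleApp.Controllers   // assumed namespace
{
    [Route("api/[controller]")]
    [ApiController]
    // Class-level: every action requires a user authenticated via the
    // "Bearer" scheme; unauthenticated requests are answered with 401.
    [Authorize(AuthenticationSchemes = "Bearer")]
    public class UsersController : ControllerBase
    {
        // Constructed sample data; a real controller would query the database.
        private static readonly string[] SampleUsers = { "alice", "bob" };

        // Any authenticated user may list users.
        [HttpGet]
        public IActionResult GetUsers() => Ok(SampleUsers);

        // Only members of the Administrator role may delete; an authenticated
        // user without that role receives 403 Forbidden, not 401.
        [HttpDelete("{id}")]
        [Authorize(Roles = "Administrator", AuthenticationSchemes = "Bearer")]
        public IActionResult DeleteUser(string id) => NoContent();

        // Explicit opt-out: [AllowAnonymous] overrides the class-level
        // [Authorize], so this action stays reachable without a token.
        // Use this sparingly; each opt-out is a deliberate exception.
        [HttpGet("count")]
        [AllowAnonymous]
        public IActionResult Count() => Ok(SampleUsers.Length);
    }
}
```

The same precedence rule applies to a global `AuthorizeFilter`: whatever requires authentication by default, an action marked `[AllowAnonymous]` is exempt, which is what lets a token-issuing login endpoint keep working when the rest of the API is locked down.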

Thanks again @korchev
Creating a custom file for each controller and adding the Authorize attribute now correctly returns a status of 401 Unauthorized for unauthenticated users.

In a future release we will allow configuring this from the Radzen GUI.

3 Likes

Instead of creating a custom file for each controller you can create a Startup.Custom.cs with:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public partial class Startup
{
    partial void OnConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
        {
            // Global policy: every MVC action requires a user authenticated
            // under the "Bearer" scheme, unless the action opts out with
            // [AllowAnonymous]. Unauthenticated callers receive 401.
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddAuthenticationSchemes("Bearer")
                .Build();

            options.Filters.Add(new AuthorizeFilter(policy));
        });
    }
}
3 Likes

Has this been added to the GUI yet?

1 Like

@korchev Do we still have to add [Authorize] manually, or is there another way?

There is another way which we have documented here.

1 Like