MarimerLLC / cslaforum

Discussion forum for CSLA .NET
https://cslanet.com

Inject authorization logic before Dataportal_XYZ call #340

Open ashishaon opened 7 years ago

ashishaon commented 7 years ago

I want to run authorization logic before any Dataportal_XYZ. At which place can I intercept in the CSLA pipeline?

ajj7060 commented 7 years ago

Are you looking for client side or server side? For client side, create a public static void AddObjectAuthorizationRules() method in your class and use Csla.Rules.BusinessRules.AddRule to add authorization rules for the type.

For server side, you can do the check yourself at the top of the DataPortal_XYZ method, but I think there's a way to do this prior too, although I don't recall at the moment. The ebooks should have all this documented.

rockfordlhotka commented 7 years ago

Yes, the Using CSLA 4 ebook covers this - there's an interface you can implement so your authorization logic runs immediately after the request to the server has been deserialized, and before any actual work occurs. The idea is that you have the opportunity to examine the deserialized request and decide whether to allow it to proceed.

YugankNarula commented 7 years ago

Thanks. I have implemented IAuthorizeDataPortal whose implementation logic is called on each Data portal request.

ajj7060 commented 7 years ago

Yes, that interface only runs as Rocky said on the server side after deserializing the message.

I thought there was another location you could add the logic into the DP pipeline, but I could be mistaken. Or as I said you can put a check at the top of each DP_XYZ method and throw if the user lacks permissions.

This post shows how you can inject dependencies server side as part of the pipeline; maybe you can adapt it to do the security checks you want. https://magenic.com/thinking/abstractions-in-csla

YugankNarula commented 7 years ago

Hi, I need one suggestion on this approach. As I am implementing some custom authentication in it and I need some dependency like a DAL or command in the implementation class of the authorization logic, how can I inject or resolve any dependency in it?

ajj7060 commented 7 years ago

If you need to do data access from the authorizer, you could create a Csla command object and use it in the authorizer. The authorizer only runs when server side data portal code first starts running, so once you're on the server calling another Csla object won't trigger the authorizer again. This command object would likely not have any security associated with it so should be fine. Injecting dependencies can be done a few different ways, one is documented in the blog link. Another (and the way I'm using) is to use a service locator pattern within the DP_XYZ methods only.

YugankNarula commented 7 years ago

Thanks. I have completed the implementation part. Now I want to unit test it. I tried simply by having a data portal call in a test method, but it is not routing to my authorization implementation logic. So, how can I unit test it?

rockfordlhotka commented 7 years ago

Which part are you trying to test? The IAuthorizeDataPortal implementation, or the command object you are invoking to do the work?
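An added example, not code from any participant in this thread or from the CSLA project: a default-deny `IAuthorizeDataPortal` implementation whose decision logic sits in a static method that a unit test can call directly with a `GenericPrincipal`, without going through the data portal. The class name `RoleBasedAuthorizer`, the `MyApp.Library.CustomerEdit` type name and the role names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using Csla;
using Csla.Server;

// Hypothetical authorizer; only IAuthorizeDataPortal and AuthorizeRequest come from CSLA.
public class RoleBasedAuthorizer : IAuthorizeDataPortal
{
    // Constructed sample policy: "<business type full name>:<operation>" -> required role.
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>
        {
            { "MyApp.Library.CustomerEdit:Fetch",  "CustomerReader" },
            { "MyApp.Library.CustomerEdit:Update", "CustomerAdmin" },
            { "MyApp.Library.CustomerEdit:Delete", "CustomerAdmin" },
        };

    // Invoked by the server-side data portal after the request has been
    // deserialized and before any DataPortal_XYZ method runs.
    public void Authorize(AuthorizeRequest clientRequest)
    {
        IPrincipal user = Csla.ApplicationContext.User;
        if (!IsAllowed(user, clientRequest.ObjectType, clientRequest.Operation))
        {
            // Throwing stops the request before any data access happens.
            throw new SecurityException(
                clientRequest.Operation + " on " + clientRequest.ObjectType.Name + " denied");
        }
    }

    // Pure decision function with no dependency on the data portal.
    public static bool IsAllowed(IPrincipal user, Type objectType, DataPortalOperations operation)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Default deny: a type/operation pair missing from the policy is rejected,
        // so every root object reachable from the client needs an explicit entry.
        string role;
        if (!RequiredRole.TryGetValue(objectType.FullName + ":" + operation, out role))
            return false;

        return user.IsInRole(role);
    }
}
```

In CSLA 4 the authorizer type is registered with the `CslaAuthorizationProvider` appSettings key, using its assembly-qualified type name.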