How A Progressive Software Development Studio Uses .NET

Microsoft .NET Logo

Our New .NET Open Source Library: Hero

Here at Skookum Digital Works, we love open source software. There are many advantages to utilizing code that is built by a community of people, and we would feel remiss if we did not give back to the community we love so much.

SDW is proud to introduce a new open source product for the .NET community to handle user authorization. It's called Hero, because who doesn't want a big strong man...I mean code save them?

Hero's Purpose

Hero is an ability based authorization library for .NET MVC and WepAPI projects. It was inspired by the Rails project CanCan and by Derick Bailey.  Hero can be installed via NuGet.

Hero Install

Ability (or activity) based authorization provides a more flexible and maintainable approach to the traditional .NET authorization technique. Hero decouples the permissions and the code. By associating a role to a method or action in .NET (through typical Authorization attribute), you are creating a tight coupling between a role and an action. However, what happens when your role name changes? What if new roles are added into the system? Now you are required to update all code that references that role name or go through and add the new role. Instead, if you assign ability names to an action or method you abstract the functionality and the permissions can be done programmatically. This allows for a loose coupling between functionality and roles/users.

When the user and roles requirements change, you only need to update one section of code rather than going through your entire project looking for those tight couplings. Permissions are effectively encapsulated within a single, refactorable file similar to the ability.rb in CanCan.

Hero additionally supports Razor views to support hiding or disabling page sections based on a users' effective permissions.

Finally, Hero also includes a Javascript component to more easily support Single Page Applications (SPA). The client side version of Hero allows the injection of security authorization into javascript functions through AOP techniques.

Server Side Example

For a full example of how to take advantage of ability based authorization in your MVC or WebApi project, you can view the Sample project here.

In the sample, we are creating a vanilla todo list application. The initialization and configuration of Hero should occur in one location, for instance, in the Global.asax file. This makes it easy to quickly review the abilities, roles, and their combinations all in one spot. We have setup Hero such that it will create a HeroConfig.cs that lives in your App_Start folder when you install the Nuget package. You just need to add the following line to your Global.asax file to perform initialization of Hero:


A user can perform basic CRUD operations on a list and it's items. Registering abilities to users is extremely simple in Hero.  The following code will will create a Delete ability and associate it to a role (AdminRole):


Once you have created an ability and registered it with a role (or user), you can then begin using our custom authorization attributes in your code. The following code will require a user to have the Delete role to perform the Delete action in this controller.  If you are working in a WebApi project, the attribute name is AbilityWebApiAuthorization instead of AbilityMvcAuthorization:


That is all the code you need to perform authorization on the server.  For an example of how to utilize the client side version of Hero, see our example below.

Razor View Helpers

In addition to performing authorization checks through the Attribute helpers, if you need, you can also access Hero directly from your views.  You can do this with the follow code snippet:


Single Page App Example

Hero has a corresponding client side library to help control visibility of functionality on the client. This makes single page apps easier to work with and control visibility based on a users effective permissions. For example, in the ToDo applicatio,n we do not want users to see the Delete button if they do not have access to that ability. Through a simple module to encapsulate the buttons available in the system, this can be performed on the client:


The previous code works by injecting a security check into the showDeleteButton function of the TestModule.  If the current user does not have the ability to Delete, the function will not be allowed to run (and thus the button will never be shown).


The new open-source, .NET library Hero allows you to quickly and easily integrate an authorization system into your .NET project. At SDW, we have worked hard to create a modular system that is both easy to configure and easy to maintain long term. Based on our previous two articles on continuous integration through Team City and code reuse through NuGet, we have developed a module that we can both integrate into our future projects and release to the .NET community as well.

Happy programming.