What's inside the package: Understanding different pieces ASP Security Kit is comprised of

ASP Security Kit consists of the following:
Note – Standard package lacks in features compared to premium package, therefore, some of the things described below do not apply to standard package.


This is the primary library that implements the core services provided by ASP Security Kit – authentication, activity-based, instance-aware authorization, localization ETC. these are implemented using service pattern – each service has a corresponding interface and all services communicate with each other through interfaces. This makes it fairly easy to replace any service with your own implementation or to create mocks to test application in isolation. Implementation of UserDAL and logger service’s installs as source code in your Mvc project because those are the likely two things you would customize first. Following services are provided:

Interface Implementation Description
IUserService<TId, TUser> UserService<TId, TUser> Provides authentication, verification and activity-based, instance-aware authorization logic for consuming application.
ILocaleService LocaleService Implements user specific locale for both formatting and converting time in user time zone. UserService does not directly call DateTime.UtcNow – instead it uses ILocaleService.
ISessionService HttpSessionService HttpContext.Session based provider to Store and retrieve user data for an online user session. UserService stores and retrieves session data using ISessionService.
IUserDAL<TId> Implementation resides in the application project Provides an interface to implement database/data access technology specific DAL service for UserService.
ILoggerService Implementation resides in the application project Provides a simple interface for writing application logs. Used by UserService for writing diagnostic information.
IContextServices Implementation resides in the application project This aggregates services mentioned above and is initialized for each http request. You pass it as a constructor parameter while initializing UserService.

Decoupling of Security Models

ASP Security Kit keeps its promise of ultimate flexibility by decoupling security models from the services that operate on those models. It does so defining following interfaces which you implement in your application project (The default Entity Framework based implementation is installed as part of ASP Security Kit package).

IUser<TId, TUser> Implementation resides in the application project Provides a strongly typed interface to implement user model for the application.
IPermit<TId> Implementation resides in the application project Provides a strongly typed interface to implement user permission model for the application.


This library provides Mvc attributes and other types to make it super easy to implement activity based, instance aware authorization in your application.

Type Description
ActAuthorizeAttribute Mvc filter for activity-based, instance-aware authorization.
IUnauthorizeAction Implemented by a controller ; it provides a callback (HandleUnauthorizedRequest) that ActAuthorizeAttributes calls when authentication, verification or permission based authorization fails.
AuthActionAttribute Attribute to indicate the complete permission code or action part of the permission code for activity-based authorization checks.
AuthEntityAttribute Attribute to indicate the complete permission code or entity type part of the permission code for activity-based authorization checks.
IDParameterAttribute Attribute to indicate the name for the parameter that ActAuthorizeAttribute should use to look for entity instance unique identifier.
SkipActionAuthorizationAttribute Attribute to indicate that the given controller or action doesn't require activity-based authorization checks.
AllowNotVerifiedAttribute Attribute to indicate that a given controller or action is accessible to users who aren't yet verified. Once defined on a controller, cannot be reset for a specific action in that controller.
PossessesPermissionCodeAttribute Attribute to indicate that ActAuthorizeAttribute should only check the existance of a permission code and skip entity instance-based check.


This is the main authorization attribute that you define on a controller. It manages authentication, authorization and verification for your application. It requires an instance of IContextServices (which we saw above) to inquire about user identity and to validate actions.

[ActAuthorize(ServicesKey = "ContextServices")]
public class SiteControllerBase : Controller, IUnauthorizeAction

With this single line of code (ActAuthorize definition), you have enabled activity-based, instance-aware authorization for your application.
There are other helper attributes which you can use to modify ActAuthorizeAttribute behavior for a specific controller/action. To learn more, read Getting started with declaretive permission based authorization in ASP.NET Mvc guide.

Mvc project

Major portion of ASP Security Kit comes as source files and is installed directly in your ASP.NET Mvc project. This includes things that you likely to customize/modify to suit your particular case – remember the fundamental goal of ASP Security Kit is to give you re-usable, flexible starter kit that adapts to your need and does not dictate you to do things in a particular way.
Let’s walk through the structure of what is installed as source files in your Mvc project:

Content and Images

Consist of css files and images based on theme you chose during installation. Standard package has only the default ASP.NET Mvc theme.


Controller Implements
AccountController profile/login/registration/verification/forgot password
AdminController impersonation/adopt/drill Down/render permissions
HomeController about/contact/terms/privacy
OrganizePermissionController create/modify/delete/aggregate permission codes
PermissionController grant/revoke permissions to users
SiteControllerBase Base controller that provides ASP Security Kit services as properties, sets up authorization, implements redirect helper methods and much more.
UserController create/suspend/modify/delete users


This consists of Json.net converters for localization, extensions (context services/Razor helpers/string functions) and utilities such as email template builder, mailer ETC.


Models folder consists of source for view models and security models (implementing interfaces in the core library), TimeZone/culture models and DbContext. You can extend security models by adding more properties, dictating the validation logic and controlling exactly how the corresponding tables are created in the data storage of your choice.

Security models are implemented based on Entity Framework code first approach. The corresponding Sql Server database can be created within seconds by executing Entity Framework Migrations which are also installed as source files in the project. Finally, UserDAL provides the data access logic for security models by implementing core interface IUserDAL.
So as you can see, the entire data representation and access stack lives as source files in your project and you can modify them to fit to your prefered data access and data storage technologies.

Migrations and T-Sql logic

This consists of EF migrations for code first models mentioned above. In addition, there is a DbLogic class which contains T-Sql stored procedures, functions and triggers implemented for certain features.

After installation, by executing “update-database” (without quotes of course) in Package Manager Console, you immediately have a full-fledged Sql Server database ready to support storage needs of features provided by ASP Security Kit.


ASP Security Kit utilizes jTable to implement grid interfaces. You will find it installed in your scripts folder. There’s also an ASP Security Kit specific extension (jquery.jtable.ask.js) inside jtable/extensions. It extends jTable to implement a few features we found necessary.

In addition there’s jquery.validate.unobtrusive.plugin.js implemented to extend unobtrusive validation plugin of ASP.NET to show errors as popups.

Lastly, there’s permission.js that implements complex javascript logic to handle permission and implied permission flow.


This consists of useful application specific services:

AppService Provides general information for this application such as its title, default timezone/culture, administrator/support/bot email etc.
UserDAL Implements IUserDAL<TId> required by ASP Security Kit core library for data access.
LocalizationDAL Loads and caches timezone/culture data on app start.
TraceLogger Implements ILogger required by ASP Security Kit libraries for logging diagnostic information. It just writes to Trace class; You should modify it to work with your preferred logging library.


This consists of Razor views and templates based on the theme you chose during installation and implements UI logic for functions mentioned in the Controllers section above.