Best free way to use AOP style MVC-like authorization in business logic


I like the authorization attribute in ASP.NET MVC. Not so much the attribute itself, but the way you apply it.

I want to use it in my non-ASP MVC services layer preferably in my plain C# business logic library or at least but less preferably at the endpoints of my WCF service endpoints. Is <a href="http://www.postsharp.org/" rel="nofollow">PostSharp</a> my only answer or is there a free similar solution?


I am in a similar situation and have recently researched quite a few options.

There are a few open source projects for AOP with .NET but most seems to be abandoned or not very active. PostSharp is by far the most mature of them. There is a community edition which is free and can be used for commercial development.

Other static weavers (such as PostSharp):

<ul><li>AspectDNG (abandoned)</li> <li>Gripper-LOOM (not updated since 2008)</li> <li>AOP.NET (seems to be abandoned)</li> </ul>

The other option would be to used Dynamic Proxies instead. There are a few libraries which uses this technique but with the exception of Spring.NET they seem to be more or less dead as well.

<ul><li>Spring.NET AOP (<a href="http://www.springframework.net/doc/reference/html/aop-quickstart.html" rel="nofollow">http://www.springframework.net/doc/reference/html/aop-quickstart.html</a>)</li> <li>AspectSharp </li> <li>Rapier-LOOM.NET </li> </ul>

I believe Spring.NET AOP can be used without the rest of the Spring.NET stack but I'm not entirely sure.

If you don't mind to work on a lower level there are always Mono.Cecil which allows you to rewrite assemblies just like PostSharp does but I wouldn't recommend it. It will be a lot of work and hard to get right.

Generating dynamic proxies with for example Castle.DynamicProxy or LinFu is probably a better approach then but it will still be quite a lot of plumbing to make everything to work. Also, unless you are already using an IoC-container you might want to consider that as it will make it much easier to inject the proxies where needed. Compared to using an OnMethodInvocationAspect or similar from PostSharp it will be a lot more work.

I currently leaning towards using PostSharp (Community Edition) since it does everything I need and is very easy to use. Spring.NET seems somewhat interesting but a dynamic proxy based solution won't be quite as elegant or easy to use as PostSharp.


There's a few solutions out there -- here's a <a href="http://csharp-source.net/open-source/aspect-oriented-frameworks" rel="nofollow">list</a> of open source and commercial products. The only one that doesn't seem to exist anymore is AspectSharp - that link is broken. Most of these don't seem to have been updated in a year or so, but it could be a start. PostSharp is also on the list.

Hope this helps.


Microsoft's Unity provides the ability to write AOP code through method interception. If your interception methods examined the attributes on the intercepted method you should be able to do precisely what you want.

You can read about Unity interception <a href="http://msdn.microsoft.com/en-us/library/ff647107.aspx" rel="nofollow">here</a>


NDecision makes decision-tree business logic quite simple to implement, and if you're a fan of Gherkin syntax and Fluent coding practices you'll feel right at home using it. The code snapshot below is from the project site, and demonstrates how business logic could be implemented. <a href="http://bradygaster.com/ndecision-with-aop" rel="nofollow">NDecision.Aspects</a> is the AOP layer on top of NDecision. <a href="http://bradygaster.com/ndecision-with-aop" rel="nofollow">NDecision.Aspects</a> makes use of PostSharp attributes, in fact, and dynamically intercepts code execution to apply business rules on the objects being passed as parameters (or the objects that own the methods being executed).

The code in the following screenshot demonstrates how you would write your business logic in a separate class:

<img alt="enter image description here" class="b-lazy" data-src="https://i.stack.imgur.com/kQeI9.png" data-original="https://i.stack.imgur.com/kQeI9.png" src="https://etrip.eimg.top/images/2019/05/07/timg.gif" />

Then you activate the autonomous application of the specifications (the business rules) using one of the NDecision.Aspects attributes:

<img alt="enter image description here" class="b-lazy" data-src="https://i.stack.imgur.com/5g1IR.png" data-original="https://i.stack.imgur.com/5g1IR.png" src="https://etrip.eimg.top/images/2019/05/07/timg.gif" />

Or by applying the attributes to the method on the target type to which your specifications apply:

<img alt="enter image description here" class="b-lazy" data-src="https://i.stack.imgur.com/MxdaN.png" data-original="https://i.stack.imgur.com/MxdaN.png" src="https://etrip.eimg.top/images/2019/05/07/timg.gif" />

There's no reason why you can't have another assembly with your "decision tree." NDecision was written with that in mind, to separate the logic into one independent layer, and the NDecision.Aspects portion allows for the application of these rules wherever you need.


<a href="http://msdn.microsoft.com/en-us/library/system.security.permissions.principalpermissionattribute.aspx" rel="nofollow">PrincipalPermissionAttribute</a> is about as close as it gets to ASP.NET MVC's own AuthorizationAttribute. You use it the same way, except you decorate methods instead of actions. It allows you to demand access by user role, by user name, or simply by whether she has authenticated or not:

<strong>User belongs to <em>Administrators</em> role:</strong>

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] public void YourMethod() { // do something }

<strong>User name is <em>john</em>:</strong>

[PrincipalPermission(SecurityAction.Demand, Name = "john")] public void YourMethod() { // do something }

<strong>User is authenticated:</strong>

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)] public void YourMethod() { // do something }

These throw System.Security.SecurityException when Thread.CurrentPrincipal does not match your access specification.


  • Listing all the classes in a DLL
  • How to debug a hanging action
  • Avoiding image upload on a refresh
  • How to update Docker container PATH using commit “--change” flag?
  • How to Delay Execution of Code For X Amount of Time in Android
  • Audio Recording iPhone - values of AudioStreamBasicDescription
  • Hitting breakpoints in MonoDevelop 2.2 Beta 1 on OSX
  • How to use CompletableFuture without risking a StackOverflowError?
  • Dart HTTP server and Futures
  • Haskell permutation library function - please clarify?
  • Using Regex to split XML string before and after match
  • RewriteCond and rewriteRule to redirect depending on the domain
  • Help with mod_rewrite
  • replacing while loop with list comprehension
  • CSS Grid, position absolute an element in a css grid item: IMPOSSIBLE
  • help('modules') crashing? Not sure how to fix
  • Refactoring advice: maps to POJOs
  • Regex for URL rewrite with optional query string parameters
  • Efficient & Pythonic way of finding all possible sublists of a list in given range and the minim
  • Where these are stored?
  • How can we prepend rows to a react native list-view?
  • How to get latest version of a artifact on Bintray using JSONP
  • Tell Git to stop prompting me for conflicts when none really exist?
  • DIV instruction jumping to random location?
  • Do I need to seed any random number generator before using EVP_PKEY_keygen of OpenSSL?
  • Apache RewriteRule redirection with url encoded
  • What's the purpose of QString?
  • uniform generation of points on 3D box
  • Display images in Django
  • Jackson Parser: ignore deserializing for type mismatch
  • Problem deserializing objects from cache on MyBatis 3/Java
  • Use of this Javascript
  • Can Jackson SerializationFeature be overridden per field or class?
  • Redux, normalised entities and lodash merge
  • jqPlot EnhancedLegendRenderer plugin does not toggle series for Pie charts
  • Run Powershell script from inside other Powershell script with dynamic redirection to file
  • Comma separated Values
  • Android Studio and gradle
  • How to get NHibernate ISession to cache entity not retrieved by primary key
  • How to load view controller without button in storyboard?