It doesn't need to know if you're authenticated for the AllowAnonymous. But to answer your questions, the framework knows if you are authenticated based on a concept called a session. When you're authenticated, your browser receives a cookie which is usually a hash that is a key to the server side session. The session can hold your user details. Once your session expires or is removed, the cookie is no longer valid.
OK got that, but something on the server needs to dump the cookie on the browser. But somehow this needs to be triggered from somewhere on the server side. That is still the gap in my mind.
My Auth API has a method LoginResult Login(string username,string password);
When the login is successful, the LoginResult contains my own SessionKey. After that all calls to any API needs the SessionKey as 1st parameter. The SessionKey is used to id the (previously logged-in) user that initiates the call and some other info. E.g.
ServiceResult result = myApi.GetData(SessionKey sessionKey,otherParams);
The entire domain model and back-end sits behind a services layer that exposes several APIs. The controllers will only talk to the services layer. It is designed like this to serve many different channels of interaction. So after login, my SessionKey will have to be stored in the Session if I read correctly so that the View can post that back to the controller Action, so that the controller Action method can use it in calls to the services layer
Also the logout api is:
ServiceResult Logout(SessionKey sessionKey);
After the call to logout, my SessionManager will remove the SessionKey and all calls with that SessionKey will fail. Obviously something in the ASP.NET framework needs to happen as well. E.g. flush cookie.
Also, with regards to the permissions model, are you talking about claims based authentication?
Not sure. The permissions model is based on user configurable Permissions. You then assign a set of Permissions to a User. You also assign a set of Actions to each Permission. Each action is basically an action on the front-end. So out of the total set of Actions in the application, each Permission would represent a subset of Actions (typically a business function). Permissions could overlap in their assigned Actions. So when you assign Permissions to Users, the User can execute the Actions that correspond to the union of all Permissions' Actions. E.g. View Users but not edit them. Don't know if I explain clear enough. It allows very fine grained control over what users can do and not and also easy to change profiles on the fly.
It also allows fine-grained control over Delegation of Authority where a User can (temporarily) delegate certain functions to another user and then revoke afterwards.
The Permissions also make provision for field level control. Each field on each entity can be Invisible/Visible/Visible&Editable. This is attached to Permissions so you can set up who sees what and who edits what fields.
Permissions also control the subsets of Reports, Pivots and Dashboards a particular User can run.
