Authorization in ASP.NET MVC

What is the best way to protect certain areas of your web application in ASP.NET MVC? I know that we can put the [Authorization] attribute on every action, but that seems very tedious, since you have to put it everywhere. I use a membership provider and tried, as I did in the postback model, to set this protection per folder, using the web.config <location> section to protect some folders. I tried this in MVC and it seems to work, but most tutorials use the [Authorization] method.

Which one is the best method?

+3
5 answers

I would highly recommend not putting it in web.config. In fact, Conery, Hanselman, Haack, and Guthrie advise against it, although not very strongly (p223 of Professional ASP.NET MVC 1.0).

Routes are subject to change, especially in MVC. In the WebForms model, routes are physically represented in the file system, so you did not have to worry about that. In MVC, routes are "dynamic", for lack of a better term.

As a result, you can map several routes to one controller, which becomes a maintenance headache in web.config. Even worse, you may accidentally get a controller mapping wrong, or forget to update web.config after adding or changing routes, and leave yourself open.

If, however, you protect the controller itself instead of the route, then you do not need to worry about keeping web.config in sync with your controllers and changing routes.

Just my 2 cents.

+5
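To make the route-drift problem from the answer above concrete, here is an added example (not code from the answer or from the book it cites). It assumes a hypothetical AdminController and the standard MVC RouteConfig pattern; the route names, URLs and the web.config fragment are constructed for illustration. A <location> rule keys on the URL prefix, so a second route that reaches the same controller under a different prefix bypasses it, while [Authorize] on the controller covers every URL that reaches it.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Added example: why a web.config <location> rule can silently stop matching
// once routes change. Controller and route names are hypothetical.
public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // Original URL: /admin/users -> AdminController.Users
        routes.MapRoute("Admin", "admin/{action}/{id}",
            new { controller = "Admin", action = "Index", id = UrlParameter.Optional });

        // Added later as a friendlier alias for the same controller.
        // /manage/users also runs AdminController.Users, but the URL does not
        // start with "admin", so the <location path="admin"> rule below never
        // applies to it: the alias is reachable anonymously.
        routes.MapRoute("ManageAlias", "manage/{action}/{id}",
            new { controller = "Admin", action = "Index", id = UrlParameter.Optional });
    }
}

/* web.config (constructed): a path-based rule that only covers URLs beginning
   with "admin". It knows nothing about which controller actually runs.

<location path="admin">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
*/

// Controller-based rule: travels with the code and is enforced no matter which
// route (admin/..., manage/..., or one added next month) reaches the controller.
[Authorize]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
    public ActionResult Users() { return View(); }
}
```

If you must keep the <location> approach for legacy reasons, treat every MapRoute change as a security change and review web.config alongside it; the attribute approach removes that coupling entirely.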

One possible solution is to create a "protected controller" and use it as the base class for all the areas of your application that you want to protect.

```csharp
[Authorize]
public class ProtectedBaseController : Controller
{
}

public class AdminController : ProtectedBaseController
{
    ...
}

public class Admin2Controller : ProtectedBaseController
{
    ...
}
```
+4

Put [Login] at the top of the controller class; that blocks all of the controller's actions.

+3

You can put [Authorize] for each controller that you want to protect.

You can add GlobalFilters.Filters.Add(new AuthorizeAttribute()); in your Startup.cs (or Global.asax) and put the [AllowAnonymous] attribute on any controller or action that you want to allow unregistered users to reach.

If you decide to put [Authorize] on each protected controller, you need to be sure that any controller added by you or anyone else on the team will be protected. For this requirement, I use a test like this:

```csharp
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using Xunit;

public class AuthorizationTests
{
    [Fact]
    public void AllAuth()
    {
        // Scan the assembly that contains the application's controllers.
        var asm = Assembly.GetAssembly(typeof(HomeController));
        foreach (var type in asm.GetTypes())
        {
            if (typeof(Controller).IsAssignableFrom(type))
            {
                // inherit: true so an [Authorize] on a base controller counts too.
                var attrs = type.GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true);
                Assert.True(attrs.Any(), type.FullName + " has no [Authorize] attribute");
            }
        }
    }
}
```

I think this method is better than creating a ProtectedController, because that does not guarantee that all the controllers in your system are protected. Also, this method does not use inheritance, which would make the project more complicated.

0

Authorization is one way to protect your application: apply the attribute to each controller. Another way is to use the new AllowAnonymous attribute on the login and registration actions. Building security on the current area is a very bad thing and will open your application to vulnerabilities.

You can get the code here.

Since ASP.NET MVC 4 includes the new AllowAnonymous attribute, you no longer need to write this code.
After registering AuthorizeAttribute globally in global.asax, a whitelist of the methods you want to exclude from authorization will suffice; this is considered the best practice for securing your actions. Thank you.

0
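The two answers above (the global AuthorizeAttribute plus [AllowAnonymous] opt-outs, and the idea of a whitelist of the methods excluded from authorization) are combined in this added example, which is not code from either answer. It assumes MVC 4 or later (for AllowAnonymousAttribute), xUnit for the tests, and a hypothetical AccountController; the names in the ExpectedAnonymous list are constructed. The point the prose does not show is that once everything is denied by default, the thing to test is the opt-out list: the test enumerates every action that can be reached anonymously and fails if one appears that is not in the explicit whitelist, and a second test checks that the global filter is actually registered.

```csharp
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using Xunit;

// Global.asax.cs: deny by default by registering AuthorizeAttribute globally.
public class MvcApplication : System.Web.HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());   // every action requires a signed-in user
    }

    protected void Application_Start()
    {
        RegisterGlobalFilters(GlobalFilters.Filters);
        // RouteConfig.RegisterRoutes(RouteTable.Routes); etc.
    }
}

// Hypothetical controller: only the entry points a visitor needs before
// signing in opt out of the global filter.
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login(string returnUrl) { return View(); }

    [AllowAnonymous]
    public ActionResult Register() { return View(); }

    public ActionResult ChangePassword() { return View(); }   // still protected
}

public class AuthorizationPolicyTests
{
    // The whitelist: the only endpoints allowed to be reachable anonymously.
    // Any new [AllowAnonymous] must be added here deliberately, in code review.
    private static readonly string[] ExpectedAnonymous =
    {
        "AccountController.Login",
        "AccountController.Register",
    };

    // Every public action (method or whole controller) marked [AllowAnonymous],
    // as "ControllerName.ActionName". Inherited attributes count (inherit: true).
    public static string[] FindAnonymousActions(Assembly asm)
    {
        return asm.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => m.DeclaringType.Assembly == asm          // skip Object/Controller members
                         && !m.IsSpecialName                          // skip property accessors
                         && !m.IsDefined(typeof(NonActionAttribute), true))
                .Where(m => t.IsDefined(typeof(AllowAnonymousAttribute), true)
                         || m.IsDefined(typeof(AllowAnonymousAttribute), true))
                .Select(m => t.Name + "." + m.Name))
            .Distinct()
            .OrderBy(name => name)
            .ToArray();
    }

    [Fact]
    public void GlobalAuthorizeFilterIsRegistered()
    {
        var filters = new GlobalFilterCollection();
        MvcApplication.RegisterGlobalFilters(filters);
        Assert.Contains(filters, f => f.Instance is AuthorizeAttribute);
    }

    [Fact]
    public void OnlyWhitelistedActionsAllowAnonymous()
    {
        var actual = FindAnonymousActions(typeof(AccountController).Assembly);
        Assert.Equal(ExpectedAnonymous.OrderBy(name => name), actual);
    }
}
```

Run against the assembly above, FindAnonymousActions returns exactly the two whitelisted names; adding [AllowAnonymous] to ChangePassword, or to a new controller, makes OnlyWhitelistedActionsAllowAnonymous fail until the whitelist is updated on purpose. This is the inverse of the earlier AllAuth test: with a global filter you no longer need to prove every controller carries [Authorize], only that the set of exceptions is the one you intended.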
