Any example? I am curious to know: if I ignore a route, then how is it possible to route this?
Marked as answer by ricka6 on Aug 20, 2010 09:01 PM
levib
Star
7702 Points
1099 Posts
Microsoft
Re: Forms Authentication with ASP.Net MVC
Jul 30, 2010 05:48 AM
Say you have a FooController inside your Blog area. Normally you would access this via /Blog/Foo/Action. However, with the default {controller}/{action}/{id} route, you could also probably access this via just /Foo/Action (without the Blog prefix). You may or may not be able to repro this on your own machine depending on your route configuration, but it's one of many examples.
Additionally, what happens if in a theoretical future version of MVC we add a handler MvcActivation.svc that is specifically meant to make your MVC application easier to consume by a WCF client? That wouldn't go through routing at all, so any decisions made at the routing level would not affect this. Remember, the controller is the resource you want to protect. It doesn't matter how you get there - via a route, a WCF activation path, some other external component calling into the controller directly - the controller should secure itself.
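The route ambiguity levib describes, as an added example that is not code from the thread: a hypothetical ASP.NET MVC 2 project named MyApp with a Blog area whose FooController carries an [Authorize] attribute, next to the route registration that lets the same controller be reached as /Blog/Foo/Index and as /Foo/Index. The namespace, project name and "admin" role are assumptions made for the example.

```csharp
// Added example; not code from the thread. Assumes a hypothetical ASP.NET MVC 2
// project named MyApp with a "Blog" area created by the Visual Studio template.
using System.Web.Mvc;
using System.Web.Routing;

namespace MyApp.Areas.Blog.Controllers
{
    // The attribute runs inside the MVC action-invocation pipeline, so it is
    // enforced however the request arrived: via the area route, via the default
    // route, or via some future non-routing entry point.
    [Authorize(Roles = "admin")]
    public class FooController : Controller
    {
        public ActionResult Index()
        {
            return Content("Only members of the admin role see this.");
        }
    }
}

namespace MyApp.Areas.Blog
{
    public class BlogAreaRegistration : AreaRegistration
    {
        public override string AreaName
        {
            get { return "Blog"; }
        }

        public override void RegisterArea(AreaRegistrationContext context)
        {
            // Intended URL: /Blog/Foo/Index. AreaRegistrationContext restricts this
            // route to the MyApp.Areas.Blog.Controllers namespace.
            context.MapRoute(
                "Blog_default",
                "Blog/{controller}/{action}/{id}",
                new { action = "Index", id = UrlParameter.Optional });
        }
    }
}

namespace MyApp
{
    public class MvcApplication : System.Web.HttpApplication
    {
        public static void RegisterRoutes(RouteCollection routes)
        {
            routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

            // Unintended URL: /Foo/Index. The template's default route carries no
            // namespace restriction, so DefaultControllerFactory searches every
            // loaded controller type and finds the area's FooController as well.
            Route defaultRoute = routes.MapRoute(
                "Default",
                "{controller}/{action}/{id}",
                new { controller = "Home", action = "Index", id = UrlParameter.Optional },
                new[] { "MyApp.Controllers" });

            // Listing namespaces alone is not enough in MVC 2: the factory still
            // falls back to a global search unless this data token is set to false.
            // This tightens routing, but it is defence in depth, not the control:
            // the [Authorize] attribute on the controller is what denies the request.
            defaultRoute.DataTokens["UseNamespaceFallback"] = false;
        }

        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            RegisterRoutes(RouteTable.Routes);
        }
    }
}
```

With only the area route and the template's default route registered, both URLs dispatch to the same controller, and an anonymous request to either receives a 401 from the attribute. The namespace restriction on the default route only removes the second URL; it does nothing for a request that bypasses routing, which is why the attribute sits on the controller rather than in the route table.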
imran_ku07
All-Star
45815 Points
7698 Posts
MVP
Re: Forms Authentication with ASP.Net MVC
Jul 30, 2010 07:00 AM
This makes much sense, and thanks for pointing it out.
This can also be easily handled using a constraint:
http://forums.asp.net/p/1578533/3971547.aspx
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
BahadirARSLA...
Member
1 Points
4 Posts
Re: Forms Authentication with ASP.Net MVC
Jul 30, 2010 11:37 AM
Hi,
Thanks for your answers.
I will try [Authorize] attribute.
But I don't know: what happens if an unauthorized user tries to access that view? Will he/she be redirected to the login page? I don't want to check whether the user has logged in or not in every view.
imran_ku07
All-Star
45815 Points
7698 Posts
MVP
Re: Forms Authentication with ASP.Net MVC
Jul 30, 2010 01:39 PM
Yes, with a ReturnUrl query string.
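The redirect-with-ReturnUrl round trip that imran_ku07 refers to, as an added example that is not code from the thread: a hypothetical MVC 2 AccountController (project namespace MyApp, assumed) that completes the login and then follows ReturnUrl only when it points back into the site, because that parameter arrives on the query string and is under the requester's control.

```csharp
// Added example; not code from the thread. Assumes a hypothetical ASP.NET MVC 2
// project (namespace MyApp) whose web.config enables forms authentication:
//
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/LogOn" timeout="30" />
//   </authentication>
//
// When [Authorize] rejects an anonymous request, ASP.NET returns 401 and the
// forms authentication module turns that into a 302 to
// /Account/LogOn?ReturnUrl=%2fBlog%2fFoo%2fIndex (the original URL, encoded).
using System;
using System.Web.Mvc;
using System.Web.Security;

namespace MyApp.Controllers
{
    public class AccountController : Controller
    {
        [HttpGet]
        public ActionResult LogOn(string returnUrl)
        {
            // Carry ReturnUrl into the form so the POST can finish the round trip.
            ViewData["ReturnUrl"] = returnUrl;
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOn(string userName, string password, string returnUrl)
        {
            if (!Membership.ValidateUser(userName, password))
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
                ViewData["ReturnUrl"] = returnUrl;
                return View();
            }

            // Issue the forms-authentication ticket (session cookie, not persistent).
            FormsAuthentication.SetAuthCookie(userName, false);

            // ReturnUrl is query-string input. Follow it only when it stays on this
            // site; otherwise the login page doubles as a redirector to arbitrary
            // external URLs.
            if (IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("Index", "Home");
        }

        // UrlHelper.IsLocalUrl() ships with MVC 3; this is a hypothetical MVC 2
        // equivalent that accepts only a relative path beginning with a single "/".
        public static bool IsLocalUrl(string url)
        {
            if (String.IsNullOrEmpty(url))
            {
                return false;
            }
            if (url.Length == 1)
            {
                return url[0] == '/';
            }
            // "//host/path" and "/\host/path" are treated as protocol-relative
            // absolute URLs by browsers, so a leading "/" alone is not sufficient.
            return url[0] == '/' && url[1] != '/' && url[1] != '\\';
        }
    }
}
```

Nothing in the protected controllers changes: the attribute produces the 401, the forms authentication module produces the redirect, and the only code that needs to reason about ReturnUrl is the login action that consumes it.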
redtiger80
Member
4 Points
5 Posts
Re: Forms Authentication with ASP.Net MVC
Sep 23, 2010 08:36 PM
I think I see that it's not feasible to restrict a URL using the "location" and "authorization" tags in Web.config, since a Controller may be hit from multiple and unpredictable routes. However, it seems like it would quickly become a managerial nightmare to manage security in code.
It seems much more elegant to be able to specify (in Web.config) that only "admin" roles can access .../admin/, or only authenticated users can access .../restrictedarea/. If more fine-grained security is required, such as if someone can edit a specific record, then that can be handled at the Controller level.