ASP.NET MVC

Re: Security in asp.net MVC application

MeetNet — Mon, 17 Mar 2008 19:05:31 GMT

The code mentioned in this thread appears to want to deal with HttpContext, but my test framework doesn't use that, it uses System.Threading.Thread.CurrentPrincipal to house a custom GenericPrincipal that is set for particular tests. I'm taking a harder look at what has to happen here....

Re: Security in asp.net MVC application

robconery — Wed, 12 Mar 2008 20:56:03 GMT

I wrote this up here:

http://blog.wekeroad.com/2008/03/12/aspnet-mvc-securing-your-controller-actions/

Re: Security in asp.net MVC application

tgmdbm — Wed, 12 Mar 2008 17:36:20 GMT

override OnActionExecuted, if no error occured then Exception will be null, if you handle the exception (by rendering an error view) set ExceptionHandled to true.

Re: Security in asp.net MVC application

MeetNet — Wed, 12 Mar 2008 17:21:19 GMT

The latest MVC release does not have an override bool for OnError. What is the right way to catch things (pun intended) now?

ironside14:

...snip...

public class MembershipAwareController : Controller
    {
        protected override bool OnError(string actionName, System.Reflection.MethodInfo methodInfo, Exception exception)
        {
            if (exception is System.Reflection.TargetInvocationException &&
                exception.InnerException is System.Security.SecurityException )
       ...snip...

Re: Security in asp.net MVC application

JoshuaStroup — Thu, 21 Feb 2008 15:14:31 GMT

Good to know. Thank you Sliderhouserules I'm looking forward to that. Also I want to thank you Angus for the response to my email in which he stated and I'll paraphrase:

--------------------------------------------

You can simply create base functions in your controller that check user security permissions for example:

isSiteAdmin()
isCustomer()
isShopUser()
isCustomerAdmin()

Then create a logic trap at beginning of methods that need to be secured. (He used VB I'll translate to C# as I'm more familiar with the syntax)

if ( isAdmin() ) { 

   Throw New System.Security.SecurityException("Access Denied. User is unable to view this page.");

} 

RenderView("Index");

--------------------------------------------

Alternatively you could also (I took this from Maarten Balliauw) http://blog.maartenballiauw.be/post/2007/12/ASPNET-MVC-framework---Security.aspx

try {
    PrincipalPermission permission = new PrincipalPermission(User.Identity.Name, "Administrators", true);
    permission.Demand();
} catch (SecurityException secEx) {
    // Handle the Exception here...
    // Redirect to Login page, for example.
}

But I personally like Angus's method better. Anyway this is just me trying to give back because of the great answers I receive from people willing to take time out and help our professions.

Re: Security in asp.net MVC application

sliderhouserules — Wed, 20 Feb 2008 19:17:30 GMT

In Scott Guthrie's roadmap he showed the first look at what they're calling Filters that he said will be in the next preview. It's essentially PrinciplePermission, but you get to write your own filter and you can have it do whatever you want. You can apply it to the class and then everything inside that class (your controller) is subject to that, or you can apply it to individual methods/actions. That's my take at least. Read his section 5) New Filter Attribute Support for Controllers and Action Methods for more details.

Re: Security in asp.net MVC application

JoshuaStroup — Wed, 20 Feb 2008 19:09:36 GMT

Does anybody have a way of implementing some type of security inheritance. For example, it would be nice to call .Demand() on just my class and every Controller Action and View is authenticated and authorized if the user authenticates. I would like to use Code Access Security for overriding specific Actions or Views, but I also like the <location> tag functionality that applies system wide. Do I build a large global.asax that handles every exception and reroutes, then I just need to track what exceptions I use throughout the application? Or is there a better way? Maybe I'm missing something here for a solution or not understanding previous posts.

Respectfully,

Josh

Re: Security in asp.net MVC application

tgmdbm — Wed, 02 Jan 2008 21:52:09 GMT

i entered a competition to write the best pun, there were only 10 contestants and mine was clearly the best. I thought mine would win but... no pun in ten did.

Re: Security in asp.net MVC application

ironside14 — Wed, 02 Jan 2008 15:57:29 GMT

I'm taking the PrinicipalPermission route (no pun intended :) ).

By creating a base controller class that's security aware, I didn't see the need for a special [ExceptionHandler] attribute for my simple case.

As an example, a redirecting base controller that blindly redirects security exceptions to the login action of the "security" controller:

public class MembershipAwareController : Controller
    {
        protected override bool OnError(string actionName, System.Reflection.MethodInfo methodInfo, Exception exception)
        {
            if (exception is System.Reflection.TargetInvocationException &&
                exception.InnerException is System.Security.SecurityException )
            {
                // Use TempData as a container for a display message when redirecting the user to login.
                // I tried setting ViewData but it was always empty by the time the 
                // Login action is executed. TempData is meant for use on the next request only, so it seems a fitting spot for it.
                // There is some coupling here as this code assumes the Login controller will do something with TempData (like tell a view to render it).
                TempData["ErrorMessage"] = "You must login to access this section of the site."; 
                RedirectToAction("Login", "Security");
            }
            else base.OnError(actionName, methodInfo, exception);
            return false;
        }
    }

Re: Security in asp.net MVC application

cromwellryan — Wed, 02 Jan 2008 13:49:15 GMT

There is a post out here which describes setting up the ASP.Net Membership provider with the MVC framework. It uses the <location/> config elements in the samples, but you can easily use declarative or explicit authorizations. I'll look at adding a short extension post about those two options. I would agree that the <location/> config is poorly chosen as it's dependent on the route configuration.

Re: Security in asp.net MVC application

Angus McDonald — Tue, 11 Dec 2007 00:34:54 GMT

We allow security permission settings to throw exceptions all the time, and then catch them in our base page and define how to handle a security permission error there (which for a non-logged in user is to re-direct them to the login page). This has the advantage of logging the access attempt as well as cleaning up your code.

In MVC the idea of having a base controller that you extend makes perfect sense to me. That way you get to write your security handling code once, whilst each individual controller (or even <gasp!> model) can decide what constitutes an unsecured attempt itself and just throw the right error at that point.

Re: Security in asp.net MVC application

pwelter34 — Mon, 10 Dec 2007 18:45:50 GMT

In my experimenting, I couldn't get the<location> element to work. I like the idea of using PrincipalPermission. However, that throws an exception. The controller should redirect to login instead. It should be easy enough to create a base controller to do this. Would be really nice if this was built in to the framework though. Also, throwing an exception doesn't seem very efficient.

Re: Security in asp.net MVC application

DavidHogue — Mon, 10 Dec 2007 18:38:49 GMT

I just tried the <location>, and it kind of works, but I wouldn't use it. I think the PrincipalPermission attribute (or just using some code like Mike343 suggested) will be the way to go with this.

I tried it with the default app that is generated that has a Home controller with Index and About actions. When path="Home" it does block /Home/anything, but you can still see / which is the same as /Home/Index. Also setting path=Home/About did not stop me from going to /Home/About at all. Plus the routes can be changed as Rob said.

Re: Security in asp.net MVC application

robconery — Mon, 10 Dec 2007 18:28:00 GMT

You can indeed lock down your location using this method, but keep in mind we're not using a "file request" scheme here anymore - this is all about RPC (in a sense). Additionally, users of your system might/can/will change the routes at some point, and if/when they do, they can break this FormsAuth security using <location>.

Your best bet is to use PrinciplePermission on the contoller or method (with many thanks to Phil for this):

[PrincipalPermission(SecurityAction.Demand,Role="Administrator")]
[ControllerAction]
public void Index(){
...
}

I have a blog post coming on this today.

Re: Security in asp.net MVC application

DavidHogue — Mon, 10 Dec 2007 18:07:48 GMT

I haven't tried yet, but I sould assume the <location> and <authorization> tags in the web.config would do it.

Something like this:
<location path="SomeController/SomeAction">
   <system.web>
     <authorization>
       <allow users="SomeUser" />
       <deny users="*" />
     </authorization>
   </system.web>
</location>

Once I get the CTP installed I'll try it and see what happens.