ASP.NET-MVC 3 force log for every page - asp.net-mvc

I'm new to ASP.NET and not the most experienced of programmers.
I have recently been introduced to ASP.NET-MVC 3 for an application I'd like to build.
I have the basic functionality down but am not to familiar with the login.
The built-in login works for what I want (just something simple), but I want to ensure that a login must be used before any of the actual functionality appears.
What would be the best way of doing this?
Any help would be greatly appreciated.

in your controller you should make use of the Authorize attribute, this forces the authorization before doing the decorated action.
For instance, in your home controller add the following [Authorize] as such
[Authorize]
public ViewResult Index()
{
return View();
}
Also you can decorate an entire controller which will force ALL methods to be authroized prior to being used, as such:
[Authorize]
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
}

Related

Asp.Net Mvc Identity Role Management

I am using Identity in my MVC project. Nowadays, i am trying to develop my authentication system and implement group-based identity.
I wonder what the way is, are you following to manage roles. IE. i have an action in one of my controller and named, CreateNewStudent. I am creating new role names, CanCreateStudent and write the related action filter, top of my action.
Is that the only way ? Should i need to put action filters one by one ?
Regards.
You could also have those attributes on controllers. In the code below for example, if the controller inherited from the base, the actions inside of that will require authentication. You can add roles in there.
[Authorize]
public class BaseController : Controller
{
//do some common operations
}
public class HomeController : BaseController
{
public virtual ActionResult Index()
{
ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application.";
return View();
}
}

OverrideAuthentication attribute not working? ASP.NET MVC 5

I have a super simple Authentication Attribute that I'm trying to implement in an ASP.NET MVC 5 application and I'm having some trouble. I want the attribute to be applied globally, except for specific actions within a controller (for example the login form and the home page).
I've tried decorating the action with the [OverrideAuthentication] attribute with no luck. It gives me a redirect loop error because the application is still running the authentication on the login form, and keeps trying to redirect back to the login form over and over.
Has anyone else seen this behaviour? Any idea what I've stuffed up here?
By way of example, I've created a super simple filter that is currently unimplemented:
public class BasicAuthenticationAttribute
: ActionFilterAttribute, IAuthenticationFilter
{
public void OnAuthentication(AuthenticationContext filterContext)
{
throw new NotImplementedException();
}
public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
{
throw new NotImplementedException();
}
}
If I decorate my controller/action like this:
[BasicAuthentication]
public class AccountController : Controller
{
[HttpGet]
[OverrideAuthentication]
public ActionResult Login()
{
return View();
}
}
I get a not implemented exception when I navigate to the Login action, even though that action shouldn't be running the authentication code at all. Have I misunderstood how overrides are supposed to work?
I think you have confused authentication with authorization (as many people do). It doesn't make sense to make a [BasicAuthenticationAttribute] and register it globally, because authentication only happens upon login, not on every request.
Authorization is what takes place after the user has logged in to check whether the user has the required privileges to do a specific action, and it makes sense to do authorization globally. Authorization in MVC is handled by the [AuthorizeAttribute] and you can inherit it if you need to customize the way the authorization check is done. You can also register it as a global filter.
The [AllowAnonymousAttribute] works in conjunction with [AuthorizeAttribute], and basically tells it to skip the authorization check. It should also be noted that the [AllowAnonymousAttribute] will have no effect unless it is used with the [AuthorizeAttribute].

ASP.NET MVC security: how to check if a controller method is allowed to execute under current user's perrmissions

Given an ASP.NET MVC Controller class declaration:
public class ItemController : Controller
{
public ActionResult Index()
{
// ...
}
public ActionResult Details()
{
// ...
}
[Authorize(Roles="Admin, Editor")]
public ActionResult Edit()
{
// ...
}
[Authorize(Roles="Admin")]
public ActionResult Delete()
{
// ..
}
}
I need to reflect a list of methods in this class which may be invoked with the current user's permissions.
Please share some ideas of what could be done in this case.
Well for the new question think something along the lines of:
new ReflectedControllerDescriptor(typeof(ItemController)).GetCanonicalActions()
could be used to return the list of all available actions. I don't have ASP.NET MVC available to me at work, so I can't really check to see if the ActionDescriptor's returned by that will contain some parameter which says which members are allowed to execute them.
http://msdn.microsoft.com/en-us/library/system.web.mvc.actiondescriptor_members%28v=VS.90%29.aspx
That is the members of the ActionDescriptor, you might be able to find something in there. I'll see tonight if I can figure it out, this has gotten me kind of intrigued.
There's no universal user login/authentication system for all applications, thus this really isn't possible to create a 'universal solution'. You could create your own user login and authorization classes which you then add your own annotations to methods to do, but its going to have the same restrictions that the asp.net mvc system has, its only for your login/authorization system (or whoever extends that system).

ASP.NET MVC Account Controller usage guidelines?

I'm looking at the MVC account controller, and it seems to be from ASP.NET webforms. Is there any good background information on how to use it?
Can you map it to a user database table or is it better to roll your own user management?
How do you make use of it in MVC to restrict what pages a logged in user can view? Do you have to roll all of that on your own?
What resources on the web can help with understanding the ASP.NET Membership?
I'm looking at the MVC account
controller.... it seems to be from
asp.net?
Scott Guthrie explains this quite well in his blog entry about ASP.NET MVC Preview 4. He basically says that the Account Controller from the MVC sample uses the ASP.NET membership provider, so you can use any of those. (I think you can find out more about ASP.NET membership providers on the internet.) If you do not want to implement/use one of those, modifying the application to use your own user management would probably be the best option.
How do you make use of it in MVC to
restrict what pages a logged in user
can view? Do you have to roll all of
that on your own?
You can add the Authorize attribute to the controller class or action method. (Same source as above.)
// Only logged in users can access this controller.
[Authorize]
public class SomeController : Controller
{
#region Not really important for this example. :]
// Maybe rather use a BLL service here instead of the repository from the DAL, but this example is already more verbose than required.
private IStuffRepository stuffRepository;
public SomeController(IStuffRepository stuffRepository)
{
if (null == stuffRepository)
{
throw new ArgumentNullException("stuffRepository");
}
this.stuffRepository = stuffRepository;
}
#endregion
// The authorize attribute is inherited - only logged in users can use the index action.
public ActionResult Index()
{
return View();
}
// Moderators can flag stuff.
[Authorize(Roles="Moderator")]
public ActionResult Flag(int id)
{
this.stuffRepository.Flag(id);
return RedirectToAction("Index");
}
// Admins ans SysOps can delete stuff.
[Authorize(Roles="Admin,SysOp")]
public ActionResult Delete(int id)
{
this.stuffRepository.Delete(id);
return RedirectToAction("Index");
}
// Only joed can change the objects stuff. ;)
// (This is probably bullshit, of course, but I could not make any better example. I blame the fact it is late at night. :))
[Authorize(Users="COMPANY\\joed")]
public ActionResult ChangeId(int oldId, int newId)
{
this.stuffRepository.ChangeId(oldId, newId);
return RedirectToAction("Index");
}
}

How do I handle page flow in MVC (particularly asp.net)

If you had to provide a wizard like form entry experience in mvc how would you abstract the page flow?
Investigate the post-redirect-get pattern.
http://weblogs.asp.net/mhawley/archive/tags/MVC/default.aspx
http://devlicio.us/blogs/tim_barcz/archive/2008/08/22/prg-pattern-in-the-asp-net-mvc-framework.aspx
Use that along with a robust domain model (for tracking steps or form completion state or whatever you call it) and you're golden.
In order to keep the steps you could implement a page flow action filters, which provide an experience like this one:
[RequiredStep(FlowStart = true)]
public ActionResult Confirm()
{
return View();
}
[RequiredStep (PreviousStep = "Confirm")]
public ActionResult ExecuteOrder()
{
return RedirectToAction("ThankYou");
}
[RequiredStep(PreviousStep = "ExecuteOrder")]
public ActionResult ThankYou()
{
return View();
}
I left the page flow up to the view, where I believe it belongs, so different views could have different page flows (e.g. for desktop browser clients or mobile phone clients etc.) I wrote it up on my blog: A RESTful Wizard Using ASP.Net MVC… Perhaps?
public class CreateAccountWizardController : Controller
{
public ActionRresult Step1()
{
}
public ActionResult Step2()
{
}
}
There are a couple ways, create an action for each step of the wizard process, or create a parameter that is passed in to the action method. Like step that will allow you to know what the state of the wizard is in.

Resources