I am testing RSA secureID(Token) to use for security in my asp.net mvc project.
It protects the url that i assigned and it will prompt to insert
UserName and password when we browse that url.
For eg,if we assigned **Http://SamlpleApp/Sales/main.aspx** to protect,
RSA will prompt to set username and password when we browse it.
That one is working properly in normal asp.net projects.
But,i don't know
how to use in my asp.net mvc prj,i want to protect one view,physical
address may be **Http://SampleApp/Views/Sales/Index.aspx** ,but we have to call the
controller index action first and that wil redirect to view in mvc.
So,is it possible
to get physical url of view like "Http://SampleApp/Views/Sales/Index.aspx"
when we browse controller action? I mean i want to get that url when we call
controller action.
Please give me the the right way.
Best Regards,
Indi
It's not possible to go directly to the view. If you look in the web.config file in your Views directory, you will notice it blocks all requests.
If you want to secure a page you have to do it by securing the controller or the action by using the authorize attribute (or implement your own authorisation).
Related
I have a .Net MVC application. I use Asp.net Identity for login and roles.
Every controller I have is decorated with [Authorize]
I have not done anything else in the code to protect the application.
Is there anything Else that must be done in ordet to protect the site? And im not takling protection of the webserver. Only the website.
Thanks
Add MVC's anti-forgery support, this basically writes a unique value to an HTTP-only cookie and then the same value is written to the form. When the page is submitted, an error is raised if the cookie value doesn't match the form value.
It's important to note that the feature prevents cross site request forgeries.
How to use it:
Decorate every controller action used to post data with this: [ValidateAntiForgeryToken] and add the unique value to your form posting the data by adding the following to your form #Html.AntiForgeryToken()
I currently have an intranet site that is accessed by external customers. I therefore set this up using Forms Authentication. However the powers that be (my bosses) want all our domain users to not have to enter their username and password to access the site.
I've done a bit or reading and everything seems to point to setting up a WinLogin.aspx page that you alter to use WindowAuthenthication and then redirect from there.
I have a problem with this as I don't like the idea of putting an aspx form in my mvc application.
Can anyone tell me how to achieve mixed authentication using a strictly MVC Controller/Action setup without a second application?
NOTES: running MVC 3 on an IIS 7 box.
Forms Authentication is not related to the URL or physical structure of your files. What matters is that a URL should ultimately map to a physical (or virtual) resource on the server, and be processed, and be returned back to the user.
Thus, somewhere in between for each incoming call (each HTTP request, even those for CSS and JavaScript files), you have to see if the current user has enough permission to access it or not. If no, then you might redirect him to the login page.
If you want, you can have a URL like /user/windowslogin where user is the name of the controller, and windowslogin is the name of your action method. Then you can create a custom authentication attribute (something like [WindowsAuthentication]) on your windowslogin action, and in that attribute (which is an MVC filter in essence), you can see if the current request comes from within your domain, and if so, talk to Active Directory for authentication or stuff like that, and on case of successful authentication, create an authentication cookie using FormsAuthentication class, and the rest of the story.
However, I don't think this would be an easy task. Others might introduce better solutions.
I was looking over some ASP.NET MVC 1 code (C#) in search of the mechanisms that the site was using to log in a user. This is what I found...
FormsAuthentication.SetAuthCookie(authenticatedUser.UserName, false);
followed by a redirect. Is it REALLY that simple?
I couldn't find any other code after the redirect that would be responsible for this.
FormsAuthentication.SetAuthCookie creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, or to the URL if you are using cookieless authentication.
This will "log in a user" but you need to actually make sure the user exists somehow. You can use the built in membership providers which will by default target a SQL Express database in your App_Data folder called ASPNETDB.mdf.
If the default membership provider does not work for you then you can create a custom membership provider by inheriting from the base MembershipProvider class. If you don't want to do this then you can roll your own solution and still issue an authentication ticket, but at the very least you need to do something to actually make sure a user is who he says he is.
How would you go about redirecting in ASP.NET MVC to take into account some external URL rewriting rules.
For example:
What the user enters: http://www.example.com/app/route
What ASP.NET MVC sees: /route
What I want to redirect to: http://www.example.com/app/other_route
What actually happens when I do a simple RedirectToAction: http://www.example.com/other_route (which doesn't exist, from the outside anyway)
This seems like it should be simple, but I'm drawing a blank.
Just use
RedirectToAction("NewAction", "Controller-Required-If-Diferent-From-Current-Controller");
I have an MVC app that is working fine, but I now want to add in an SSL site to the app.
This is a separate site in IIS, with the SSL certificate, but for re-use, I'm just pointing the SSL site to the same directory as the regular site.
What I'd like to do now, is direct the user to a certain controller (payment) if they come in on the secure url. Otherwise, they can continue on as they were.
What is the best way to do this?
Routing? Filters? Custom BaseController?
How can I ensure that no matter what route they try, if their Request.Url.Host is my secure url, then they'll get redirected. In the future if I add new controllers and actions, I don't want to have to put this in every controller.
Is there a way, application wide, that I can tell all controllers to redirect if a certain url is found?
Decorate your method with:
[RequireSsl(Redirect = true)]
[RequireHttps] is now part of ASP.NET MVC 2