Custom Authentication on a Controllers Action Methods - asp.net-mvc

I'm new to ASP.NET MVC and I was wondering if there was any clean, non-repetitive way of running a check to see whether a user is logged in when any Action Method on a particular controller is invoked? Also, is there a way to stop that method from being invoked and redirect the user to a specified page?
I'm using a custom authentication method (not Membership Provider) and I'm having trouble finding examples for this type of implementation.
Thanks in advance

Check the [Authorize] attribute System.Web.Mvc.AuthorizeAttribute. Also, the template ASP.NET MVC application created in Visual Studio contains a controller illustrating authorization/authentication techniques.

Related

ASP.Net membership for MVC3 Project only from Web.config just like in websites

I want to apply ASP.NET membership on areas in an MVC 3.0 project, but I don't want to put [Authorize] in the controller. Is this possible? If so, how can I achieve this?
You can implement the security checks yourself on the call to each method by overriding OnActionExecuting in a base controller (or each one if you don't want to implement a base controller) and decide whether to allow the call or not. Just out of curiosity why not use [Authorize]?
Yes you can implement global authorization in mvc3. You do this by first writing a global filter that overrides the default AuthorizeAttribute, then registering your custom filter in global.asax
Check out this blog post for more details
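An added example (not from the original answers) that serves both the first question on this page and the global-filter answer above: a filter derived from AuthorizeAttribute that checks a custom login, redirects instead of running the action, and is registered for every action. The names SiteAuthorizeAttribute, PublicAttribute and FilterConfig and the ~/Account/LogOn URL are assumptions, as is the premise that your own authentication code sets HttpContext.User earlier in the request.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical marker for actions that must stay reachable without a login,
// such as the login page itself (MVC 3 has no built-in [AllowAnonymous]).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class PublicAttribute : Attribute { }

public class SiteAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: custom authentication code has already placed your own
    // IPrincipal in HttpContext.User before authorization filters run.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        return user != null && user.Identity != null && user.Identity.IsAuthenticated;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        bool isPublic =
            action.IsDefined(typeof(PublicAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(PublicAttribute), true);
        if (isPublic) return;
        // The base implementation calls AuthorizeCore and registers a cache
        // validation callback, so output-cached results are re-checked too.
        base.OnAuthorization(filterContext);
    }

    // Runs instead of the action method when AuthorizeCore returns false.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("~/Account/LogOn"); // assumed login URL
    }
}

// Call FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) from Application_Start.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new SiteAuthorizeAttribute()); // applies to every action
    }
}
```

With the filter registered globally, a new controller is protected by default and only actions marked [Public] are exempt, so forgetting an attribute fails closed rather than open.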

classic asp page posting to mvc3 controller action

I am currently working with integrating a classic asp site with MVC3. I have some questions on some areas of the integration that I would like some feedback on.
Firstly, I have an ASP page posting to an MVC controller action. I have very little scope to modify the ASP page. I want to take the form fields posted from the ASP page and map them into a model object. The posted values have obscure names such as "my_name" which I want to map to the Name property on the model object. Is the best way of doing this via a Model Binder or is there an alternative?
Next question I have is a follow on from the previous, I am concerned with any cross site scripting so want to check the values of the posted variables to be valid and contain no strange characters etc. Is there something built in to MVC3 that does this out of the box?
When the ASP page posts to the controller action, I would like to show a waiting icon while the controller action is processing, as the controller action could take 10 seconds plus as it must call external systems etc. Therefore I don't want the post to seem as if it's hanging. Is it possible to wire up the controller action to return a view with a waiting icon, while the main body of the action is processing in the background and once complete redirects to another page?
Is the best way of doing this via a Model Binder or is there an alternative?
The best way of doing this is a model binder. You can have a custom model binder to take care of the ASP scenario that maps the my_name to Name. Mostly you should have a separate action to handle the requests coming from classic ASP and you can link the custom model binder to only this action.
Is there something built in to MVC3 that does this out of the box?
Request validation is enabled by default in MVC. So if a user tries to post a script block to the action, MVC will throw an exception. Of course you can switch off request validation by decorating the action with ValidateInput(false) if you need to.
For long running actions you have to use asynccontrollers.
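An added example (not from the original answer) of the custom model binder described above, attached to a single action that receives the classic ASP post and validating the mapped fields before use. LegacyContact, LegacyContactBinder, LegacyController, the "my_email" field and the length limits are assumptions; only "my_name" comes from the question.

```csharp
using System.Web.Mvc;

public class LegacyContact   // hypothetical model
{
    public string Name { get; set; }
    public string Email { get; set; }
}

public class LegacyContactBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext,
                            ModelBindingContext bindingContext)
    {
        return new LegacyContact
        {
            Name = Read(bindingContext, "my_name", 100),
            Email = Read(bindingContext, "my_email", 254)   // assumed field name
        };
    }

    private static string Read(ModelBindingContext ctx, string field, int maxLength)
    {
        // Reading through the value provider, not the unvalidated collection,
        // leaves ASP.NET request validation applied to these fields.
        ValueProviderResult result = ctx.ValueProvider.GetValue(field);
        string value = result == null ? null : result.AttemptedValue;
        if (string.IsNullOrWhiteSpace(value))
            ctx.ModelState.AddModelError(field, field + " is required.");
        else if (value.Length > maxLength)
            ctx.ModelState.AddModelError(field, field + " is too long.");
        return value == null ? null : value.Trim();
    }
}

public class LegacyController : Controller
{
    // The binder is bound to this one action only, as the answer suggests.
    [HttpPost]
    public ActionResult Receive(
        [ModelBinder(typeof(LegacyContactBinder))] LegacyContact contact)
    {
        if (!ModelState.IsValid)
            return new HttpStatusCodeResult(400);   // reject malformed posts
        // ... call external systems with contact.Name / contact.Email ...
        return RedirectToAction("Done");
    }

    public ActionResult Done() { return Content("OK"); }
}
```

Request validation only rejects obviously dangerous input; values that are later rendered in a view still need to be HTML-encoded on output.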

Forms Authentication (restrict an area)

I'm developing a website using ASP.NET MVC with MySQL and I need to make a simple restricted area for the user to update some information on the website. So, I created an area in the MVC application called "Admin", and I know how to protect it using Forms authentication and the Authorize attribute! It works fine, but in each controller of my area I have to set the Authorize attribute to protect them. Is there any way to protect the whole Area in Web.config? How can I do that?
Thanks
Cheers
You must not use Web.config location-based authorization in an MVC application. Doing so will lead to security vulnerabilities in your site.
The easiest way to get the behavior you're looking for is to have an AdminBaseController which has an [Authorize] attribute on it, then have each controller in your Admin area subclass this type directly. The attribute will flow from the base type to the subclassed types.
A bit off your question as you want to use Web.config, but you can use PostSharp (an aspect oriented framework) to inject attributes on methods.
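An added example (not from the original answers) of the AdminBaseController approach, plus a reflection check that fails at startup or in a unit test if any controller in the Admin area lacks an inherited or direct [Authorize]. Unlike a Web.config location rule, which guards a URL path, the attribute guards the controller itself regardless of which route reaches it. The namespace, PagesController and AdminAreaGuard are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// [Authorize] is an inherited attribute, so every subclass is protected.
[Authorize]
public abstract class AdminBaseController : Controller { }

namespace MySite.Areas.Admin.Controllers   // assumed area namespace
{
    public class PagesController : AdminBaseController
    {
        public ActionResult Index() { return View(); }
    }
}

public static class AdminAreaGuard
{
    // Returns concrete controllers under areaNamespace that carry no
    // [Authorize], either directly or through a base class.
    public static IList<Type> FindUnprotected(Assembly assembly, string areaNamespace)
    {
        return assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract
                        && typeof(IController).IsAssignableFrom(t)
                        && t.Namespace != null
                        && t.Namespace.StartsWith(areaNamespace, StringComparison.Ordinal))
            .Where(t => !t.GetCustomAttributes(typeof(AuthorizeAttribute), true).Any())
            .ToList();
    }

    // Call from Application_Start or a unit test so a forgotten base class
    // is caught before the controller is ever served.
    public static void Enforce(Assembly assembly, string areaNamespace)
    {
        var offenders = FindUnprotected(assembly, areaNamespace);
        if (offenders.Count > 0)
            throw new InvalidOperationException(
                "Admin controllers without [Authorize]: " +
                string.Join(", ", offenders.Select(t => t.FullName)));
    }
}
```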

asp.net mvc : can i write AuthorizeAttribute in model

In ASP.NET MVC architecture,
can I write AuthorizeAttribute on the method of a model class?
I am trying to do this but it's not working.
Please let me know how I can do this.
No, you can apply authorization to controller's actions only.
You should check there if the user can access the actions performed on the model and then do it. Putting authorization on the model is not good, because the same model may be used in different actions, and the user may be authorized to some, and denied some other.

Custom Authentication asp.net MVC

At what point should I be checking for my cookie in my MVC app? Basically what I wish to do for each request is check to see if there is a cookie and if so show their name on the screen somewhere; if not, and the page requires the user to be logged in, redirect them to a login page.
I DON'T want to use FormsAuthentication as I wish to create and use my own IPrincipal object. I'm just not sure whether I should be setting these in a base controller class or creating my own Authorize attribute and doing the checks in there.
My initial thoughts are that I should be doing this in the base controller class as this is similar to the base page in webforms where I override oninit.
Do not attempt to do authentication in a base controller class. In a situation where an action result is cached, your action will not run at all, and no controller will ever be instantiated. Therefore, authentication done inside the controller is broken by design.
The correct way to customize authentication, for many reasons, is to create a custom authentication provider. I've explained the reasons why and given links to simple examples of how to do this in the post linked above.
In short, using this method:
Has the right level of modularity
Works with caching
Works with regular ASP.NET, as well as with MVC
