Comments on: ASP.NET MVC: Securing Your Controller Actions (The .NET Framework Way)

By: Matt Dwyer

Matt Dwyer — Mon, 15 Sep 2008 17:23:47 +0000

Obviously I have to respect your opinion on that, but I just don’t see it, consider your quote:

>>>My only guess is that he just wanted to re-invent something that is already built in to the framework using his own code<<<

Who hasn’t reinvented something in a/the framework with their own code at some point?

By: Nick Berardi

Nick Berardi — Mon, 15 Sep 2008 17:03:35 +0000

Matt, Everything else left aside, I was in the wrong on this.

By: Matt Dwyer

Matt Dwyer — Mon, 15 Sep 2008 16:00:28 +0000

“That was unnecessary. I know you probably didn’t mean to insult, but that’s what it is.”

Pretty thin-skinned considering the troll jobs I’ve seen you do on other people. I hope some Hawaiian beats you senseless with your sunscreen bottle while you’re floundering in the shorebreak trying to get another action pic for your blog.

By: ASP.NET MVC Archived Buzz, Page 1

ASP.NET MVC Archived Buzz, Page 1 — Sun, 13 Jul 2008 15:06:15 +0000

[...] [FriendFeed] ASP.NET MVC: Securing Your Controller Actions (The .NET Framework Way) (7/13/2008)Sunday, July 13, 2008 from http://www.coderjournal.com [...]

By: Nick Berardi

Nick Berardi — Mon, 17 Mar 2008 16:34:19 +0000

Sorry about that I left the following two pieces of code out of SVN.

http://code.google.com/p/coderjournal/source/browse/trunk/ManagedFusion.Web.Mvc/MvcExtensions.cs
http://code.google.com/p/coderjournal/source/browse/trunk/ManagedFusion.Web.Mvc/WebExtensions.cs

By: SubC

SubC — Mon, 17 Mar 2008 16:17:28 +0000

In ExceptionFilterAttribute, OnActionExecuted method used “filterContext.RedirectToAction” which is not supported in the March 2008 MVC release. How should the code be updated to reflect this?

Thanks.

By: Rob Conery

Rob Conery — Thu, 13 Mar 2008 22:23:53 +0000

Nick I wrote a whole post on using PrinciplePermission but didn’t post it because I thought it was hitting a tack with a sledgehammer. You have to catch the Exception that is thrown (which some people do in Global.asax) or, like you did, come up with a secondary Filter. This isn’t a very good solution in my mind - more code for what payoff? They do the same thing - difference is that you can do more with a filter.

Like redirects - even custom ones. You can also test to see if a user is logged in before tossing an Exception. If you noticed in my sample where I check a Role, I first see if the user’s logged in - if they aren’t redirect them while appending the proper Return. Your example above throws an Exception - which you’d have to code your way out of to handle properly.

Finally - I’m not sure why you’d suggest the code is “Nasty” because it references FormsAuthentication. This is by way of example of course, so if you wanted to use a different Auth Scheme you could.

>>>My only guess is that he just wanted to re-invent something that is already built in to the framework using his own code<<<

That was unnecessary. I know you probably didn’t mean to insult, but that’s what it is.

By: Nick Berardi

Nick Berardi — Thu, 13 Mar 2008 19:07:34 +0000

It is clear that I need to provide a little more insight in to my solution and what I am doing to redirect the user to the login page. I have created an exception handling attribute that will turn specified exceptions in to specific response codes. In the case of SecurityException, it gets turned in to a “401 Unauthorized” response code.

Source for ExceptionHandlerAttribute:
http://code.google.com/p/coderjournal/source/browse/trunk/ManagedFusion.Web.Mvc/ExceptionHandlerAttribute.cs

Also Rob’s solution had the nasty habit of assuming everybody was using Form Authentication, if I tried Passport, Windows, or Basic authentication I would be out of luck. That is why as demonstrated in the example below that set the status code to “401 Unauthorized” and then let whatever authentication module that I am using pick up on the status code and redirect me to a login page for Forms Authentication or pop open a Windows dialog for my credentials or take me off to a Microsoft Password authentication page.

So I would do the following to my method to let the 401 float down to the EndResponse and then let the FormsAuthenticationModule or WindowsAuthenticationModule pick up the HTTP 401 Status Code and do what ever it does depending on what type of authentication you are using.

[PrincipalPermission(SecurityAction.Demand, Name = "SiteAdmin")]
[ExceptionHandler(401, "Unauthorized", typeof(SecurityException)]
public void RolesAdmin () {
RenderView(”RolesAdmin”);
}

Or I can redirect them to the correct action depending on the exception that is thrown

[PrincipalPermission(SecurityAction.Demand, Name = "SiteAdmin")]
[ExceptionHandler("Login", "User", typeof(SecurityException)]
public void RolesAdmin () {
RenderView(”RolesAdmin”);
}

Thanks,
Nick

By: ryan

ryan — Thu, 13 Mar 2008 18:30:52 +0000

So, with your method, is there a way to redirect the user to the login page, and subsequently to the page they were trying to reach after they login?

By: Jesse

Jesse — Thu, 13 Mar 2008 17:36:27 +0000

This post would make sense if the PrinicipalPermission actually did what Rob’s attributes accomplish. The PrinicpalPermission will always throw exceptions if the user isn’t authenticated or doesn’t have the required role. Rob’s attributes redirect an unauthenticated user to the login page. So if your goal is to throw always throw an exception then use the Principal Permission, otherwise if you want to go down the path of what asp.net does for unauthenticated users then follow the advice in Rob’s article. Nick, maybe you should fully understand what others are trying to accomplish before talking smack.