So I just read Rob Conery’s blog post on Securing Your Controller Actions in MVC. I was a little perplexed about why guys at Microsoft love to reinvent stuff they have already done. I know Rob Conery is a really smart guy and has a wonderful grasp of the .NET framework, so I would have to assume he knows about what I have outlined below. My only guess is that he just wanted to re-invent something that is already built in to the framework using his own code.

Basically what Rob did was the following, created two attributes for attaching on the MVC Controller Action:

RequiresAuthenticationAttribute

[RequiresAuthentication]public void Index () {
    RenderView("Index");
}

RequiresRoleAttribute

[RequiresRole(RoleToCheckFor = "Member")]public void Index () {
    RenderView("Index");
}

I have accomplished the same thing using an attribute that has been apart of .NET since 1.0. The attribute is called PrincipalPermissionAttribute and is part of the System.Security.Permission namespace. The best thing about it is that it is integrated in to the run time, so there is no chance of unwanted people getting through. It also accomplishes both of Robs attributes up above, plus more. Using the examples up above I will demonstrate how to use PrincipalPermissionAttribute to secure and protect your Controller Actions.

RequiresAuthenticationAttribute

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]public void Index () {
    RenderView("Index");
}

RequiresRoleAttribute

[PrincipalPermission(SecurityAction.Demand, Role = "Member")]public void Index () {
    RenderView("Index");
}

In addition if you were inclined you can restrict things to just one user name with PrincipalPermissionAttribute. So for instance if you wanted to restrict adding and removing roles and their permissions to only the username “SiteAdmin”, you would do the following.

[PrincipalPermission(SecurityAction.Demand, Name = "SiteAdmin")]public void RolesAdmin () {
    RenderView("RolesAdmin");
}

As you can see this is very powerful. Built in to the run time, by extending the CodeAccessSecurityAttribute, so it operates at a lower level than Rob’s solution. Only requires the use of one attribute, and throws only one exception called SecurityException.

I really hope that ASP.NET MVC doesn’t turn in to a lets-redo-everything-that-already-works framework, because they still have many issues that they need to achieve before ASP.NET MVC is usable, and focusing on things that are already implemented in the .NET framework doesn’t seem like the right course of action when developing a new offering.

Read the rest of this entry »

Tags: ASP.NET, C#, CodeAccessSecurityAttribute, MVC, PrincipalPermissionAttribute, Security, SecurityException

Posted in ASP.NET, C#, How To, Programming, Rant | | | View blog reactions | 13 Comments »

Just saw this article over at The Register about the virus turning 25.

Elk Cloner, which spread between Apple II computers via infected floppy disks, has the dubious distinction of the first computer virus1 to spread in the wild. The malware is thought to be the work of Rich Skrenta, a 15-year-old high school student from Pittsburgh, who released it in July 1982.

So when ever a fan boy starts talking about how secure OS X is, you can remind the that it was Apple that had the first unsecured computer in the world.

Tags: Apple, Security

Posted in Programming, Rant | | | View blog reactions | 2 Comments »

Steve Jobs must have been kicking ass and taking names. Because only 3 days after the initial release, of Apple’s Safari Web Browser for Windows that had 6 security bugs known as of this article, Apple has released an updated version, version of the Safari software. According to Engadet the following bugs have been fixed with this new release.

CVE-ID: CVE-2007-3186
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to arbitrary code execution
Description: A command injection vulnerability exists in the Windows version of Safari 3 Public Beta. By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional processing and validation of URLs. This does not pose a security issue on Mac OS X systems, but could lead to an unexpected termination of the Safari browser.

CVE-ID: CVE-2007-3185
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution
Description: An out-of-bounds memory read issue in Safari 3 Public Beta for Windows may lead to an unexpected application termination or arbitrary code execution when visiting a malicious website. This issue does not affect Mac OS X systems.

CVE-ID: CVE-2007-2391
Available for: Windows XP or Vista
Impact: Visiting a malicious website may allow cross-site scripting
Description: A race condition in Safari 3 Public Beta for Windows may allow cross site scripting. Visiting a maliciously crafted web page may allow access to JavaScript objects or the execution of arbitrary JavaScript in the context of another web page. This issue does not affect Mac OS X systems.

This is a nice turn around time indeed, but my heart goes out to the Safari developers because they probably worked night and day for the last 72 hours, with the watchful eye of Steve Jobs over them. Good job Apple, now get some rest.

So if you feel inclined and don’t think you already have too many web browsers:

Download Safari

Tags: Apple, Internet Browser, Safari, Security

Posted in Programming, Rant | | | View blog reactions | 1 Comment »

Apple has just released a public beta of its Safari browser for Windows yesterday. And there have been already 6 zero day exploits and many, many crashes for the browser. You can read about them here here here and here. Which makes the following image from the Apple website, borrowed from aviv.raffon.net, all the more funny.

Also Apple has the following to say under the Security tab of their website:

Security

Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one.

For starters, Safari uses robust encryption to ensure that your private information stays that way. When you browse a secure site, Safari displays a lock icon in the upper-right corner of the browser. If you want to know more about the credentials of a secure site, click the lock icon and Safari displays detailed information about the site’s security certificate.

Safari supports SSL versions 2 and 3, as well as Transport Layer Security (TLS), the next generation of Internet security. Safari uses these technologies to provide a secure, encrypted channel that protects all your information from online eavesdroppers. And Safari lets you use standards-based authentication such as Kerberos single sign-on and X.509 personal certificates, or proprietary protocols like NTLMv2 to log in to secure sites.

Safari also supports a variety of proxy protocols — services that help firewalls control what flows in and out of the network — including Automatic Proxy configuration, FTP Proxy, Web Proxy (HTTP), Secure Web Proxy (HTTPS), Streaming Proxy (RTSP), SOCKS Proxy, and Gopher Proxy.

I don’t know about you, but it’s one thing to say that you have designed your browser to be secure from day one, but it’s another to actually prove it. Apple has fallen flat on its face with this release, and I know it is only a beta, but Fire Fox and IE have both been in beta before and haven’t nearly had this many problems.

All that I have to say is when you venture out in to the Windows world Apple, where the market share is at 90% you are not protected by your small margins anymore.

Tags: Apple, Internet Browser, Microsoft, Performance, Safari, Security, Windows Vista, Windows XP

Posted in Programming, Rant | | | View blog reactions | 1 Comment »