AspNet MVC - apply security to views?
I would like to add integrated window protection to one of my views, is this possible?
In web forms, I'll just find the file in IIS and add the file protection features there. obv MVC not being a file doesn't work.
Site is using Forms Auth - Attempting to make this work for MVC http://beensoft.blogspot.com/2008/06/mixing-forms-and-windows-authentication.html
thank
source to share
You can use security attributes for Action methods called AuthorizeAttribute.
For example,
[Authorize(Roles = "Domain Users")]
public ActionResult Create(FormCollection collection)
To then restrict access to links or the like, or even hide them from users, we applied an extension method called SecurityTrimmedActionLink, which we mostly adapted / borrowed from http://www.inq.me/post/ASPNet-MVC-Extension- method-to-create-a-Security-Aware-HtmlActionLink.aspx .
public static string SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkText, string action, object routeValues)
{
if (IsAccessibleToUser(action, htmlHelper.ViewContext.Controller))
{
return htmlHelper.ActionLink(linkText, action, routeValues);
}
return string.Empty;
}
public static string SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkText, string action)
{
return SecurityTrimmedActionLink(htmlHelper, linkText, action, null);
}
private static bool IsAccessibleToUser(string action, ControllerBase controller)
{
ArrayList controllerAttributes = new ArrayList(controller.GetType().GetCustomAttributes(typeof(AuthorizeAttribute), true));
ArrayList actionAttributes = new ArrayList();
MethodInfo[] methods = controller.GetType().GetMethods();
foreach (MethodInfo method in methods)
{
object[] attributes = method.GetCustomAttributes(typeof(ActionNameAttribute), true);
if ((attributes.Length == 0 && method.Name == action) || (attributes.Length > 0 && ((ActionNameAttribute)attributes[0]).Name == action))
{
actionAttributes.AddRange(method.GetCustomAttributes(typeof(AuthorizeAttribute), true));
}
}
if (controllerAttributes.Count == 0 && actionAttributes.Count == 0)
return true;
IPrincipal principal = HttpContext.Current.User;
string roles = "";
string users = "";
if (controllerAttributes.Count > 0)
{
AuthorizeAttribute attribute = controllerAttributes[0] as AuthorizeAttribute;
roles += attribute.Roles;
users += attribute.Users;
}
if (actionAttributes.Count > 0)
{
AuthorizeAttribute attribute = actionAttributes[0] as AuthorizeAttribute;
roles += attribute.Roles;
users += attribute.Users;
}
if (string.IsNullOrEmpty(roles) && string.IsNullOrEmpty(users) && principal.Identity.IsAuthenticated)
return true;
string[] roleArray = roles.Split(',');
string[] usersArray = users.Split(',');
foreach (string role in roleArray)
{
if (role == "*" || principal.IsInRole(role))
return true;
}
foreach (string user in usersArray)
{
if (user == "*" || (principal.Identity.Name.Equals(user, StringComparison.InvariantCultureIgnoreCase)))
return true;
}
return false;
}
source to share
Since the site is already using forms authentication, you won't be able to validate roles or attribute names Authorize
on your controllers / actions. Because this will use the current provider (forms) and not Windows.
A quick and not so elegant solution would be to have a function like the one below and check it before returning the view.
bool IsWindowsAuthenticated() {
//the following classes are under System.Security.Principal
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
return principal.Identity.IsAuthenticated;
}
Please note that there may be a better way to do this. I'll just provide this example in case it might be helpful.
source to share