I’m at a point where I’m really confused about how to go about handling security in my ASP .NET MVC application. Here’s what I know I want to do:
1) I want my own schema layout so I can implement security how I want it and not be tied to Microsoft’s default db schema (which I’ve seen next to no support for on other dbms’s).
2) This is going to sound like a contradiction, but I want to use Entity Framework, and, yes, MS Sql Server 2005. Just because I am doing this, does not mean I want to be locked into these decisions. I’ve seen a number of other dbms vendors provide EF support, so this seems like a much better way to go.
The basic security setup is rather simple. There are users. Users have roles. I have 3 basic tables from this: User, Role, UserRoles.
So, if this was a professional web application I was contracted to create, what would be a good way to do this? Creating a custom membership provider implementation seems the most thorough and it seems like it’s a rather portable solution. I have seen several articles talk about just creating an ActionFilter or CustomAttribute. It might be the two are the same thing; like I said, I’m really confused.
The bottom line here is I’m trying to get my feet wet on this technology, but I want the foresight of knowing how this would be done in the real world. I’ve gone over the NerdDinner example and that uses the default membership provider setup (schema included), which is not what I want here.
I’ve googled this. I’ve read dozens of articles and found a great many implementations. I’ve gone through ASP .NET Unleashed, which just has the standard Membership provider explanation. I’m really just trying to find some solid professional advice here from those of you who have been in industry and done this a time or two.
Thanks for your time.
Update.
I’ve managed to get the CSS file to be exempt from authentication. I added the following to the web.config (app level).
<location path="Content">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="~/Views/Account">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Now there is a logic issue. I’ve instructed the application earlier in the web.config that the login url is: LogOn.aspx. Since I’ve implemented a custom membership and provider, I figured I’d go with the default account logon page. The page gives you the option to Register for a new account; however, clicking the Register hyperlink just keeps you on the LogOn page. Obviously new users won’t be very happy about that. I tried to make all pages in the Views/Account folder not be authenticated with the xml above, but it doesn’t seem to have worked. Thoughts?
Updated again.
Apparently, the Location tag just needs the directory name and not the directory tree. At least that seems to be the case for me. I changed the 2nd location tag to look like this:
<location path="Account">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
And now I can access all files in the Account views folder, as well as all Account controller actions. There’s an interesting irony here: I’ve gone about and created a custom membership provider implementation (which I’m very glad I did), so I can use the vanilla Register & LogOn pages that ship with ASP .NET MVC. I suppose, if it’s not broken, don’t fix it. So tell me…how comfortable would any of you be putting these pages into a production environment with minimal changes? Just curious. I’m at a point where I’m just trying to figure out HOW to do this stuff; I can’t really assess if doing or using X is a good thing or not quite yet.
As far as I know you should be able to do what you are talking about without too much fuss…
Because ASP.Net MVC is built on top of ASP.Net you should be able to take advantage of ASP.Net’s ability to put in your own custom membership provider as you described. Once created, to get ASP.Net MVC to use this provider all you should have to do is register your provider in the web.config and simply add the existing Authorize attribute to whatever controllers you want to lock down.
This existing Authorize attribute isn’t tied to a given provider; it just looks to see which provider is current, and in your case your custom provider will be the current one.
You said that you have read articles on creating custom providers so I won’t go into detail there, and you shouldn’t have to create a custom attribute/filter (an ActionFilter is an attribute, but an attribute isn’t always an ActionFilter – ActionFilters are an MVC concept, attributes are a .Net concept – hope that helps).
So it looks like you should have everything you need to implement.
Let me know if you need more.
UPDATE:
I would hazard a guess that the following is what is wrong with CSS – I have just gone through a very similar problem… In short I think MVC is trying to authenticate the getting of the CSS file and because you are not logged in yet, it’s not letting you download the CSS.
The way to verify this is by doing something similar to the following (note the code goes in the global.asax):
When you debug your app, try putting a break point in here and see how many times it gets called per load of the login page and what the “Request.Path” is for each… If you see that it is trying to authenticate these assets then that is your problem.
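The provider-plus-Authorize route the answer describes, written out as an added example (my own code, not the asker’s or the answerer’s). It is a custom RoleProvider over the three tables from the question (User, Role, UserRoles); the entity classes, the SecurityRepository, the MyApp namespace/assembly name and the sample rows are all assumptions or constructed data standing in for the Entity Framework model and SQL Server.

```csharp
// Added example, not code from the question or the answer: a custom RoleProvider over the
// asker's three tables. Entities, repository, namespace and sample rows are assumptions.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.Linq;
using System.Web.Security;

namespace MyApp.Security
{
    public class User { public int UserId; public string UserName; }
    public class Role { public int RoleId; public string RoleName; }
    public class UserRole { public int UserId; public int RoleId; }

    // Assumed repository; in the real app this would wrap the EF ObjectContext. Constructed rows.
    public class SecurityRepository
    {
        public readonly List<User> Users = new List<User> { new User { UserId = 1, UserName = "alice" }, new User { UserId = 2, UserName = "bob" } };
        public readonly List<Role> Roles = new List<Role> { new Role { RoleId = 1, RoleName = "Admin" }, new Role { RoleId = 2, RoleName = "Member" } };
        public readonly List<UserRole> UserRoles = new List<UserRole> { new UserRole { UserId = 1, RoleId = 1 }, new UserRole { UserId = 1, RoleId = 2 }, new UserRole { UserId = 2, RoleId = 2 } };
    }

    // web.config registration (assembly name "MyApp" is an assumption); once it is in place,
    // [Authorize(Roles = "Admin")] on a controller or action ends up calling IsUserInRole below:
    //   <roleManager enabled="true" defaultProvider="CustomRoleProvider">
    //     <providers><clear />
    //       <add name="CustomRoleProvider" type="MyApp.Security.CustomRoleProvider, MyApp" />
    //     </providers>
    //   </roleManager>
    public class CustomRoleProvider : RoleProvider
    {
        private readonly SecurityRepository _db = new SecurityRepository();
        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            if (config == null) throw new ArgumentNullException("config");
            base.Initialize(string.IsNullOrEmpty(name) ? "CustomRoleProvider" : name, config);
            ApplicationName = config["applicationName"] ?? "/";
        }

        // The two members the Authorize attribute depends on: join User -> UserRoles -> Role.
        public override string[] GetRolesForUser(string username)
        {
            return (from u in _db.Users
                    join ur in _db.UserRoles on u.UserId equals ur.UserId
                    join r in _db.Roles on ur.RoleId equals r.RoleId
                    where string.Equals(u.UserName, username, StringComparison.OrdinalIgnoreCase)
                    select r.RoleName).Distinct().ToArray();
        }
        public override bool IsUserInRole(string username, string roleName)
        {
            return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        // The remaining abstract members, implemented against the same three tables.
        public override string[] GetAllRoles() { return _db.Roles.Select(r => r.RoleName).ToArray(); }
        public override bool RoleExists(string roleName) { return FindRole(roleName) != null; }
        public override string[] GetUsersInRole(string roleName)
        {
            var role = FindRole(roleName);
            if (role == null) return new string[0];
            return (from ur in _db.UserRoles where ur.RoleId == role.RoleId
                    join u in _db.Users on ur.UserId equals u.UserId select u.UserName).ToArray();
        }
        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            return GetUsersInRole(roleName).Where(n => n.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0).ToArray();
        }
        public override void CreateRole(string roleName)
        {
            if (RoleExists(roleName)) throw new ProviderException("Role already exists.");
            _db.Roles.Add(new Role { RoleId = _db.Roles.Count == 0 ? 1 : _db.Roles.Max(r => r.RoleId) + 1, RoleName = roleName });
        }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
        {
            var role = FindRole(roleName);
            if (role == null) return false;
            if (throwOnPopulatedRole && _db.UserRoles.Any(ur => ur.RoleId == role.RoleId)) throw new ProviderException("Role still has members.");
            _db.UserRoles.RemoveAll(ur => ur.RoleId == role.RoleId); // drop the link rows first
            return _db.Roles.Remove(role);
        }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames)
        {
            foreach (var user in usernames.Select(n => FindUser(n)))
                foreach (var role in roleNames.Select(n => FindRole(n)))
                {
                    if (user == null || role == null) throw new ProviderException("Unknown user or role.");
                    if (!_db.UserRoles.Any(ur => ur.UserId == user.UserId && ur.RoleId == role.RoleId))
                        _db.UserRoles.Add(new UserRole { UserId = user.UserId, RoleId = role.RoleId });
                }
        }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
        {
            var userIds = usernames.Select(n => FindUser(n)).Where(u => u != null).Select(u => u.UserId).ToList();
            var roleIds = roleNames.Select(n => FindRole(n)).Where(r => r != null).Select(r => r.RoleId).ToList();
            _db.UserRoles.RemoveAll(ur => userIds.Contains(ur.UserId) && roleIds.Contains(ur.RoleId));
        }

        private User FindUser(string n) { return _db.Users.FirstOrDefault(u => string.Equals(u.UserName, n, StringComparison.OrdinalIgnoreCase)); }
        private Role FindRole(string n) { return _db.Roles.FirstOrDefault(r => string.Equals(r.RoleName, n, StringComparison.OrdinalIgnoreCase)); }
    }
}
```

With the provider registered this way, [Authorize] and [Authorize(Roles = "Admin")] need no custom attribute or ActionFilter: the framework asks whichever RoleProvider is current, and the schema behind it stays yours. The `<location>` exemptions from the question are still needed, since the authorization rules in web.config apply to the Content and Account paths before any controller runs, which is also why an unauthenticated request for the CSS file is otherwise redirected to the login page.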