MVC newbie question: I’ve got my project up & running, and all working fine. Now I want to start restricting access to certain views – and even whole controllers. I know that the VS 2010 package comes with a standard, built-in security module, including a little shrink-wrapped database that stores your usernames and passwords for you, lest – Heaven forfend! – you use a non-standard approach.
Well, I don’t want to use the built-in security. I’ve got my own user tables, and I know how to encrypt the passwords myself, thank you very much. All I want to do is have a login method, and if I determine that the login was successful, then I want to set the session as authenticated, and allow the user to access the restricted views. Shouldn’t be too difficult, right?
I’ve Googled for MVC security; the problem is not lack of information, but rather too much of it… so if anyone can just cut through my personal OutOfMemoryException and give me a “Quick Start” applicable to my situation, I’d really appreciate it…
One of the nice things about ASP.NET is that it is very extensible. Yes, the default model for authentication and authorization is to use the ASP.NET provided membership tables (either in a separate database or added to your own). Luckily, there is a way around that.
The easiest (and proper) way to achieve what you’re looking to do is to create a custom MembershipProvider that uses your existing database. Doing so will allow you to plug your custom authentication logic into the existing ASP.NET MVC authorization framework which means you can still control access to your Actions via attributes in your Controllers:
MSDN – Implementing a Membership Provider