Get flash to fully experience Pearltrees
I continue to be pleased with the many plug-points within ASP.NET. Recently, I had a student with an interesting ASP.NET security challenge. He wanted to use integrated windows authentication, but wanted to assign custom roles for the windows principals. He was building an intranet site.
2 Aug 20 June 2012 Update: Removed prerelease code 20 June 2012 Update: Cookieless Session and Authentication not supported in ASP.NET MVC. Executive Overview You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions.
Say you want to apply an action filter to every action except one. How would you go about it? For example, suppose you want to apply an authorization filter to every action except the action that lets the user login. Seems like a pretty good idea, right? Currently, it takes a bit of work to do this. If you add a filter to the GlobalFilters.Filters collection, it applies to every action, which in the previous scenario would mean you already need to be authorized to login.
Executive Overview You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the [ Authorize ] attribute to each controller and action method (except for the login/register methods). Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities. In ASP.NET MVC 2, it was recommended that you create a base controller with an [ Authorize ] attribute, and derive each controller (except the Account/Login controller) from that base class. That strategy has one big flaw: nothing prevents you from adding a new controller that doesn't derive from the [ Authorize ] protected base controller.