Security Auth

< < < < <

Get flash to fully experience Pearltrees

I continue to be pleased with the many plug-points within ASP.NET. Recently, I had a student with an interesting ASP.NET security challenge. He wanted to use integrated windows authentication, but wanted to assign custom roles for the windows principals. He was building an intranet site.

http://weblogs.asp.net/bhickman/archive/2003/02/07/2018.aspx

Custom roles for WindowsPrincipals in ASP.NET - Ben Hickman's Blog

Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute - RickAndMSFT on Azure & MVC

http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx

2 Aug 20 June 2012 Update: Removed prerelease code 20 June 2012 Update: Cookieless Session and Authentication not supported in ASP.NET MVC. Executive Overview You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions.

Custom Authorization in the ASP.NET MVC Framework and Authorize Attribute

ASP.Net MVC3 user authentication tutorials

c# - Is it possible to override the default behavior of [Authorize] in ASP.NET MVC

How to Extend/Architect the ASP.NET MVC 3 Authorize Attribute to Handle This Scenario

Conditional Filters in ASP.NET MVC 3

http://haacked.com/archive/2011/04/25/conditional-filters.aspx

Say you want to apply an action filter to every action except one. How would you go about it? For example, suppose you want to apply an authorization filter to every action except the action that lets the user login. Seems like a pretty good idea, right? Currently, it takes a bit of work to do this. If you add a filter to the GlobalFilters.Filters collection, it applies to every action, which in the previous scenario would mean you already need to be authorized to login.

Executive Overview You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the [ Authorize ] attribute to each controller and action method (except for the login/register methods). Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities. In ASP.NET MVC 2, it was recommended that you create a base controller with an [ Authorize ] attribute, and derive each controller (except the Account/Login controller) from that base class. That strategy has one big flaw: nothing prevents you from adding a new controller that doesn't derive from the [ Authorize ] protected base controller.

Securing your ASP.NET MVC 3 Application - Ricka on MVC and related Web Technologies

http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx