Area level security for asp.net mvc

I know it is possible to decorate a controller with the Authorize attribute to control access, what I don't know is the accepted or proper way to enforce security across all the controllers/views in an Area.

Is there something in web.config, area registration or some other place to apply authorization security?

keithwarren7 asked Jan 04 '11 19:01



2 Answers

A convenient way is to create a new base class

using System.Web.Mvc;

// Abstract so it is never routed to directly; the attribute is inherited by every subclass.
[Authorize]
public abstract class AuthorizeBaseController : Controller
{
}

and make sure that all of your controllers for which you require authorization (in your case, everything in the area that you're concerned about) descend from AuthorizeBaseController.

public class HomeController : AuthorizeBaseController
{
  public ActionResult Index()
  {
    return View();
  }
}

The [Authorize] attribute should affect all of the descendants of the new base class.

Edit: The issue that I have with using the <location path="" > approach is that, since the routing engine makes it possible for any route to call any controller, setting authorization based on the URL (and thus a specific route) instead of the controller actions makes it possible to call a controller that should be protected and skip the authorization. That wasn't an issue in WebForms since a page was a page (and not a method call), but the separation between page/path and code in MVC makes this a huge security hole.

3Dave answered Oct 06 '22 01:10


The only safe way of doing this in an MVC application is to do what David suggests - attributing a base controller and having all controllers in the area subclass that base controller.

Using a <location> tag for authorization in MVC will open security holes in your application. You're not interested in securing URLs or routes. You want to secure the controllers themselves, since they're the actual resources you're trying to protect. Therefore the protections need to be placed directly on the controllers.

Furthermore, remember that an area is really just a fancy way of grouping routes, not controllers. Trying to use fancy logic to detect the current area and infer authorization settings will also open security holes in your application.

Levi answered Oct 06 '22 00:10
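Both answers rely on every controller in the area actually inheriting the attributed base class, and nothing in MVC enforces that. The following is an added example, not code from either answer: a reflection check that lists concrete controllers under an area namespace which carry no [Authorize] (directly or inherited), so a forgotten base class can be caught at startup. The namespace MyApp.Areas.Admin and the controller names are assumed.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

namespace MyApp.Areas.Admin.Controllers
{
    // The pattern from the answers: every controller in the area inherits [Authorize].
    [Authorize]
    public abstract class AuthorizeBaseController : Controller { }

    public class HomeController : AuthorizeBaseController
    {
        public ActionResult Index() { return View(); }
    }

    // Hypothetical controller added later by someone who forgot the base class;
    // routing can still reach it, so it is exactly what the guard below catches.
    public class ReportsController : Controller
    {
        public ActionResult Index() { return View(); }
    }
}

namespace MyApp
{
    public static class AreaAuthorizationCheck
    {
        // Returns the full names of concrete controllers under areaNamespace that have
        // no [Authorize] (or an attribute derived from it), applied directly or inherited.
        public static string[] FindUnprotectedControllers(Assembly assembly, string areaNamespace)
        {
            return assembly.GetTypes()
                .Where(t => !t.IsAbstract
                         && typeof(IController).IsAssignableFrom(t)
                         && t.Namespace != null
                         && t.Namespace.StartsWith(areaNamespace, StringComparison.Ordinal)
                         && !t.IsDefined(typeof(AuthorizeAttribute), inherit: true))
                .Select(t => t.FullName)
                .OrderBy(n => n)
                .ToArray();
        }
    }
}
```

Calling FindUnprotectedControllers(typeof(MvcApplication).Assembly, "MyApp.Areas.Admin") from Application_Start and throwing when the array is non-empty turns a missing base class into a startup failure rather than an exposed controller; with the sample types above it returns only MyApp.Areas.Admin.Controllers.ReportsController.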