Menu
I'm working on a site that uses Forms Authentication. I was interested in how the authentication system was working, since when I initially open any page in the site, it redirects me to a login, and none of the controllers/actions have any authorization logic placed in them.
Websites web.config Technology: MVC 3, Entity Framework 4.1 (Code first), ASP.NET 4
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Index" timeout="2880" />
</authentication>
<membership defaultProvider="CodeFirstMembershipProvider">
<providers>c
<clear />
<add name="CodeFirstMembershipProvider" type="Vanguard.AssetManager.Services.Security.MembershipService" applicationName="/" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="CodeFirstRoleProvider">
<providers>
<clear />
<add name="CodeFirstRoleProvider" type="Vanguard.AssetManager.Services.Security.RoleService" applicationName="/" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
</system.web>
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Content/packages">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Home">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="CheckIn">
<system.web>
<authorization>
<allow roles="CheckIn, Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Assignment">
<system.web>
<authorization>
<allow roles="Assignment, Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<configuration>
The site uses MVC areas, which I assume is what the section refers to.
226
The Authorize Attribute In ASP.NET MVC, any incoming request is bound to a controller/method pair and served. This means that once the request matches a supported route and is resolved to controller and method, it gets executed no matter what.
Forms authentication flow: When a user requests a page for the application, ASP.NET checks session cookie. If the cookie exists and valid, ASP.NET assumes the user is authenticated and processes the request. If session cookies does not exists or not valid then it redirect to login form.
Via the configuration below, does MVC or ASP.NET automatically determine if you're authenticated? (Like I said, there is no code in the controllers to "redirect" or make sure that the user is authorized.
Yes, it uses the <location> section in your web.config to allow only users that have the Admin role to access the /Admin/* path.
If ASP.NET handles this, in what situations do you need to authorize your actions/controllers? (i.e. [Authorize] attribute)
In ASP.NET MVC using the [Authorize] attribute is the prefered method to control which actions need authorization instead of using the <location> tag in your web.config as you did. The reason for this is that ASP.NET MVC uses routing and you shouldn't be hardcoding paths in your web.config which is what happens with the <location> section. So always use the [Authorize] attribute to decorate controllers/actions that require authentication.
How does forms authentication work? I'm especially interested in how the "authorization" is persisted? (i.e. cookies??)
Cookies, yes. You might also checkout the following article on MSDN which explains how Forms Authentication works.
126
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
