I've been working with ASP.net MVC for several years now. Most applications I've developed in the past have been accessed thru a link from a legacy web application. When users arrive on one of my applications, my application simply reads a cookie from the browser that indicates that the user was authenticated by the legacy application.
Now, I'm finally working on a brand-new web application that needs to be able to perform authentication and authorization. I'm sure I can make something work, but I want to know what today's best practices are.
From ASP.net WebForms, I am familiar with the MembershipProvider and RoleProvider classes. I also have a little bit of familiarity with Windows Identity Foundation (WIF).
However, when I look at the default ASP.net MVC 4 application, the "AccountController" class uses something called the WebSecurity class. I'm wondering if this is meant to deprecate the MembershipProvider and RoleProvider classes.
This should be a basic setup with username/password authentication provided by another server and role-based access to privileged resources.
What are the best practices for implementing these in ASP.net MVC 4 today?
Authentication has been in flux for the last few years and is stabilizing in Visual Studio 2013 on something called the ASP.NET Identity, which offers a claims based Identity approach. However, this is still in beta and not yet released.
In MVC4 in either VS2010 or 2012 (.NET 4 or 4.5), the default templates are based on the WebMatrix Web Pages technology's WebSecurity classes, which are in turn based on the SimpleMembershipProvider, which is itself based on MembershipProvider.
Let me say that again. WebSecurity uses MembershipProvider, however many of the newer features can only be used by casting the provider to an ExtendedMembershipProvider or by using the WebSecurity API.
You can still use the old SqlMembershipProvider that was used in ASP.NET or MVC3, or any of the other providers MS has released, such as the Universal Providers.
The key here is that all of these (except ASP.NET Identity) are based on Membership, and they all at some level just plug into the Membership API.
Membership, however, is really just about providing a database of users and the ability to validate credentials. Other than logging in, it has little to do with Authenticating the web page, or authorizing the web page. This is where FormsAuthentication or WindowsAuthentication (or others) come in, and these provide the implementations of IIdentity and IPrincipal, which are the basic building blocks upon which ASP.NET (and MVC) authentication are built.
When you use FormsAuthentication, it's basically just an IIdentity implementation. And when you use a RoleProvider, it's basically just an IPrincipal implementation.
These provide the tools in MVC to use the Authorize attribute to control access to pages, and provide the ability to use the User.IsInRole() method to determine the role a user is in.
"Claim-based authorization is a new model of authorization introduced in Windows Communication Foundation. This model addresses more scenarios than the popular role based security model (IIdentity, IPrincipal). This is useful when an application requires complex and fine grained control on expressing access control decisions."
A Guide to Claims-Based Identity and Access Control
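To make the layering in the answer above concrete, here is an added example (not code from the original question or answer) of the four pieces wired together in an MVC 4 project: Membership validates the credentials, FormsAuthentication issues the IIdentity in the auth cookie, the RoleProvider supplies the IPrincipal, and [Authorize] / User.IsInRole() consume it. It assumes web.config has `<authentication mode="Forms">`, a `<membership>` provider and `<roleManager enabled="true">` configured; with the MVC 4 template's SimpleMembership, `WebSecurity.Login(...)` performs the first two steps in one call. The LoginModel class and controller names are illustrative.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not from the original page. Assumes Forms authentication, a
// MembershipProvider and an enabled RoleProvider are configured in web.config.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Step 1: Membership only answers "are these credentials valid?".
        // It does not sign anyone in.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            // Step 2: FormsAuthentication turns that "yes" into an IIdentity, carried in
            // the encrypted and MAC'd .ASPXAUTH cookie that FormsAuthenticationModule
            // reads back on every later request.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            // Only follow local return URLs; an attacker-supplied returnUrl would
            // otherwise turn the login page into an open redirector.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        // Same message whether the user name or the password was wrong, so the
        // login form cannot be used to enumerate accounts.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}

// Step 3: the RoleProvider supplies the IPrincipal side. With roleManager enabled the
// framework's RoleManagerModule already wraps the FormsIdentity in a RolePrincipal;
// this handler spells out what that step does, and is the hook to change if roles
// should come from somewhere other than the configured RoleProvider.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest()
    {
        IIdentity identity = Context.User != null ? Context.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated)
            return;

        string[] roles = Roles.GetRolesForUser(identity.Name);
        Context.User = new GenericPrincipal(identity, roles);
    }
}

// Step 4: [Authorize] calls IPrincipal.IsInRole(). Unauthenticated callers get a 401,
// which FormsAuthentication turns into a redirect to the login page.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult Audit()
    {
        // Finer-grained checks inside an action use the same IPrincipal.
        if (!User.IsInRole("Auditor"))
            return new HttpUnauthorizedResult();
        return View();
    }
}
```

Note that nothing in the controllers depends on which Membership or Role provider is plugged in; swapping SqlMembershipProvider for SimpleMembershipProvider or the Universal Providers is a web.config change, which is exactly the decoupling the answer describes.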
Alternative: SimpleMembership
Since MVC5, ASP.NET Identity is the most recommended: http://www.asp.net/identity