Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Security and Access control in a MVC application

Tags:

security

model-view-controller

access-control

I have only recently started working with the MVC approach, so I suppose this is an easy one for you gurus here:

Where do I put access control?

  1. In a view? I don't want to have any logic besides switches and flags in my templates, so that sounds like the least viable option
  2. In the model? Should each business object decide what data it will reveal about itself based on who's asking?
  3. In the controller? That's where I have it now but it makes it hard to keep business rules consistent

Or is there another option?

like image 978
Tomas Kohl Avatar asked Nov 14 '08 20:11

Tomas Kohl

People also ask

How will you implement authentication and authorization in MVC?

For form authentication the user needs to provide his credentials through a form. Windows Authentication is used in conjunction with IIS authentication. The Authentication is performed by IIS in one of three ways such as basic, digest, or Integrated Windows Authentication.

Is MVC secure?

MVC provides a lot of infrastructure support for Forms Authentication. Forms authentication is highly customizable, you can customize everything from the sign in form, to where the credentials are stored and how those credentials are validated.

Why is MVC secure?

In the MVC world, the security is put inside the controller object. Because the interface to the customer is driven through the controller object, there is a single entry point and a single location for the security checks to be performed.

1 Answers

This will depend on what framework you're using as that and the language will dictate a lot of the tools you have available to you.

From a high level, you should have access security configured at points-of-entry. And you should double-check access security at every level that could be considered autonomous or reused from multiple parts of your application (who knows if security was checked by your co-worker's portal that uses your logic layer? etc.). The other thing to worry about is data security, and that belongs as close to your data as possible (so, yes to your #2 above, but understand that it's separate).

This is akin to the difference between application logic and domain logic, which I'm fond of talking about. If there is any logic that is specific to one particular application (web app compared to a windows service, or whatever) then that logic should be defined in that application only. If some logic crosses the boundary between applications (is reusable between applications) then it qualifies as domain logic and should be defined in your model. Your applications can make use of domain logic, but they should not own it.

like image 101
sliderhouserules Avatar answered Sep 19 '22 00:09

sliderhouserules
Sign in to Comment

Related questions

Why is it not a security hole that PostgreSQL by default stores user passwords in an MD5 hash?
how to secure and encrypt setting.xml paswords file in maven?
Secure way of storing Secret credentials
Securely storing auth token in React Frontend
How to find out if there is Javascript code that is listening to keyboard events?
Make secure connection with a nodejs server providing API on Android
How to get Linkedin OAuth working in Spring Boot
Flush & Reload cache side channel attack
Block user access to internals of a site using HTTP_REFERER
live asp.net web.config settings
Why can't a malicious site obtain a CSRF token via GET before attacking?
Are there more modern Membership/Security implementations than ASP.NET Membership Provider
How do I get the @RolesAllowed annotation to work for my Web application?
AccessController.doPrivileged
Generating the CSR using BouncyCastle API
Is it possible to store secrets on the stack in java?
Using DPAPI with Python?
Why the error 404 happens when I access *.mp4 file by HTTP?
What is the best way to protect sensitive data in the code?
Best way to avoid code injection in PHP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!