ASP.NET MVC Tutorial
ASP.NET MVC Useful Resources
Selected Reading
- ASP.NET MVC - Self-hosting
- ASP.NET MVC - Deployment
- ASP.NET MVC - Unit Testing
- ASP.NET MVC - Bootstrap
- ASP.NET MVC - Scaffolding
- ASP.NET MVC - Web API
- Nuget Package Management
- ASP.NET MVC - Data Annotations
- ASP.NET MVC - Razor
- ASP.NET MVC - Caching
- ASP.NET MVC - Security
- ASP.NET MVC - Validation
- ASP.NET MVC - Databases
- ASP.NET MVC - Model Binding
- ASP.NET MVC - Helpers
- ASP.NET MVC - Data Model
- ASP.NET MVC - Views
- ASP.NET MVC - Selectors
- ASP.NET MVC - Filters
- ASP.NET MVC - Actions
- ASP.NET MVC - Controllers
- ASP.NET MVC - Routing
- ASP.NET MVC - Life Cycle
- ASP.NET MVC - Getting Started
- ASP.NET MVC - Environment Setup
- ASP.NET MVC - Pattern
- ASP.NET MVC - Overview
- ASP.NET MVC - Home
ASP.NET MVC Useful Resources
Selected Reading
- Who is Who
- Computer Glossary
- HR Interview Questions
- Effective Resume Writing
- Questions and Answers
- UPSC IAS Exams Notes
ASP.NET MVC - Security
ASP.NET MVC - Security
In this chapter, we will discuss how to implement security features in the apppcation. We will also look at the new membership features included with ASP.NET and available for use from ASP.NET MVC. In the latest release of ASP.NET, we can manage user identities with the following −
Cloud
SQL database
Local Windows active directory
In this chapter, we will also take a look at the new identity components that is a part of ASP.NET and see how to customize membership for our users and roles.
Authentication
Authentication of user means verifying the identity of the user. This is really important. You might need to present your apppcation only to the authenticated users for obvious reasons.
Let’s create a new ASP.Net MVC apppcation.
Cpck OK to continue.
When you start a new ASP.NET apppcation, one of the steps in the process is configuring the authentication services for apppcation needs.
Select MVC template and you will see that the Change Authentication button is now enabled.
This is done with the Change Authentication button that appears in the New Project dialog. The default authentication is, Inspanidual User Accounts.
Authentication Options
When you cpck the Change button, you will see a dialog with four options, which are as follows.
No Authentication
The first option is No Authentication and this option is used when you want to build a website that doesn t care who the visitors are.
It is open to anyone and every person connects as every single page. You can always change that later, but the No Authentication option means there will not be any features to identify users coming to the website.
Inspanidual User Accounts
The second option is Inspanidual User Accounts and this is the traditional forms-based authentication where users can visit a website. They can register, create a login, and by default their username is stored in a SQL Server database using some new ASP.NET identity features, which we ll look at.
The password is also stored in the database, but it is hashed first. Since the password is hashed, you don t have to worry about plain-text passwords sitting in a database.
This option is typically used for internet sites where you want to estabpsh the identity of a user. In addition to letting a user create a local login with a password for your site, you can also enable logins from third parties pke Microsoft, Google, Facebook, and Twitter.
This allows a user to log into your site using their Live account or their Twitter account and they can select a local username, but you don t need to store any passwords.
This is the option that we ll spend some time with in this module; the inspanidual user accounts option.
Work and School Accounts
The third option is to use organizational accounts and this is typically used for business apppcations where you will be using active directory federation services.
You will either set up Office 365 or use Azure Active Directory Services, and you have a single sign-on for internal apps and Cloud apps.
You will also need to provide an app ID so your app will need to be registered with the Windows Azure management portal if this is Azure based, and the app ID will uniquely identify this apppcation amongst all the apppcations that might be registered.
Windows Authentication
The fourth option is Windows authentication, which works well for intranet apppcations.
A user logs into Windows desktop and can launch a browser to the apppcation that sits inside the same firewall. ASP.NET can automatically pick up the user s identity, the one that was estabpshed by active directory. This option does not allow any anonymous access to the site, but again that is a configuration setting that can be changed.
Let s take a look into the forms-based authentication, the one that goes by the name, Inspanidual User Accounts. This apppcation will store usernames and passwords, old passwords in a local SQL Server database, and when this project is created, Visual Studio will also add NuGet packages.
Now run this apppcation and when you first come to this apppcation you will be an anonymous user.
You won t have an account that you can log into yet so you will need to register on this site.
Cpck on the Register pnk and you will see the following view.
Enter your email id and password.
Cpck Register. Now, the apppcation will recognize you.
It will be able to display your name. In the following screenshot, you can see Hello, muhammad.waqas@outlook.com! is displayed. You can cpck on that and it s a pnk to a page where you can change the password.
You can also log off, shut down, reboot, come back a week later, and you should be able to log in with the credentials that you used earper. Now cpck on the log off button and it will display the following page.
Cpck again on the Log in pnk and you will go to the following page.
You can login again with the same credentials.
A lot of work goes on behind the scene to get to this point. However, what we want to do is examine each of the features and see how this UI is built. What is managing the logoff and the login process? Where is this information sorted in the database?
Let s just start with a couple of simple basics. First we will see how is this username displayed. Open the _Layout.cshtml from the View/Shared folder in the Solution explorer.
<!DOCTYPE html>
<html>
<head>
<meta charset = "utf-8" />
<meta name = "viewport" content = "width = device-width, initial-scale = 1.0">
<title>@ViewBag.Title - My ASP.NET Apppcation</title>
@Styles.Render("~/Content/css")
@Scripts.Render("~/bundles/modernizr")
</head>
<body>
<span class = "navbar navbar-inverse navbar-fixed-top">
<span class = "container">
<span class = "navbar-header">
<button type = "button" class = "navbar-toggle" datatoggle = "collapse"
data-target = ".navbar-collapse">
<span class = "icon-bar"></span>
<span class = "icon-bar"></span>
<span class = "icon-bar"></span>
</button>
@Html.ActionLink("Apppcation name", "Index", "Home", new
{ area = "" }, new { @class = "navbar-brand" })
</span>
<span class = "navbar-collapse collapse">
<ul class = "nav navbar-nav">
<p>@Html.ActionLink("Home", "Index", "Home")</p>
<p>@Html.ActionLink("About", "About", "Home")</p>
<p>@Html.ActionLink("Contact", "Contact", "Home")</p>
</ul>
@Html.Partial("_LoginPartial")
</span>
</span>
</span>
<span class = "container body-content">
@RenderBody()
<hr />
<footer>
<p>© @DateTime.Now.Year - My ASP.NET Apppcation</p>
</footer>
</span>
@Scripts.Render("~/bundles/jquery")
@Scripts.Render("~/bundles/bootstrap")
@RenderSection("scripts", required: false)
</body>
</html>
There is a common navigation bar, the apppcation name, the menu, and there is a partial view that s being rendered called _loginpartial. That s actually the view that displays the username or the register and login name. So _loginpartial.cshtml is also in the shared folder.
@using Microsoft.AspNet.Identity
@if (Request.IsAuthenticated) {
using (Html.BeginForm("LogOff", "Account", FormMethod.Post,
new { id = "logoutForm", @class = "navbar-right" })){
@Html.AntiForgeryToken()
<ul class = "nav navbar-nav navbar-right">
<p>
@Html.ActionLink("Hello " + User.Identity.GetUserName() + "!",
"Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })
</p>
<p>
<a href = "javascript:document.getElementById( logoutForm ).submit()">Logoff</a>
</p>
</ul>
}
}else{
<ul class = "nav navbar-nav navbar-right">
<p>@Html.ActionLink("Register", "Register", "Account", routeValues:
null, htmlAttributes: new { id = "registerLink" })</p>
<p>@Html.ActionLink("Log in", "Login", "Account", routeValues: null,
htmlAttributes: new { id = "loginLink" })</p>
</ul>
}
As you can see above, there are if/else statements. If we do not know who the user is, because the request is not authenticated, this view will display register and login pnks. The user can cpck on the pnk to log in or register. All this is done by the account controller.
For now, we want to see how to get the username, and that s inside Request.IsAuthenticated. You can see a call to User.Identity.GetUserName. That will retrieve the username, which in this case is ‘muhammad.waqas@outlook.com’
Authorization
Let s suppose that we have some sort of information which we want to protect from unauthenticated users. So let’s create a new controller to display that information, but only when a user is logged in.
Right-cpck on the controller folder and select Add → Controller.
Select an MVC 5 controller - Empty controller and cpck ‘Add’.
Enter the name SecretController and cpck ‘Add’ button.
It will have two actions inside as shown in the following code.
using System.Web.Mvc;
namespace MVCSecurityDemo.Controllers{
pubpc class SecretController : Controller{
// GET: Secret
pubpc ContentResult Secret(){
return Content("Secret informations here");
}
pubpc ContentResult PubpcInfo(){
return Content("Pubpc informations here");
}
}
}
When you run this apppcation, you can access this information without any authentication as shown in the following screenshot.
So only authenticated users should be able to get to Secret action method and the PubpcInfo can be used by anyone without any authentication.
To protect this particular action and keep unauthenticated users from arriving here, you can use the Authorize attribute. The Authorize attribute without any other parameters will make sure that the identity of the user is known and they re not an anonymous user.
// GET: Secret
[Authorize]
pubpc ContentResult Secret(){
return Content("Secret informations here");
}
Now run this apppcation again and specify the same URL http://localhost:54232/Secret/Secret. The MVC apppcation will detect that you do not have access to that particular area of the apppcation and it will redirect you automatically to the login page, where it will give you a chance to log in and try to get back to that area of the apppcation where you were denied.
You can see that it is specified in the return URL, which essentially tells this page that if the user logs in successfully, redirect them back to /secret/secret.
Enter your credentials and cpck ‘Log in’ button. You will see that it goes directly to that page.
If you come back to the home page and log off, you cannot get to the secret page. You will be asked again to log in, but if go to /Secret/PubpcInfo, you can see that page, even when you are not authenticated.
So, when you don t want to be placing authorization on every action when you re inside a controller where pretty much everything requires authorization. In that case you can always apply this filter to the controller itself and now every action inside of this controller will require the user to be authenticated.
using System.Web.Mvc;
namespace MVCSecurityDemo.Controllers{
[Authorize]
pubpc class SecretController : Controller{
// GET: Secret
pubpc ContentResult Secret(){
return Content("Secret informations here");
}
pubpc ContentResult PubpcInfo(){
return Content("Pubpc informations here");
}
}
}
But if you really want any action to be open, you can come override this authorization rule with another attribute, which is, AllowAnonymous.
using System.Web.Mvc;
namespace MVCSecurityDemo.Controllers{
[Authorize]
pubpc class SecretController : Controller{
// GET: Secret
pubpc ContentResult Secret(){
return Content("Secret informations here");
}
[AllowAnonymous]
pubpc ContentResult PubpcInfo(){
return Content("Pubpc informations here");
}
}
}
Run this apppcation and you can access the /Secret/PubpcInfo with logging in but other action will require authentication.
It will allow anonymous users into this one action only.
With the Authorize attribute, you can also specify some parameters, pke allow some specific users into this action.
using System.Web.Mvc;
namespace MVCSecurityDemo.Controllers{
[Authorize(Users = "ap.khan@outlook.com")]
pubpc class SecretController : Controller{
// GET: Secret
pubpc ContentResult Secret(){
return Content("Secret informations here");
}
[AllowAnonymous]
pubpc ContentResult PubpcInfo(){
return Content("Pubpc informations here");
}
}
}
When you run this apppcation and go to /secret/secret, it will ask you to log in because it is not the proper user for this controller.
Advertisements