Security is an important part of any web application, and two of its core components are authentication and authorization. Authentication is the process of verifying the identity of a user, while authorization determines which parts of the application that user is allowed to access.
In MVC we can implement both authentication and authorization with action attributes. One such attribute is the built-in Authorize attribute, which can be used for authentication as well as authorization.
Implementing Authentication in MVC application
ASP.NET applications offer several authentication options. Forms authentication and Windows authentication are the usual choices; Passport authentication was used in the past but is rarely used today. Authentication is configured with the <authentication> element in web.config.
The following configuration section is added by default to a new MVC application and enables forms authentication. It redirects every unauthenticated user to the login URL.
<authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
We can apply the Authorize attribute to action methods to restrict them to authenticated users only. The following restricts the Index() action method so that only authenticated users can access it.
[Authorize]
public ActionResult Index()
{
    return View();
}
Because the authorization filter runs before the other action filters, it can make authentication and authorization decisions before any action code executes.
We can also restrict every action of a controller to authenticated users by applying the attribute at the controller level, and then exclude specific action methods with the AllowAnonymous attribute.
[Authorize]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult About()
    {
        ViewBag.Message = "Your application description page.";
        return View();
    }

    // Opt this single action out of the controller-level Authorize attribute.
    [AllowAnonymous]
    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";
        return View();
    }
}
In the above example only the Contact() action method can be accessed by unauthenticated users.
MVC 5 adds a new filter type, authentication filters, which let us implement authentication in our application instead of relying on authorization filters for it. A custom authentication filter in MVC 5 implements the IAuthenticationFilter interface:
public interface IAuthenticationFilter
{
    void OnAuthentication(AuthenticationContext filterContext);
    void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext);
}
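The following is an added example of a filter implementing that interface; it is not code from the original article. The class name RequireAuthenticatedUserAttribute is an assumption. OnAuthentication rejects requests whose principal is not authenticated, and OnAuthenticationChallenge turns the resulting 401 into a redirect to the loginUrl from the <forms> element shown above. The types used (FilterAttribute, AuthenticationContext, HttpUnauthorizedResult, RedirectResult, FormsAuthentication.LoginUrl) are the real System.Web.Mvc and System.Web.Security APIs.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Security;

// Hypothetical example filter (not part of the original article): requires an
// authenticated principal and, when authentication fails, challenges the client
// by redirecting it to the forms-authentication login page.
public class RequireAuthenticatedUserAttribute : FilterAttribute, IAuthenticationFilter
{
    // Runs before authorization filters and action filters.
    public void OnAuthentication(AuthenticationContext filterContext)
    {
        var principal = filterContext.Principal;
        bool authenticated = principal != null
                             && principal.Identity != null
                             && principal.Identity.IsAuthenticated;

        if (!authenticated)
        {
            // Setting Result short-circuits the pipeline; the action never runs.
            // The challenge step below gets a chance to replace this bare 401.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    // Runs after OnAuthentication produced a Result (or after the action ran)
    // and lets the filter attach a challenge to the outgoing response.
    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            // Send the browser to the loginUrl configured in <forms loginUrl="..."/>
            // and pass the originally requested path so the login action can send
            // the user back. The login action must only honour a local ReturnUrl
            // (the default template checks Url.IsLocalUrl before redirecting).
            string returnUrl = filterContext.HttpContext.Request.RawUrl;
            string loginUrl = FormsAuthentication.LoginUrl
                              + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
            filterContext.Result = new RedirectResult(loginUrl);
        }
    }
}

// Usage (assumed): decorate a controller or a single action with
// [RequireAuthenticatedUser], exactly as [Authorize] is applied above.
```

Because authentication filters run before authorization filters, a filter like this can also replace filterContext.Principal (for example after validating a token) so that any Authorize attribute later in the pipeline sees the new identity.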
Implementing Authorization
The Authorize attribute performs authorization as well as authentication. We saw how to use it for authentication in the previous section; to perform authorization we use its named parameters, Roles and Users:
[Authorize(Roles = "admin", Users = "Mark,John")]
public ActionResult Admin(int id)
{
    return View();
}
The above restricts the Admin() action to the users Mark and John, and only if they are also in the admin role (both the Users and the Roles conditions must hold). This is called role-based authorization.
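As an added example that is not part of the original article, the class below derives from AuthorizeAttribute so the built-in Users/Roles check stays unchanged, but overrides HandleUnauthorizedRequest. The base class answers every failed check with a 401, and under forms authentication a 401 is rewritten into a redirect to loginUrl, so a signed-in user who merely lacks the role is sent to the login page. The override returns 403 in that case and keeps the login redirect only for users who are not authenticated at all. The attribute and controller names are assumptions; HttpStatusCodeResult and AuthorizationContext are the real System.Web.Mvc types.

```csharp
using System.Net;
using System.Web.Mvc;

// Hypothetical example (not from the original article): an Authorize attribute
// that distinguishes "not signed in" (401 -> login page) from
// "signed in but not permitted" (403 Forbidden).
public class AuthorizeWithForbiddenAttribute : AuthorizeAttribute
{
    // Called by the base class whenever AuthorizeCore returns false, i.e. the
    // user is unauthenticated or fails the Users/Roles conditions.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        bool authenticated = user != null
                             && user.Identity != null
                             && user.Identity.IsAuthenticated;

        if (authenticated)
        {
            // Authenticated but not authorized: answer 403 instead of the 401
            // that FormsAuthenticationModule would turn into a login redirect.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        // Not authenticated: keep the default 401 -> login redirect behaviour.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Controller-level usage: every action requires an authenticated user, the
// Admin action additionally requires the caller to be Mark or John AND to be
// in the "admin" role, and Status is opened up with AllowAnonymous.
[AuthorizeWithForbidden]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [AuthorizeWithForbidden(Roles = "admin", Users = "Mark,John")]
    public ActionResult Admin(int id)
    {
        return View();
    }

    [AllowAnonymous]
    public ActionResult Status()
    {
        return Content("ok");
    }
}
```

Role membership is evaluated through IPrincipal.IsInRole on the current user, so the role provider (or the claims on the identity) has to supply the "admin" role for the check to succeed; the attribute itself only compares names.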