.NET Tips and Tricks

A Best Practice for Authenticating Users in ASP.NET MVC 4

If your site has even one or two actions where access is restricted to particular users, the smart thing to do is to restrict access to all the actions on your site and then selectively permit access to those actions that all users are allowed to request. That way, an error of omission (forgetting to make a method available) simply prevents users from accessing some action.

Unfortunately, by default ASP.NET MVC works exactly the opposite way: all actions are accessible to all users unless you specifically restrict access by applying the Authorize action filter to the method. Under this scenario, an error of omission (forgetting to put an Authorize attribute on a method) allows all users access to the action. It's literally the worst thing that can happen in a secure environment: unauthenticated and unauthorized access to a resource that should have been secured.

Global Filters provided a solution to this by allowing you to apply the Authorize attribute to all of your action methods, locking non-authenticated users out of your actions by default. You can then selectively override that setting by applying the Authorize attribute to individual methods, naming the roles and users authorized to use that action. That works, unless you have some action methods that don't require authentication at all, methods intended to be accessible to the general public. In that scenario, you can't use Global Filters to secure all of your action methods -- until ASP.NET MVC 4.

Implementing the best practice is possible in ASP.NET MVC 4 with the new AllowAnonymous action filter. The first step is to use the Global Filters in the FilterConfig class in the App_Start folder to apply the Authorize attribute to every action method:

public class FilterConfig
{
  public static void RegisterGlobalFilters(GlobalFilterCollection filters)
  {
    // Registering AuthorizeAttribute globally denies anonymous access to every
    // action unless an action explicitly opts out.
    filters.Add(new AuthorizeAttribute());
  }
}

The next step is to selectively allow access to actions that don't require authentication by decorating them with the AllowAnonymous attribute:

[AllowAnonymous]
public ActionResult Get()
{
  // Anonymous callers may reach this action despite the global Authorize filter.
  return View();
}
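
As an added example (not code from the original post), the following C# puts the two pieces together and adds a reflection-based audit that lists every action the AllowAnonymous attribute exempts from the global filter, so the set of public actions can be reviewed against what is actually meant to be public. It assumes the System.Web.Mvc assembly is referenced; HomeController and AnonymousActionAudit are constructed for illustration.

```csharp
// Added example, not from the original post. Assumes System.Web.Mvc (ASP.NET MVC 4).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute()); // deny by default for every action
    }
}

// Constructed controller: one public action, one for any authenticated user, one for a role.
public class HomeController : Controller
{
    [AllowAnonymous]
    public ActionResult Index() { return View(); }      // intentionally public

    public ActionResult Dashboard() { return View(); }  // covered by the global filter

    [Authorize(Roles = "Admin")]
    public ActionResult Settings() { return View(); }   // narrowed further to a role
}

public static class AnonymousActionAudit
{
    // Returns "Controller.Action" for each action that AllowAnonymous (on the method
    // or on its controller) exempts from the global Authorize filter.
    public static IEnumerable<string> ListAnonymousActions(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(IController).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true))
                .Where(m => m.IsDefined(typeof(AllowAnonymousAttribute), true)
                         || t.IsDefined(typeof(AllowAnonymousAttribute), true))
                .Select(m => t.Name + "." + m.Name));
    }

    public static void Main()
    {
        // Run this in a build step or test so an unexpected entry is noticed before deployment.
        foreach (var action in ListAnonymousActions(typeof(HomeController).Assembly))
            Console.WriteLine("Anonymous access allowed: " + action);
    }
}
```

The audit only reports the exceptions; actions it does not list remain behind the global Authorize filter, which is the property the post argues for.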

Posted by Peter Vogel on 06/05/2013
