.NET Tips and Tricks

Blog archive

A Best Practice for Authenticating Users in ASP.NET MVC 4

If your site has even one or two actions where access is restricted to particular users, the smart thing to do is to restrict access to all the actions on your site and then selectively permit access to those actions that all users are allowed to request. That way, an error of omission (forgetting to make a method available) simply prevents users from accessing some action.

Unfortunately, by default ASP.NET MVC works exactly the opposite way: all actions are accessible to all users unless you specifically restrict access by applying the Authorization action filter to the method. Under this scenario, an error of omission (forgetting to put an Authorize attribute on a method) allows all users access to the action. It's literally the worst thing that can happen in a secure environment: unauthenticated and unauthorized access to a resource that should have been secured.

Global Filters provided a solution to this by allowing you to apply the Authorize attribute to all of your action methods, locking non-authenticated users out of your actions by default. You can then selectively override that setting by applying the Authorize attribute to individual methods, specifying specific roles and users authorized to use that action. That works, unless you have some action methods that don't require authentication, methods intended to be accessible to the general public. In that scenario, you can't use Global Filters to secure all of your action methods -- until ASP.NET MVC 4.

Implementing the best practice is possible in ASP.NET MVC 4 with the new AllowAnonymous action filter. The first step is to use the Global Filters in the FilterConfig class in the App_Start folder to apply the Authorize attribute to every action method:

public class FilterConfig
{
  public static void RegisterGlobalFilters(GlobalFilterCollection filters)
  {
    filters.Add(new AuthorizeAttribute);
  }
}

The next step is to selectively allow access to actions that don't require authentication by decorating them with the AllowAnonymous attribute:

[AllowAnonymous]
Public ActionResult Get()
{

Posted by Peter Vogel on 06/05/2013 at 7:36 PM


comments powered by Disqus

Featured

  • Move Over, Stack Overflow: Microsoft Launches Q&A for .NET

    Stack Overflow probably isn't worried, but Microsoft has launched its own Q&A site for all things .NET, seeking to provide a one-stop-shop for getting .NET technical questions answered by the community.

  • Developer Decries WinForms-to-Blazor Performance Degradation

    Since shipping .NET 5, Visual Studio 2019 v16.8 and more goodies recently, Microsoft has been touting speed improvements in many components -- including the red-hot Blazor project -- but some real-world developers are finding different results.

  • Google Cloud Functions Supports .NET Core 3.1 (but not .NET 5)

    Google Cloud Functions -- often used for serverless, event-driven projects -- now supports .NET, but the new support is a release behind Microsoft's latest .NET offering.

  • Binary Classification Using PyTorch: Model Accuracy

    In the final article of a four-part series on binary classification using PyTorch, Dr. James McCaffrey of Microsoft Research shows how to evaluate the accuracy of a trained model, save a model to file, and use a model to make predictions.

  • Visual Basic in .NET 5: Ready for WinForms Apps

    With the milestone .NET 5 and Visual Studio 2019 v16.8 releases now out, Microsoft is reminding Visual Basic coders that their favorite programming language enjoys full support and the troublesome Windows Forms Designer is even complete -- almost.

Upcoming Events