Reputation: 17814
How do I handle application security? using ActionFilterAttribute and/or SiteMap authorization..?
i created the following ActionFilterAttribute to check if a user is granted access to a page. I also created two custom Exceptions to handle different scenarios: NotLoggedInException and InsufficientPrivilegeException.
ActionFilterAttribute
Public Class ValidateAuthentication : Inherits ActionFilterAttribute
Private _page As BLL.Page
Public Sub New(ByVal Page As BLL.Page)
Me._page = Page
End Sub
Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
Select Case Me._page.IsAccessibleToUser(filterContext.HttpContext.User)
Case -1
Throw New NotLoggedInException()
Case 0
Throw New InsufficientPrivilegeException()
Case 1
//access granted
End Select
End Sub
End Class
I also have a custom SiteMapProvider where I implemented my own IsAccessibleToUser() function. So I also have securityTrimming.
SiteMapProvider
Public Overrides Function IsAccessibleToUser(ByVal context As System.Web.HttpContext, ByVal node As System.Web.SiteMapNode) As Boolean
Dim p As New BLL.Page
p.LoadFromSiteMapNode(node)
Select case p.IsAccessibleToUser(context.User)
Case 1
Return true
Case else
Return false
End Select
End Function
The questions:
- Where do I catch the exceptions to for instance redirect users if not authorized?
- Should I perhaps use the SiteMap authorization somewhere else instead of using the ActionFilterAttribute and throwing Exceptions..?
note: as you can see I'm using a custom class for BLL.Page. This is a ORM page which has Role based security stored in the database. SiteMap is also populated based on this data
Upvotes: 1
Views: 1543
Answers (1)
Reputation: 126587
Do not reinvent AuthoriazeAttribute. Your version won't handle cached actions; the built in AuthorizeAttribute will. If you need to customize your authentication, then customize the membership provider or subtype AuthorizeAttribute, rather than reinventing MVC security.
Upvotes: 4
Related Questions
- ASP.NET MVC Authorization Filter
- How implement security with the mvcSiteMapProvider?
- ASP.NET MVC SiteMap and/or Security Trimming
- Handling Security in Asp.net MVC pages with ActionFilters and sessions
- How to restrict access to certain actions in controller in ASP.net MVC
- ActionFilterAttribute for Authorization
- Enforce security check in ASP.NET MVC?
- ASP.NET MVC application security
- Site Security/Access management for asp.net mvc application
- Handling mvc security...override membership provider, action filter, or something else? Not sure how to handle this