mare

Reputation: 13083

Comprehensive security solution for ASP.NET MVC app

If you were planning and preparing for a big ASP.NET MVC project, how would you approach it to design and build a comprehensive, extensible and maintainable security solution that requires

If you were to estimate the time and effort to produce this and had to issue a quote to the client, what would it be? You don't have to give a number in money, only billable hours.

Upvotes: 1

Views: 630

Answers (1)

jgauffin

Reputation: 101150

You don't have to give a number in money, only billable hours.

You want someone to do your work for free? Come on...

Authorization

Anyway, I would use Code Access Security and impersonation to implement security in all my services. Check the PrincipalPermission attribute.

Controller/Action level

As for MVC, simply use the Authorize attribute to provide authorization. Derive from it to provide more fine-grained control.

Security trimming

if (System.Threading.Thread.CurrentPrincipal.IsInRole("Administrator"))
{
   // show menu item
}

Item level

Not possible with default MVC implementation. You need to do a manual check in your actions.

// deny access when the current principal lacks the role this item requires
if (!System.Threading.Thread.CurrentPrincipal.IsInRole(item.RequiredRole))
  return View("AccessDenied", null); // return the access-denied view

Authentication

I don't know what kind of users you got. Are all registered in an AD domain? Then use Windows Authentication to authenticate your users. It's just an IIS setting.

Upvotes: 3
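
An added example, not part of the original answer: one way to combine the controller/action-level and item-level checks described above, with a derived Authorize attribute that answers 403 for a signed-in user who lacks the role instead of sending them back to the login page. `RoleAuthorizeAttribute`, `Document`, `IDocumentStore` and `DocumentsController` are hypothetical names, and constructor injection of the store is assumed to be wired up by the application.

```csharp
using System.Web.Mvc;

// Hypothetical derived attribute. The role check itself is inherited from
// AuthorizeAttribute; only the failure handling changes.
public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Signed in but missing the role: forbidden, not "please log in".
            filterContext.Result = new HttpStatusCodeResult(403);
        }
        else
        {
            // Anonymous: keep the default 401 so the login flow starts.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Hypothetical item type and data access abstraction.
public class Document { public int Id; public string RequiredRole; }
public interface IDocumentStore { Document Find(int id); }

[RoleAuthorize] // controller level: every action needs an authenticated user
public class DocumentsController : Controller
{
    private readonly IDocumentStore _store;
    public DocumentsController(IDocumentStore store) { _store = store; }

    [RoleAuthorize(Roles = "Administrator")] // action level: role required
    public ActionResult Manage() { return View(); }

    public ActionResult Details(int id)
    {
        Document item = _store.Find(id);
        if (item == null) return HttpNotFound();

        // Item level: the attribute cannot see the item, so check in the action.
        if (!User.IsInRole(item.RequiredRole))
        {
            Response.StatusCode = 403;
            return View("AccessDenied");
        }
        return View(item);
    }
}
```

Hiding a menu item is only presentation; the attribute and the in-action check are what enforce access on the server when a URL is requested directly.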
