Wednesday, December 9, 2009

Implementing Custom Security in ASP.NET MVC framework

Securing a web site, page by page, is one of the most critical tasks a developer has to accomplish, and it has to be done right. In ASP.NET MVC, we are given membership and role providers to implement security. We can also use authorization attributes, and write our own, to lock down controller actions.

Security can be broken down into two aspects. The first is authentication: validating that you are who you say you are. This is typically done by checking a username and password against a common repository. The second is authorization: deciding which actions you, as an authenticated user, are allowed or denied on a given website or web page.

The ASP.NET MVC framework allows custom membership (authentication) and role (authorization) providers. Although this is fine for most applications, creating or editing roles can require a recompile of the whole application and a redeployment. To get around this, you can create another layer, call it Context (or Features) if you will, and associate each role with multiple features. Controller actions are then locked to a feature rather than to a role, so granting a feature to a new role becomes a data change instead of a code change.
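The following is an added example of that extra layer, written for this post and not taken from the CodePlex sample. It keeps authentication with the membership provider and adds a `FeatureAuthorizeAttribute` that asks a role-to-feature mapping whether any of the current user's roles grants the requested feature. The `IFeatureRepository` interface, the `InMemoryFeatureRepository` class, and the role and feature names ("Administrator", "Orders.Edit", and so on) are all constructed for illustration; in a real application the mapping would live in a database or configuration so it can change without a recompile.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical contract for the role -> feature mapping. A real
// implementation would read from a database or config file so the
// mapping can be edited without redeploying the site.
public interface IFeatureRepository
{
    IEnumerable<string> GetFeaturesForRole(string roleName);
}

// Constructed in-memory mapping, used only to demonstrate the idea.
public class InMemoryFeatureRepository : IFeatureRepository
{
    private readonly Dictionary<string, HashSet<string>> _map =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Administrator", new HashSet<string> { "Orders.View", "Orders.Edit", "Users.Manage" } },
            { "Clerk",         new HashSet<string> { "Orders.View", "Orders.Edit" } },
            { "Auditor",       new HashSet<string> { "Orders.View" } }
        };

    public IEnumerable<string> GetFeaturesForRole(string roleName)
    {
        HashSet<string> features;
        return _map.TryGetValue(roleName, out features) ? features : Enumerable.Empty<string>();
    }
}

// Authorization attribute that locks an action to a feature instead of a
// role. It denies by default: an unauthenticated user, or one whose roles
// do not grant the feature, is refused and gets the usual login redirect.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class FeatureAuthorizeAttribute : AuthorizeAttribute
{
    // Resolved statically for brevity; swap in your IoC container of choice.
    public static IFeatureRepository Repository = new InMemoryFeatureRepository();

    public string Feature { get; private set; }

    public FeatureAuthorizeAttribute(string feature)
    {
        if (string.IsNullOrEmpty(feature))
            throw new ArgumentException("A feature name is required.", "feature");
        Feature = feature;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Authentication stays with the membership provider.
        if (!httpContext.User.Identity.IsAuthenticated)
            return false;

        // Authorization: any one of the user's roles may grant the feature.
        string[] roles = Roles.GetRolesForUser(httpContext.User.Identity.Name);
        return roles.Any(role =>
            Repository.GetFeaturesForRole(role)
                      .Contains(Feature, StringComparer.OrdinalIgnoreCase));
    }
}

// Usage on a controller (constructed). The action names a feature, so
// granting "Orders.Edit" to a new role is a change to the mapping data,
// not to this code.
public class OrdersController : Controller
{
    [FeatureAuthorize("Orders.View")]
    public ActionResult Index() { return View(); }

    [FeatureAuthorize("Orders.Edit")]
    public ActionResult Edit(int id) { return View(); }
}
```

Two design points worth noting: the attribute overrides `AuthorizeCore` rather than `OnAuthorization`, so the base class still handles the unauthorized response, and the check fails closed, so an unknown role or an empty mapping grants nothing.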

I have done a sample application and published it on CodePlex. You can find the link here.

Let me know if/when you check it out and what you think about it. Thanks for reading and happy coding!