
I have been doing a lot of research on the best way to secure my MVC 5 application.

We have one Web.csproj with many WebAPI Controllers and also an MVC site with two areas - one for Admin and then the public facing website.

After reading this article which states that the Base Controller is best way, I decided to go with that approach.

However, I am personally not OK with the use of base controllers (see this stackoverflow answer for some of my reasoning).

So, given that I am using MVC 5 (ASP.Net Identity and OWIN Authentication) - can anyone shed some light on the pros and cons of each approach?

JTech
  • Doesn't this article show how to use global filters? I believe base controllers were recommended for MVC 1 and 2... – dima Apr 16 '14 at 16:20
  • @dima Yes, you're right... I got confused with the following quote at the bottom of the article: "Let me be perfectly clear on this. The only supported way of securing your MVC application is to have a base class with an [Authorize] attribute, and then to have each controller type subclass that base type. Any other way will open a security hole." However, I think that was said in the context of attempting to secure an MVC app via Route Constraints... a serious 'no-no'. – JTech Apr 17 '14 at 16:13
  • He is right in some way, only it's supposed to say that in regard to global filters... I don't see why you would not take advantage of global filters and make the whole site secure and only allow anonymous access for certain actions like Login, Register, etc. – dima Apr 17 '14 at 16:20
  • So to answer your question: neither a base controller nor putting the Authorize attribute on every single controller or action... global filters are the way to go these days... you don't need to invent something that is already there. – dima Apr 17 '14 at 16:23

2 Answers


The current practice in MVC 5 is to apply the AuthorizeAttribute as a global filter, and open up individual actions/controllers with the AllowAnonymousAttribute.

So in App_Start\FilterConfig.cs add the following lines:

    using System.Web;
    using System.Web.Mvc;

    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            // ... existing filters stay here

            // deny by default: use the [AllowAnonymous] attribute to open up individual Actions/Controllers
            filters.Add(new System.Web.Mvc.AuthorizeAttribute());
            // reject/redirect plain-HTTP requests so the auth cookie is never sent in the clear
            filters.Add(new RequireHttpsAttribute());
        }
    }

Note: for good measure I have also added the RequireHttpsAttribute, as every authenticated request with ASP.Net Identity carries the auth cookie, which is vulnerable to man-in-the-middle attacks if carried over regular HTTP.

Rudi

I would always use a base controller, for more reasons than just authentication and authorization...

To get to your question, what we ended up doing was rolling our own custom authorisation attributes with complex rules that all inherit from AuthorizeAttribute. It's pretty simple: all you do is inherit from the given attribute and then overwrite the OnAuthorization and AuthorizeCore methods.

Generally, all our controllers do not allow anonymous access, based on our baseController class. From there it gets as complicated as needed. But it always makes sense to use a base class for things like this and build on top of that. If you ever need to make a very wide system change quickly, you tap it into the baseClass and that's it.

spaceman
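Combining the two answers, here is an added example (my own code, not from either answer or from the MVC framework) of a custom attribute that inherits from AuthorizeAttribute as spaceman describes and can be registered as a global filter exactly like Rudi's `filters.Add(...)` line. The AreaAuthorizeAttribute name, the "<Area>Access" role convention and the DashboardController are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;

// Assumed rule (not from either answer): an action or controller tagged with an
// Area name requires the caller to hold the role "<Area>Access".
public sealed class AreaAuthorizeAttribute : AuthorizeAttribute
{
    public string Area { get; set; }

    // Only the decision is customised. OnAuthorization is left alone on purpose:
    // the base version honours [AllowAnonymous] and also registers the output-cache
    // validation callback that stops a cached authorised page being served to others.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: authenticated, plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // No area rule configured: behave exactly like [Authorize].
        if (string.IsNullOrEmpty(Area))
            return true;

        // Deny by default; an explicit per-area role is required.
        return httpContext.User.IsInRole(Area + "Access");
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A signed-in user who fails the rule gets 403 rather than a redirect to the
        // login page, which for an authenticated user would just bounce straight back.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Hypothetical Admin-area controller: locked to the "AdminAccess" role as a whole,
// with one action opened selectively via [AllowAnonymous].
[AreaAuthorize(Area = "Admin")]
public class DashboardController : Controller
{
    public ActionResult Index() { return View(); }

    [AllowAnonymous]
    public ActionResult Status() { return Content("ok"); }
}
```

Registering `new AreaAuthorizeAttribute()` globally (with no Area set) gives the same deny-by-default baseline as Rudi's filter, while the per-controller instance adds the area rule on top.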