I have an ASP.NET MVC 4 application with controllers like HomeController, ContactController, etc., that match the regular website pages (views).

I also have a special controller called LogicController; in this controller I have all my business logic in the form of functions and procedures that usually return JSON objects.

I consume this logic by using jQuery Ajax calls to /Logic/FunctionName.

So for example if I want to get a list of all customers I will consume /Logic/GetCustomerList, which in turn returns a list of customers in JSON format.

$.ajax({
    type: "POST",
    url: "/Logic/GetCustomerList",
    async: true
});

Nothing new here.

Now if in my web browser I navigate to www.mywebsite.com/Logic/GetCustomerList, I, as suspected, get a list of customers (JSON) rendered in the browser.

So my question is: how can I protect access to this controller, so that only calls from within the application (via jQuery Ajax) can hit the controller, but "external" or direct calls like in this case are rejected?

ekad
IGIT
  • This is not how I would arrange things. But can't you just use the `[httpPost]` attribute on your method to make it limited to post operations? – Jonathan Wood Apr 08 '15 at 17:19
  • You can try to utilize the antiforgery token http://stackoverflow.com/questions/14473597/include-antiforgerytoken-in-ajax-post-asp-net-mvc – Paritosh Apr 08 '15 at 17:22
  • See [this](http://stackoverflow.com/questions/6558758/is-there-any-attribute-relating-to-ajax-to-be-set-for-asp-net-mvc-controller-act) – Iswanto San Apr 08 '15 at 17:22
  • Have a look at this http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx – Reena Apr 08 '15 at 17:32
  • I thought there was an easy way to protect business logic code in MVC. It looks like by default anyone can make arbitrary calls to business logic then? – IGIT Apr 08 '15 at 17:56
  • Perhaps I am doing this the wrong way? I think what I should ideally have is an external Web API and perform Authentication and Authorization instead of having business logic crammed inside a controller in the same application ??? – IGIT Apr 08 '15 at 18:43

2 Answers

0

In addition, if only a logged-in user can access this method, you could decorate it with

[Authorize]

Or you could decorate the entire class with this attribute if all the actions should only be accessible to logged-in users.

KDizzle
0

Here is a simple way of ensuring your action is only accessible to an Ajax call (at least to anyone without technical knowledge of how to create a manual HTTP call):

using System.Reflection;   // MethodInfo
using System.Web.Mvc;

// Action method selector: the action is only considered a match when the
// request carries the "X-Requested-With: XMLHttpRequest" header that
// jQuery adds to its Ajax calls (that is what Request.IsAjaxRequest() checks).
public class AjaxOnlyAttribute : ActionMethodSelectorAttribute
{
    public override bool IsValidForRequest(
        ControllerContext controllerContext, 
        MethodInfo methodInfo)
    {
        return controllerContext.HttpContext.Request.IsAjaxRequest();
    }
}

And now you can simply decorate your action methods with the new attribute:

[AjaxOnly]
public ActionResult DoStuff()
{
    //snip
}
DavidG
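The two answers and the comments on the question each cover one layer ([Authorize], [HttpPost], the anti-forgery token, the AjaxOnly selector). The following is an added example, not code from either answer, showing how a LogicController action would look with all of them applied at once. The Customer model and the sample data are constructed for the example; the AjaxOnlyAttribute is the one from the second answer, reproduced so the file compiles on its own.

```csharp
// Added example: one action on LogicController protected by the attributes
// discussed on this page. Only AjaxOnlyAttribute is custom; the rest ship
// with ASP.NET MVC 4.
using System.Collections.Generic;
using System.Reflection;
using System.Web.Mvc;

// Selector from the second answer. It inspects the client-supplied
// "X-Requested-With: XMLHttpRequest" header, so it filters out casual
// address-bar requests but is not an authorization check on its own;
// [Authorize] and [ValidateAntiForgeryToken] below do that work.
public class AjaxOnlyAttribute : ActionMethodSelectorAttribute
{
    public override bool IsValidForRequest(
        ControllerContext controllerContext,
        MethodInfo methodInfo)
    {
        return controllerContext.HttpContext.Request.IsAjaxRequest();
    }
}

// Hypothetical model, constructed for this example.
public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// [Authorize] on the class: every action requires an authenticated user;
// anonymous requests are redirected to the login page (or get 401).
[Authorize]
public class LogicController : Controller
{
    // [HttpPost]: a GET no longer matches any action, so navigating to
    // /Logic/GetCustomerList in the browser returns 404 instead of JSON.
    // [ValidateAntiForgeryToken]: the POST must carry the
    // __RequestVerificationToken form field that matches the anti-forgery
    // cookie, which a page outside this application cannot obtain.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [AjaxOnly]
    public JsonResult GetCustomerList()
    {
        // Constructed sample data; a real action would query a repository.
        var customers = new List<Customer>
        {
            new Customer { Id = 1, Name = "Alice" },
            new Customer { Id = 2, Name = "Bob" }
        };

        // Json(data) defaults to JsonRequestBehavior.DenyGet, which is a
        // further reason GET requests to this action will not return data.
        return Json(customers);
    }
}
```

On the view side, render @Html.AntiForgeryToken() in the Razor page and include the value of the generated __RequestVerificationToken input in the data of the $.ajax POST shown in the question; without it, [ValidateAntiForgeryToken] rejects the call with an HttpAntiForgeryException. The asker's current action presumably returns Json(..., JsonRequestBehavior.AllowGet), since a plain GET rendered the list in the browser; dropping AllowGet is the smallest first step.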