0

Within an MVC5 app we have introduced a security model which will authorise the user logged in against the requested Url. I have been looking at ways to auto generate a list of available Urls within the application on start up.

I first entertained the idea of using reflection to build up relative Urls from the area/controller/action names similar to this post

This will work if all the urls match the standard convention within MVC however; we have some routes that do not match this convention so an auto scan using reflection will not cover all grouds.

Is there a way (on application_start event) I can possibly use the route table to determine what Urls are available?

Note:

I understand the Http Context is not yet available at this point but I do not need the whole Url, only the relative url after the domain.

Community
  • 1
  • 1
Andy Clark
  • 3,363
  • 7
  • 27
  • 42
  • Routing only works with constraints. There can be infinite URLs that matches to these URLs. Also there can be two actions that will respond the same URL(GET and POST) if you want to go with the Reflection route. I think you should define permissions for each action and model your security around them. – Ufuk Hacıoğulları Aug 14 '15 at 08:38
  • What you have "introduced" is a potential security flaw, since when using .NET routing there is no guarantee that only 1 URL will be able to access a resource. MVC security is based on the [AuthorizeAttribute](https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx) because it is the only way to lock down the resource (controller action method) at its source, regardless of the URL that it is accessed through. – NightOwl888 Aug 14 '15 at 11:33

0 Answers0