ASP.NET MVC security best practice -- Add Authorize attribute for controller instead of individual actions when appropriate

Recently I was going through an ASP.NET MVC web application's source and noted that in some of the Controllers all of its Actions required authorization to access them. So Authorize attribute was added to all of the actions in the controller, as shown below .

    public class AdminSettingsController : Controller
    {
        //
        // GET: /AdminSettings/

        [Authorize]
        public ActionResult Index()
        {
            return View();
        }

        //
        // GET: /AdminSettings/Details/5

        [Authorize]
        public ActionResult Details(int id)
        {
            return View();
        }

        //
        // GET: /AdminSettings/Create

        [Authorize]
        public ActionResult Create()
        {
            return View();
        }


        //
        // GET: /AdminSettings/Edit/5

        [Authorize]
        public ActionResult Edit(int id)
        {
            return View();
        }


        //
        // GET: /AdminSettings/Delete/5

        [Authorize]
        public ActionResult Delete(int id)
        {
            return View();
        }

    }

But if all of the controller's actions need authorization then you can add [Authorize] attribute to the entire Controller itself. Doing this would avoid room for errors, as you may miss to add the Authorize attribute to individual actions and that could become a security vulnerability.

Below you can see I have removed the Authorize attribute from individual actions.

    [Authorize]
    public class AdminSettingsController : Controller
    {
        //
        // GET: /AdminSettings/

        public ActionResult Index()
        {
            return View();
        }

        //
        // GET: /AdminSettings/Details/5

        public ActionResult Details(int id)
        {
            return View();
        }

        //
        // GET: /AdminSettings/Create

        public ActionResult Create()
        {
            return View();
        }


        //
        // GET: /AdminSettings/Edit/5

        public ActionResult Edit(int id)
        {
            return View();
        }


        //
        // GET: /AdminSettings/Delete/5

        public ActionResult Delete(int id)
        {
            return View();
        }

    }

Also note that, if forms authentication is configured then if you add Authorize attribute to an action or controller then MVC will redirect the user to the login page, which is great.

Bookmark / Share

A little less cared ASP.NET’s NestedMasterPage

I have seen developers using user controls which will show and hide sections of site content based on the state of the web site. This is fine for some extent, you know when it becomes bad ? It becomes bad when only user controls are used even for site layout related stuff.

ASP.NET’s NestedMasterPage is a great thing, that, I should admit, I myself started using only recently earlier I was using other ways to display a set of pages in different layout in a website. NestedMasterPage is a master page which is based on another master page, you can have as many levels of nesting as you wish, as far as you don’t confuse yourself.

You create a NestedMasterPage based on which other normal ASP.NET pages will be created. You can have a Main master page in which a website’s most common UI elements are present and create NestedMasterPages for different areas of a site like subsections of a site like web interface for post Member login, etc.

Below is a simple depiction of what could be done with a NestedMasterPage in ASP.NET web forms.

12

Now, below images will give you some idea on how the layout of a site can be less messy if we use NestedMasterPages.

(click to enlarge)

ProdCat

(click to enlarge)

Checkout

Hope it’s understandable.

Bookmark / Share

New ASP.NET project gives a great webapp template in Visual Studio 2010

(This post is part of Visual Studio 2010 series)

When you create a new ASP.NET web application in Visual Studio 2010, you are getting a project which has a good set of features built into it for you to get started quickly. In previous versions of Visual Studio, when you create a new ASP.Net project, you just get one .aspx page with a web.config file.

New-ASP.NET-WebAppTemplate

 

(Visual Studio 2010’s solution explorer showing the contents of a just created Web Application project)

Visual Studio 2010’s new project template has the following..

  • Master page – with menu, login view control, etc., has good div based layout with nicely used css styles. Along with two files based on master page(Default.aspx & About.aspx).
  • Stylesheet - with styles for most elements your web pages will be designed with, that you can customize as you wish
  • Forms authentication enabled – provides you with .aspx pages which implements forms authentication, like, login, register new user and change password, with necessary configurations in web.config
  • Web.config file with Debug and Release versions, including sample Web.config transformations that you most probably need
  • Web.config readily configured for ASP.NET Membership, Roles & Profiles
  • jQuery library .js files included with three versions of .js files – one with Visual Studio intellisense support, a normal one and a minified one-which is used for production.

 

This new project template would help beginners and people who are yet to get good overview on how a typical ASP.NET web site would be written.

Bookmark / Share

A tip when working with QueryStrings..

We still use QueryStrings for many reasons even though we have other methods to deal with HTTP requests to web applications. And when working with QueryStrings, I hate to type Request.QueryString(“blah”), Request.QueryString(“blahblah”), Request.QueryString(“blahblahblah”), etc., again and again when I need to. This is more tiring if there are more number of QueryString items to deal with.

If you note, Request.QueryString is actually a NameValueCollection. So in suitable situations I would love to use a NameValueCollection object with a short name instead of Request.QueryString(“blah”) ;) as shown below. This saves time and provides a little better coding experience.

NameValueCollection q = Request.QueryString;

Response.Write("name" + q["name"]);
Response.Write("address1" + q["address1"]);
Response.Write("address2" + q["address2"]);
Response.Write("city" + q["city"]);
Response.Write("country" + q["country"]);
Bookmark / Share