ASP.NET MVC security best practice -- Add the Authorize attribute to the controller instead of individual actions when appropriate

Recently I was going through an ASP.NET MVC web application's source and noted that in some of the controllers all of the actions required authorization to access them. So the Authorize attribute had been added to every action in the controller, as shown below.

    using System.Web.Mvc;

    public class AdminSettingsController : Controller
    {
        //
        // GET: /AdminSettings/

        [Authorize]
        public ActionResult Index()
        {
            return View();
        }

        //
        // GET: /AdminSettings/Details/5

        [Authorize]
        public ActionResult Details(int id)
        {
            return View();
        }

        //
        // GET: /AdminSettings/Create

        [Authorize]
        public ActionResult Create()
        {
            return View();
        }


        //
        // GET: /AdminSettings/Edit/5

        [Authorize]
        public ActionResult Edit(int id)
        {
            return View();
        }


        //
        // GET: /AdminSettings/Delete/5

        [Authorize]
        public ActionResult Delete(int id)
        {
            return View();
        }

    }

But if all of the controller's actions need authorization, you can add the [Authorize] attribute to the controller itself. Doing so leaves less room for error: when the attribute is applied per action, any action that is added without it is reachable by unauthenticated users, and that becomes a security vulnerability.

Below you can see that I have removed the Authorize attribute from the individual actions.

    using System.Web.Mvc;

    [Authorize]
    public class AdminSettingsController : Controller
    {
        //
        // GET: /AdminSettings/

        public ActionResult Index()
        {
            return View();
        }

        //
        // GET: /AdminSettings/Details/5

        public ActionResult Details(int id)
        {
            return View();
        }

        //
        // GET: /AdminSettings/Create

        public ActionResult Create()
        {
            return View();
        }


        //
        // GET: /AdminSettings/Edit/5

        public ActionResult Edit(int id)
        {
            return View();
        }


        //
        // GET: /AdminSettings/Delete/5

        public ActionResult Delete(int id)
        {
            return View();
        }

    }

Also note that if forms authentication is configured, then when an unauthenticated user requests an action or controller marked with the Authorize attribute, MVC redirects the user to the login page, which is great.
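The risk described above, a forgotten [Authorize] on one action, can be checked mechanically rather than by eye. The following is an added example and not code from the original post: it assumes ASP.NET MVC 4 or later (for AllowAnonymousAttribute) and a test or console project that references the web project containing AdminSettingsController.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Reflection-based audit: lists every public action that is reachable without
// [Authorize] on the action or on its controller, so a forgotten attribute fails a
// unit test instead of shipping. Only ActionResult-returning methods are inspected.
public static class AuthorizeAudit
{
    public static List<string> FindUnprotectedActions(Assembly webAssembly)
    {
        var unprotected = new List<string>();

        var controllers = webAssembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (var controller in controllers)
        {
            // inherit: true honours [Authorize] placed on a base controller class, and
            // IsDefined also matches custom attributes derived from AuthorizeAttribute.
            bool controllerProtected =
                controller.IsDefined(typeof(AuthorizeAttribute), inherit: true);

            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                            && !m.IsSpecialName
                            && !m.IsDefined(typeof(NonActionAttribute), inherit: true));

            foreach (var action in actions)
            {
                bool actionProtected = action.IsDefined(typeof(AuthorizeAttribute), inherit: true);
                // [AllowAnonymous] (MVC 4 and later) marks an action as deliberately public,
                // which is a recorded decision rather than a forgotten attribute.
                bool deliberatelyPublic = action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);
                if (!controllerProtected && !actionProtected && !deliberatelyPublic)
                    unprotected.Add(controller.Name + "." + action.Name);
            }
        }
        return unprotected;
    }

    // Run from a test project (or console app) that references the web project;
    // AdminSettingsController is the controller from the post above.
    public static void Main()
    {
        var findings = FindUnprotectedActions(typeof(AdminSettingsController).Assembly);
        if (findings.Count == 0) { Console.WriteLine("Every action requires authorization."); return; }
        Console.WriteLine("Actions reachable without [Authorize]:");
        findings.ForEach(Console.WriteLine);
    }
}
```

In a unit test, assert that the returned list is empty so that a newly added action without [Authorize] (and without an explicit [AllowAnonymous]) breaks the build.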


Visual Studio 2013 New Features of the IDE

Update: I posted this article on Aug 10, 2013 on CodeProject and in this blog around the release of the Visual Studio 2013 preview version (all the features mentioned below are still present in the final release). Even though I wrote this post to document and share the Visual Studio 2013 new features that I identified when I started exploring it, I recently noted that many people, even Microsoft folks, have talked about the new features on various Microsoft sites; I recommend everyone to check them out too (posting all those links would just make people lazy :-)).

Visual Studio 2013 Preview has been launched recently. Like I did with Visual Studio 2010 and Visual Studio 2012, I am writing this with several purposes in mind: I thought of documenting the cool new features of Visual Studio 2013 that I found, so that it will serve as an index for me and I can easily refer to it in talks I may give or when sharing these with friends.

(Note that one of the ultimate purposes of blogging/posting articles for me is that I can easily recall stuff when needed if I forget; that's the reason even many guys who are greater than me blog :) It is a kind of documenting your learning/taking notes, consolidating it and keeping it on one page as a gist, and it may turn out to be useful to others. And this will help people who are not privileged enough to install and check out the Visual Studio 2013 preview for some reason, like if they don't have a computer of their own or their organization doesn't allow installing any software on their office machines by themselves (this sadly happens in India; the system is not smart enough to allow safe software to be installed without going through cumbersome authorization processes, and you can't even play the ASP.NET site's tutorial videos in some places :-).)

Let me know if this was helpful for you; it will encourage me to post more such things here.

Note: This post talks about Visual Studio 2013's new IDE features. Non-IDE features, new language features, .NET Framework 4.5.1 features and specific code editor enhancements may be discussed in future articles.

Below is the list of Visual Studio 2013's new features I found in the preview bits.

Roaming Settings

You will not miss this feature, because as soon as you launch Visual Studio 2013 for the first time you will get the dialog below prompting you to sign in.


You can sign in to Visual Studio 2013 using your Microsoft account (hotmail.com, live.com, etc.). After you sign in, your settings are synced with your Microsoft account. The next time you use Visual Studio 2013 on another computer, you can sign in with the same Microsoft account and find your settings applied there. This is pretty awesome if you have a couple of computers, like one at home and one at the office, and use Visual Studio on both. I find this useful as I have faced problems with font and keyboard shortcut settings that colleagues have set differently. Now you don't need to waste time repeatedly configuring these settings each time you use Visual Studio on a new machine (or on your colleague's machine).

CodeMap – Visual Debugging

In Visual Studio 2013, when you are in a debugging session you will find an option called Code Map in the debug toolbar.


When you are in Debug mode, clicking this will open a window which shows the visual representation of the execution flow as shown below.


You can think of this window as a visual call stack, which shows the sequence of methods that are invoked. People who have spent hours debugging will realize the potential of this tool; it helps you visualize the code structure better and speeds up your debugging. It also helps newcomers to dev teams grasp existing code easily if they run it with this turned on.

You can add comments as shown below.


You can group items as shown below.


There are a bunch of other things that you can do with the CodeMap window, like highlighting the references to a method box, changing the colors of the method boxes, changing the layout from top-down to left-to-right, etc.

Peek Definition – Alt+F12

In Visual Studio 2013, you have something called Peek Definition above the Go To Definition command.


Unlike the Go To Definition command, which shows the definition by opening the actual code file where the definition is present in a new tab (or in the preview tab), Peek Definition shows the definition in an inline frame containing the section of the source file where the definition is, as shown below.


This allows the user to get a quick glimpse of the definition without leaving the current code location.

You can also use the Peek Definition command again inside the peek definition frame; this opens the definition in the same frame but displays a dotted breadcrumb band at the top right of the frame, as shown below. This band lets you navigate back and forth between the opened definitions (source files). You can use Ctrl+Alt+- and Ctrl+Alt+= to navigate back and forth respectively.


Code Lens

You won't miss this feature when using Visual Studio 2013. There are indicators sitting atop every method in the code editor. Clicking them shows information about that code section, as shown below.


Here you can see that a method's references are shown, and it seems this indicator doesn't stop at references; it has a bunch of other things it can show. I found these capabilities by digging into the Visual Studio options. It looks like it will show unit test related information, authors, changes made by them, etc. You can find the options at Text Editor > All Languages > Code Information Indicators. I haven't tried to make it show all the information it can; I may post more about it in the future.

Browser Link

In Visual Studio 2013, you will find an icon near the Start command as shown below.


This icon is the door to a new feature in Visual Studio 2013 called Browser Link, which provides a two-way link between Visual Studio and your browsers. As a basic function it allows you to refresh the browser window that runs your web application from within Visual Studio. As of now Browser Link just refreshes the browser window and I couldn't find any other use for it, but I hope more cool features will be added in the full release of Visual Studio 2013. To try it, launch your web application and, after it is displayed in your browser, make some modifications to your web app in Visual Studio and click the Browser Link icon shown above (shortcut Ctrl+Alt+Enter); you will find your browser updated with the changes you made in Visual Studio.

You might remember that I wrote here about launching your ASP.NET web applications in multiple browsers at the same time from Visual Studio; now you can interact with all of them in Visual Studio 2013 with this Browser Link feature. Browser Link is going to be a great feature and it could grow a great bunch of options later.

New Blue Theme

Due to the popularity of white-on-black color schemes, a Dark theme was introduced in Visual Studio 2012. For those who preferred the classic black-on-white look, a Light theme was also present. In Visual Studio 2013, a new IDE color theme named Blue is introduced (this is also available with Visual Studio 2012 Update 2).

[Screenshots: Visual Studio 2013 Light theme and Blue theme, side by side]

UI Icons

There have been some debates about the decision to make all the icons in Visual Studio 2012 single colored (Light theme: black on white, or Dark theme: white on black); some liked the simplicity and some hated to lose the familiarity of the icons they had been using for years in past versions of Visual Studio. You will immediately note that Visual Studio 2013 has become more colorful. Some of the single-colored icons are replaced with colored icons, as shown below (click to enlarge the images).

[Screenshots: icon colors in the Dark theme, Visual Studio 2012 vs Visual Studio 2013]

[Screenshots: icon colors in the Light theme, Visual Studio 2012 vs Visual Studio 2013]

I personally like this version of the icons more than Visual Studio 2012's, but I also kind of miss the old icons which were there until Visual Studio 2010, mostly the Debugging section's code stepping icons. When I first started using Visual Studio 2012, I felt I had to put in at least some tiny effort to get used to these icons, but I am a shortcut guy, so these icon changes mostly don't affect me much :).

Feedback & Notifications

In Visual Studio 2013, you will be able to easily give feedback about the product to Microsoft using the icon shown below.


Notifications about product updates, etc. are shown in the small area beside this feedback icon. Clicking this flag-like icon opens the notifications in a separate pane showing you the list of notifications, as shown below.


Conclusion

I am sure I have missed some of the new features of Visual Studio 2013. Let me know in the comments if so, and I will include them (of course crediting you :)).

Happy Coding !


Launching your ASP.NET web applications in multiple browsers at the same time from Visual Studio (2012)

Visual Studio 2010 offered an option to view a particular .aspx page in multiple browsers when you right-clicked the file and chose Browse With…, but it didn't store the setting or allow launching the web page in multiple browsers at the same time every time you executed.

In this article we will see how this feature is enhanced in Visual Studio 2012: you can set multiple browsers as default and store this setting permanently; when you Debug (F5) you get a dialog to choose the browser you'd like to debug with, and when you Execute without debugging (Ctrl+F5) the web application is launched in multiple browsers.

As you may have noted from my earlier article about Visual Studio 2012 new features, Visual Studio 2012 has a browser drop-down that lets you select the browser that will be used to launch your ASP.NET web application when you debug it (F5), as shown below. As I mentioned in that article, this was achievable in earlier Visual Studio versions via other, not-so-quick menu/context menu commands.


If you click the Browse With… menu option shown above, you will be presented with the dialog below.


This window shows the names of all the browsers installed on your machine. As indicated by the dialog, you can select more than one browser and click Browse to launch the web application in the chosen browsers; this will not launch your web application in Debug mode.

Also, you can select multiple browsers and click Set as Default to make this setting permanent, so that whenever you execute the web application without debugging (Ctrl+F5) it will be launched in these browsers at the same time. The Execute command in Visual Studio 2012 will then be captioned Multiple Browsers instead of the default browser name.


If you click the Execute command (which will execute your web application in debug mode), you will get the prompt below.


You can choose which browser you wish to use for debugging.

I think this particular feature will be a productivity enhancer for web developers who work on browser compatibility and tackle the issues that arise when supporting multiple browsers in their ASP.NET web applications.


Happy Coding !


Try jsFiddle.net, it’s cool

Whenever someone explains an issue they are facing by sending me snippets of code containing HTML with JavaScript or CSS, I use this cool tool called jsFiddle.net: I paste the code they send me in the relevant boxes for HTML, JavaScript & CSS on the site and work on the issue.

I do this even if I have the full set of code files in which the issue is present in one part; this helps a lot with issue isolation.

So check out jsFiddle.net!


A new feature in ASP.NET 4: Shorthand syntax for Html Encoding

So far, if we needed to HTML encode content that we write to the response stream, we would use the Server.HtmlEncode() method as below.

    <%= Server.HtmlEncode("Content") %>

Now in ASP.NET 4 we have a new code syntax which comes in handy whenever you want to emit content with HTML encoding. The new syntax is <%: … %>: the "=" character of the old syntax is replaced by the ":" character, as shown below.

    <%: "Content" %>

A little less cared for: ASP.NET's NestedMasterPage

I have seen developers using user controls which show and hide sections of site content based on the state of the web site. This is fine to some extent; you know when it becomes bad? It becomes bad when only user controls are used even for site layout related stuff.

ASP.NET's NestedMasterPage is a great thing that, I should admit, I myself started using only recently; earlier I was using other ways to display a set of pages in a different layout in a website. A NestedMasterPage is a master page which is based on another master page; you can have as many levels of nesting as you wish, as long as you don't confuse yourself.

You create a NestedMasterPage on which other normal ASP.NET pages are then based. You can have a main master page in which a website's most common UI elements are present and create NestedMasterPages for different areas of a site, like subsections such as the web interface shown after member login, etc.

Below is a simple depiction of what could be done with a NestedMasterPage in ASP.NET web forms.


Now, the images below will give you some idea of how the layout of a site can be less messy if we use NestedMasterPages.

[Screenshots: example site layouts built with NestedMasterPages (ProdCat, Checkout)]

Hope it’s understandable.
