How to Secure MVC3 Applications

This page describes how to manage security and access control for MVC3 applications using the Razor view engine.

All the VG features, including VG Dynamic Permissions, are available to secure MVC3 Models and Controllers.
MVC3 / Razor Views are not built with classic C#/VB code, so other techniques are used to secure them.
Note that the view helpers only control what is rendered: a user who knows the URL can still request the action directly, so the Controller actions behind the links must be secured as well (see 7) below).

A few examples:
1 - If a link to the "About" page requires the permission "canGoToAbout", you can type:

        @Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home")

2 - Another (equivalent) solution is this:

        @if (this.HasPermission("canGoToAbout"))
        {
            @Html.ActionLink("Go to about page", "About", "Home")
        }

3 - If this link depends on the Role "Manager", you can also type:

        @if (this.IsInRole("Manager"))
        {
            @Html.ActionLink("Go to about page", "About", "Home")
        }

You will find below more details about how to secure MVC3 applications with Visual Guard.

1) Add the dll references:

  • Novalys.VisualGuard.Security.dll
  • Novalys.VisualGuard.Security.SQLServer.dll (if you use SQL Server)
  • Novalys.VisualGuard.Security.WebForm.dll
  • Novalys.VisualGuard.Security.WebMvc.dll

2) Compile your application

3) Add your application in the VGRepository

4) Generate the configuration file

5) Modify your Login Method (the braces below restore the structure of the MVC3 template's LogOn action):

        public ActionResult LogOn(LogOnModel model, string returnUrl)
        {
            if (ModelState.IsValid)
            {
                if (MembershipService.ValidateUser(model.UserName, model.Password))
                {
                    // Sign in with the Visual Guard principal instead of the
                    // template's FormsService, so that VG roles and permissions
                    // are attached to the authenticated user.
                    VGSecurityRuntime runtime = VGSecurityManager.Runtime;
                    // The second argument is assumed to play the role of the
                    // template's model.RememberMe flag (persistent cookie);
                    // check the VG API reference before passing true unconditionally.
                    VGFormsAuthenticationService.SignIn(runtime.Principal, true);
                    //FormsService.SignIn(model.UserName, model.RememberMe);

                    // Only follow returnUrl when it is local: redirecting to an
                    // arbitrary URL would turn the login page into an open redirect.
                    if (Url.IsLocalUrl(returnUrl))
                    {
                        return Redirect(returnUrl);
                    }
                    else
                    {
                        return RedirectToAction("Index", "Home");
                    }
                }
                else
                {
                    ModelState.AddModelError("", "The user name or password provided is incorrect.");
                }
            }

            // If we got this far, something failed, redisplay form
            return View(model);
        }

6) MVC3 Views Security:

  • You should use the Razor view engine.
  • You should add
        @using Novalys.VisualGuard.Security.Web
    at the top of your *.cshtml files.

You can use / combine the following VG methods:

      @this.VGRuntime // accessing the VGRuntime if you need to call a VG API.

You can also use Helpers developed specifically for MVC3 / Razor views.

For example, VGActionLink takes the permission (name or ID) as its first argument, followed by the same arguments as ActionLink (link text, action name, controller name):

        @Html.VGActionLink(<Permission Name or ID>, parm1, parm2, parm3)

Instead of:

        @Html.ActionLink(parm1, parm2, parm3)

As a result, a MVC3 / Razor view can look like this:

        @using Novalys.VisualGuard.Security.Web
        @{
            ViewBag.Title = "Home Page";
        }

        <p>To learn more about ASP.NET MVC visit <a href="" title="ASP.NET MVC Website">ASP.NET MVC Website</a>.</p>

        @* Helper: the link is rendered only if the current user holds the permission *@
        @Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home")

        @* Equivalent, with an explicit permission check *@
        @if (this.HasPermission("canGoToPage2"))
        {
            @Html.ActionLink("Go to Page 2", "Page2", "Home")
        }

        @* Role check: IsInRole tests a VG Role name, not a Permission *@
        @if (this.IsInRole("canGoToPage3"))
        {
            @Html.ActionLink("Go to Page 3", "Page3", "Home")
        }


7) MVC3 Controller Security:

All types of permissions are supported for MVC3 Controllers and Models.

In particular, you can use VG Dynamic Permissions as follows:

  • Add the VGISecurable interface on your controller class
  • Call the VG methods from its constructor
  • Create the business properties that VG can modify dynamically when a Property Action applies
  • Compile your code

Put together, the controller looks like this:

        public class HomeController : Controller, VGISecurable
        {
            public HomeController()
            {
                // Visual Guard initialization calls go here (see the VG API reference)
            }

            // Business property that a VG Property Action can change at runtime
            public String Message { get; set; }

            public ActionResult Index()
            {
                ViewBag.Message = Message;
                return View();
            }
        }

8) Define the Security data with the VG WinConsole

  • Declare Permissions, both for Views and Controllers
  • Create Property Actions to change properties of controller classes.
  • Define Permission Sets and select their Permissions
  • Define Roles and select their Permissions Sets
  • Define the User accounts and grant them Roles
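
The helpers in 6) only decide whether a link is rendered; the security data defined in 8) is enforced only if the Controller actions behind the links refuse unauthorized requests, as 7) requires. The following is an added example, not code from the Visual Guard documentation or product: it gates the actions targeted by the view above with the standard ASP.NET MVC AuthorizeAttribute. It assumes that the principal attached by VGFormsAuthenticationService.SignIn(runtime.Principal, ...) answers User.IsInRole with Visual Guard roles, and it uses a hypothetical VGPermissionAttribute whose permission check (the PermissionCheck delegate) has to be wired to the VG runtime at startup; neither the attribute nor the delegate is part of the VG API, and the namespace is the MVC3 template default.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

namespace MvcApplication1.Controllers
{
    // Hypothetical fail-closed permission filter (not part of Visual Guard).
    // The check itself is injected at startup so no VG API name is assumed
    // here; until it is wired, every request to a guarded action is denied.
    public class VGPermissionAttribute : AuthorizeAttribute
    {
        // Assign in Application_Start, e.g. to a lambda that asks the VG runtime
        // (VGSecurityManager.Runtime) whether the current principal holds the
        // named permission. Deny by default.
        public static Func<string, bool> PermissionCheck = name => false;

        private readonly string permission;

        public VGPermissionAttribute(string permission)
        {
            this.permission = permission;
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Base check: the caller must be authenticated (and satisfy any
            // Roles/Users also set on the attribute).
            if (!base.AuthorizeCore(httpContext))
            {
                return false;
            }
            return PermissionCheck(permission);
        }
    }

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        // Role gate, the counterpart of @if (this.IsInRole("Manager")) in the
        // view: AuthorizeAttribute calls User.IsInRole("Manager"), assumed to
        // see VG roles once runtime.Principal has been signed in.
        [Authorize(Roles = "Manager")]
        public ActionResult About()
        {
            return View();
        }

        // Permission gate, the counterpart of @if (this.HasPermission("canGoToPage2")):
        // hiding the link does not stop a direct GET /Home/Page2, this does.
        [VGPermission("canGoToPage2")]
        public ActionResult Page2()
        {
            return View();
        }
    }
}
```

Unauthorized requests get the default AuthorizeAttribute handling (HTTP 401, which Forms authentication turns into a redirect to the LogOn page), so the view and the controller stay consistent: the link is hidden for users without the permission, and the action is refused if they request it anyway.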