This page describes how to manage security and access control for MVC3 Applications using the Razor view engine:
All the VG features - including VG Dynamic Permissions - are available to secure MVC3 Models and Controllers.
MVC3 / Razor Views are not built with classic C#/VB code, so we use other techniques to secure them.
A few examples:
1 - If a link to the "About" page requires the permission "canGoToAbout", you can type:
    @Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home")
2 - Another (equivalent) solution is this:
    @if (this.HasPermission("canGoToAbout"))
    {
        @Html.ActionLink("Go to about page", "About", "Home")
    }
3 - If this link depends on the Role "Manager", you can also type:
    @if (this.IsInRole("Manager"))
    {
        @Html.ActionLink("Go to about page", "About", "Home")
    }
You will find below more details about how to secure MVC3 applications with Visual Guard:
1) Add the dll references:
- Novalys.VisualGuard.Security.dll
- Novalys.VisualGuard.Security.SQLServer.dll if you use SqlServer
- Novalys.VisualGuard.Security.WebForm.dll
- Novalys.VisualGuard.Security.WebMvc.dll
2) Compile your application
3) Add your application in the VGRepository
4) Generate the configuration file
5) Modify your Login Method:
    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            if (MembershipService.ValidateUser(model.UserName, model.Password))
            {
                // Sign in with the Visual Guard principal instead of the default FormsService call.
                VGSecurityRuntime runtime = VGSecurityManager.Runtime;
                VGFormsAuthenticationService.SignIn(runtime.Principal, true);
                //FormsService.SignIn(model.UserName, model.RememberMe);
                // Only follow returnUrl when it is local, to avoid open redirects.
                if (Url.IsLocalUrl(returnUrl))
                {
                    return Redirect(returnUrl);
                }
                else
                {
                    return RedirectToAction("Index", "Home");
                }
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
        }
        // If we got this far, something failed, redisplay form
        return View(model);
    }
6) MVC3 views Security
You can use / combine the following VG methods:
    @this.HasPermission()
    @this.IsAuthenticated()
    @this.IsInRole()
    @this.VGRuntime // accessing the VGRuntime if you need to call a VG API.
You can also use Helpers, developed specifically for MVC3 / Razor views:
For example: @Html.VGActionLink(<Permission Name or ID>, parm1, parm2, parm3);
Instead of: @Html.ActionLink(parm1, parm2, parm3);
As a result, an MVC3 / Razor view can look like this:
    @using Novalys.VisualGuard.Security.Web;
    @{
        ViewBag.Title = "Home Page";
    }
    <h2>@ViewBag.Message</h2>
    <p>
        To learn more about ASP.NET MVC visit <a href="http://asp.net/mvc" title="ASP.NET MVC Website">http://asp.net/mvc</a>.
        @Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home")
        @if (this.HasPermission("canGoToPage2"))
        {
            @Html.ActionLink("Go to Page 2", "Page2", "Home")
        }
        @if (this.IsInRole("canGoToPage3"))
        {
            @Html.ActionLink("Go to Page 3", "Page3", "Home")
        }
    </p>
7) MVC3 Controller Security:
All types of permissions are supported for MVC3 Controllers and Models.
In particular, you can use VG Dynamic Permissions as follows:
- Add the VGISecurable interface to your class:
  Example:
    public class HomeController : Controller, VGISecurable
- Call VG methods from your constructor:
  Example:
    public HomeController()
    {
        VGSecurityManager.SetSecurity(this);
    }
- Create and use business properties that VG can dynamically modify if needed:
    public String Message
    {
        get;
        set;
    }
    public ActionResult Index()
    {
        ViewBag.Message = Message;
        return View();
    }
- Compile your code
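Hiding a link in a view (step 6) does not by itself restrict the action behind it, so the same rule should also be enforced on the controller. The following is an added example, not Visual Guard code and not part of the original page: RequireRoleAttribute is a hypothetical name, and the example assumes that HttpContext.User is the principal established at sign-in (step 5) and that its IsInRole reflects the roles defined in Visual Guard. The VGISecurable wiring shown above is left out to keep the example short.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example, not Visual Guard code. RequireRoleAttribute is a hypothetical name.
// Assumption: HttpContext.User is the principal established at sign-in (step 5)
// and its IsInRole reflects the roles defined in Visual Guard.
public class RequireRoleAttribute : AuthorizeAttribute
{
    private readonly string[] _roles;

    public RequireRoleAttribute(params string[] roles)
    {
        if (roles == null || roles.Length == 0)
            throw new ArgumentException("At least one role is required.", "roles");
        _roles = roles;
    }

    // Runs on the server before the action executes.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return _roles.Any(role => user.IsInRole(role));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        bool signedIn = user != null && user.Identity != null && user.Identity.IsAuthenticated;
        if (signedIn)
            // Signed in but lacking the role: 403, not a redirect back to the login page.
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext); // anonymous: default 401
    }
}

public class HomeController : Controller
{
    // Same rule as the view-level @if (this.IsInRole("Manager")) check.
    [RequireRole("Manager")]
    public ActionResult About()
    {
        return View();
    }
}
```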
8) Define the Security data with the VG WinConsole
- Declare Permissions, both for Views and Controllers
- Create Property Actions to change properties of controller classes.
- Define Permission Sets and select their Permissions
- Define Roles and select their Permission Sets
- Define the User accounts and grant them Roles