This page describes how to manage security and access control for MVC3 Applications using the Razor view engine:
All the VG features - including VG Dynamic Permissions - are available to secure MVC3 Models and Controllers.
MVC3 / Razor Views are not built with classic C#/VB code, so we use other technics to secure them.
A few examples:
1 - If a link to the "About" page requires the permission "CanGoToAbout", you can type:
@Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home");
2 - Another (equivalent) solution is this:
@if (this.HasPermission("canGoToAbout")) { @Html.ActionLink("Go to about page", "About", "Home"); }
3 - If this link depends on the Role "Manager", you can also type:
@if (this.IsInRole("Manager")) { @Html.ActionLink("Go to about page", "About" , "Home"); }
You will find below more details about how to secure MVC3 applications with Visual Guard
1) Add the dll references:
2) Compile your application
3) Add your application in the VGRepository
4) Generate the configuration file
5) Modify your Login Method:
[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
if (ModelState.IsValid)
{
if (MembershipService.ValidateUser(model.UserName, model.Password))
{
VGSecurityRuntime runtime = VGSecurityManager.Runtime;
VGFormsAuthenticationService.SignIn(runtime.Principal, true);
//FormsService.SignIn(model.UserName, model.RememberMe);
if (Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
else
{
ModelState.AddModelError("", "The user name or password provided is incorrect.");
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
6) MVC3 views Security
@using Novalys.VisualGuard.Security.Web
in your *.cshtmlYou can use / combine the following VG methods:
@this.HasPermission()
@this.IsAuthenticated()
@this.IsInRole()
@this.VGRuntime // accessing the VGRuntime if you need to call a VG API.
You can also use Helpers, developed specifically for MVC3 / Razor views:
For example:
@Html.VGActionLink(<Permission Name or ID>, parm1, parm2, parm3);
@Html.ActionLink(parm1, parm2, parm3);
As a result, a MVC3 / Razor view can look like this:
@using Novalys.VisualGuard.Security.Web; @{ ViewBag.Title = "Home Page"; } <h2>@ViewBag.Messageh2> <p> To learn more about ASP.NET MVC visit <a href="http://asp.net/mvc" title="ASP.NET MVC Website">http://asp.net/mvca>. @Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home"); @if (this.HasPermission("canGoToPage2")) { @Html.ActionLink("Go to Page 2", "Page2", "Home"); } @if (this.IsInRole("canGoToPage3")) { @Html.ActionLink("Go to Page 3", "Page3", "Home"); } p>
7) MVC3 Controller Security:
All types of permissions are supported for MVC3 Controllers and Models.
In particular, you can use VG Dynamic Permissions as follows:
public class HomeController : Controller, VGISecurable
public HomeController()
{
VGSecurityManager.SetSecurity(this);
}
public String Message
{
get;
set;
}
public ActionResult Index()
{
ViewBag.Message = Message;
return View();
}
8) Define the Security data with the VG WinConsole