This document describes how easily you can secure your MVC projects with Visual Guard.
Visual Guard is a ready to use Access Control solution that allows you to secure MVC applications without coding.
Save time during application development, and standardize security across the company with Visual Guard. It supports various application types: Winform, Webform, Webservices, SaaS, Multi-tenant, etc.
Visual Guard modules provide functionality for:
To integrate Visual Guard in your MVC application, you need to ensure that the following points are met:
All business applications require a secure way to restrict access to resources, making them accessible only to authenticated users. Before proceeding, make sure the prerequisites are implemented and that the user(s) have permission to access the application.
Here is the code in AccountController that is executed once the "Log In" button is clicked.
Code Snippet
The "Runtime.Authenticate" method takes the username, password and authentication mode as parameters and returns a status based on many criteria. The authentication mode can be VisualGuard, WindowsByCredential, Database, etc. Once the authentication status is "Success", the "VGFormsAuthentication.SignIn" method must be called. It sets an authentication token in a cookie, which lets the application recognise the authenticated user on subsequent requests.
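A Login action of the kind the paragraph describes, written here as an added example rather than the page's own snippet. The parameter order of Runtime.Authenticate, the enum type names AuthenticationMode and AuthenticationStatus, and the single-argument form of VGFormsAuthentication.SignIn are assumptions drawn from the description above; the local-URL check is standard ASP.NET MVC.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
// The Visual Guard namespace is not given on this page; add its using directive here.

public class LoginViewModel
{
    [Required] public string UserName { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet, AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Assumed: Runtime.Authenticate(user, password, mode) returns a status value.
        // The page names the method, the "Success" status and the VisualGuard mode,
        // but not the enum type names used here.
        var status = Runtime.Authenticate(model.UserName, model.Password,
                                          AuthenticationMode.VisualGuard);
        if (status != AuthenticationStatus.Success)
        {
            // One generic message for every failure, so the response does not
            // reveal whether the user name exists.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Issues the Visual Guard authentication cookie that later requests carry.
        VGFormsAuthentication.SignIn(model.UserName);

        // Only follow local return URLs; an absolute returnUrl could send the
        // freshly authenticated user to a site of someone else's choosing.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```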
The objective of SSO is to allow users access to all applications with a single account. It provides a unified mechanism to manage the authentication of users and determine user access to applications and data.
SSO integration should not impose significant modifications to the application and should be the same no matter the type of application or development technology used.
Visual Guard provides a coherent authentication strategy and framework for all applications and websites secured by the system.
To enable SSO in your application, you must enable VGCookieConfig in web.config under VGWebConfiguration section.
<VGCookieConfig Domain=".vg.local" DomainScope="WebSSO" AutoRedirect="true" AuthenticationUrl="http://vg.local/webApp/Account/Login" />
Visual Guard extends the HTML helper class to manage security and access control with the Razor View Engine, so you can easily secure your Razor view pages with the methods below.
Once the user is authenticated, you can check whether the logged-in user is in a specific role, using the code below.
Code Snippet
@if (this.IsInRole("Administrator"))
{
    //..
}
Along with checking the role of an authenticated user, you can also check whether the currently logged-in user has a specific permission, using the code below.
Code Snippet
Using the IsAuthenticated method, you can check whether the user is authenticated and, based on that, enable certain controls.
Code Snippet
Similar to the standard ActionLink helper, Visual Guard provides VGActionLink, which takes a permission parameter and shows or hides the link accordingly.
The VGWebAuthorize attribute, when applied to a controller or to individual actions, forbids unauthorized access. If you mark a controller with the VGWebAuthorize attribute, all actions in that controller are restricted.
Any attempt to access a controller or action secured by the VGWebAuthorize attribute returns a 401 Unauthorized status and redirects to the standard login page. You can restrict a controller or an action based on users, roles and permissions.
Code Snippet
You can pass multiple roles, users or permissions so that Visual Guard combines and restricts the entity accordingly.
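A controller secured the way the section describes, added here as an example that is not taken from the page. The attribute's Roles and Permissions property names, the comma-separated list syntax, and the IOrderRepository type are assumptions; the page only states that users, roles and permissions can be passed.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
// Visual Guard namespace omitted: the page does not name it.

// Controller-level attribute: every action below requires an authenticated
// Visual Guard user; an anonymous request gets 401 and the login page.
[VGWebAuthorize]
public class OrdersController : Controller
{
    private readonly IOrderRepository _orders;   // hypothetical data access interface
    public OrdersController(IOrderRepository orders) { _orders = orders; }

    // Any authenticated user may list orders.
    public ActionResult Index()
    {
        return View(_orders.All());
    }

    // Role-based restriction. Property name and list syntax are assumptions.
    [VGWebAuthorize(Roles = "Sales,Manager")]
    public ActionResult Create()
    {
        return View(new Order());
    }

    // Permission-based restriction: the action depends on a named permission,
    // so who may approve is decided in Visual Guard, not by editing this code.
    // The attribute sits on the POST action as well: protecting only a GET
    // form would leave the state-changing request open.
    [HttpPost, ValidateAntiForgeryToken]
    [VGWebAuthorize(Permissions = "Orders.Approve")]
    public ActionResult Approve(int id)
    {
        var order = _orders.Find(id);
        if (order == null)
            return HttpNotFound();
        order.Approved = true;
        _orders.Save(order);
        return RedirectToAction("Index");
    }
}

// Hypothetical model and repository abstraction so the controller compiles.
public class Order { public int Id { get; set; } public bool Approved { get; set; } }
public interface IOrderRepository
{
    IEnumerable<Order> All();
    Order Find(int id);
    void Save(Order order);
}
```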
Database security has become important as enterprises treat data as an asset critical to operations. One common requirement in most applications is filtering rows based on the current user's data, or securing LINQ queries. Visual Guard is capable of achieving this.
A user can secure the data access layer based on a property assigned from Visual Guard. They can also pass an expression to a property, or add an attribute of any data type to a permission.
Code Snippet
To dynamically secure a property from Visual Guard, you can assign the property of the controller as below:
Code Snippet
Large organizations typically run multiple websites, split by department or location, each with its own login page, so users must log in several times with the same credentials. The Visual Guard Web Portal addresses this scenario with a single login page for all secured websites integrated into Visual Guard: a user of several Visual Guard-secured websites logs in once, when entering the first site.
Visual Guard provides two possible ways to achieve this:
After successful authentication on one site, Visual Guard creates the security token that allows the security system to uniquely identify each session. You can pass this token to another web site and Visual Guard will automatically identify whether the user has permission to access this application or not.
By default, Visual Guard secures all views. You can however exclude some views from security. For example, the root page, login page and create-user page do not require security. You can exclude them in the web.config section as below:
Code Snippet
Code Snippet
You need to define the ‘VGWebConfiguration’ section to activate the configuration in the application; the next code snippet shows how to exclude an extension from security. If ‘AutoLoginPage=True’, the browser is redirected to the login URL.
If you have more than 1000 connections per second, you need to set some preferences in Visual Guard.
By default Visual Guard secures all components requested by the browser.
To control access to a Web API, you need both authentication and authorization. In most cases, Web API assumes that authentication happens on the host side, which creates the IPrincipal object representing the security context. In other cases, where authentication must happen on the Web API side, the caller can simply authenticate with Visual Guard, which returns a token to the host. Later, the host sends this token with its requests, for example as a query string parameter, to call Web API actions.
Code Snippet
Later, to call an action with token, it can be called as “<baseurl>/api/production/getall?vgtoken=xxxxxxxx”
Visual Guard provides an authorization filter attribute, “VGAuthorize”, which checks whether the user is authenticated and, if not, returns status code 401. Once the user is authenticated, it checks authorization against users, roles and permissions.
Code Snippet
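The Web API flow from the two paragraphs above, as an added example rather than code from the page: a token-issuing action on the API side and a resource controller guarded by VGAuthorize. The LoginRequest and TokenResponse types, the Runtime.CurrentToken accessor, and the Permissions property name are hypothetical; the page names only Runtime.Authenticate, the vgtoken query parameter and the VGAuthorize attribute.

```csharp
using System.Web.Http;
// Visual Guard namespace omitted: the page does not name it.

public class LoginRequest { public string UserName { get; set; } public string Password { get; set; } }
public class TokenResponse { public string VgToken { get; set; } }

// Token issuance on the Web API side (the second scenario in the text).
[RoutePrefix("api/auth")]
public class AuthController : ApiController
{
    [HttpPost, Route("token"), AllowAnonymous]
    public IHttpActionResult Token(LoginRequest request)
    {
        if (request == null || string.IsNullOrEmpty(request.UserName))
            return BadRequest();
        var status = Runtime.Authenticate(request.UserName, request.Password,
                                          AuthenticationMode.VisualGuard);
        if (status != AuthenticationStatus.Success)
            return Unauthorized();   // no detail about which check failed
        // Hypothetical accessor: the page says Visual Guard creates the token
        // after authentication but does not show how it is read back.
        return Ok(new TokenResponse { VgToken = Runtime.CurrentToken });
    }
}

// VGAuthorize answers 401 for callers without a valid token, then evaluates
// users, roles and permissions before the action body runs.
[VGAuthorize]
[RoutePrefix("api/production")]
public class ProductionController : ApiController
{
    // Matches the page's example call: GET <baseurl>/api/production/getall?vgtoken=...
    [HttpGet, Route("getall")]
    [VGAuthorize(Permissions = "Production.Read")]   // property name assumed
    public IHttpActionResult GetAll()
    {
        return Ok(ProductionStore.Items);
    }
}

// Constructed sample data so the resource action returns something concrete.
public static class ProductionStore
{
    public static readonly string[] Items = { "Line A", "Line B" };
}
```

With the token in the query string, as in the page's example URL, it is written to web server and proxy access logs and to browser history; carrying it in an Authorization header instead keeps it out of those places.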