How to Secure MVC3 Applications

This page describes how to manage security and access control for MVC3 Applications using the Razor view engine:

All the VG features, including VG Dynamic Permissions, are available to secure MVC3 Models and Controllers.
MVC3 / Razor Views are not built with classic C#/VB code, so other techniques are used to secure them.

A few examples:
1 - If a link to the "About" page requires the permission "CanGoToAbout", you can type:

@Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home")

2 - Another (equivalent) solution is this:

@if (this.HasPermission("canGoToAbout"))
{
    @Html.ActionLink("Go to about page", "About", "Home")
}

3 - If this link depends on the Role "Manager", you can also type:

@if (this.IsInRole("Manager"))
{
    @Html.ActionLink("Go to about page", "About", "Home")
}

You will find below more details about how to secure MVC3 applications with Visual Guard.

1) Add the DLL references:

  • Novalys.VisualGuard.Security.dll
  • Novalys.VisualGuard.Security.SQLServer.dll if you use SqlServer
  • Novalys.VisualGuard.Security.WebForm.dll
  • Novalys.VisualGuard.Security.WebMvc.dll

2) Compile your application

3) Add your application in the VGRepository

4) Generate the configuration file

5) Modify your Login Method: 

[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            // Sign in with the Visual Guard principal instead of the MVC3 template's
            // FormsService.SignIn(model.UserName, model.RememberMe).
            // The second argument takes the place of the RememberMe flag of the replaced
            // call; pass model.RememberMe instead of true if the "Remember me" checkbox
            // should decide whether the authentication cookie is persistent.
            VGSecurityRuntime runtime = VGSecurityManager.Runtime;
            VGFormsAuthenticationService.SignIn(runtime.Principal, true);

            // Only follow local return URLs, so the login page cannot be used as an open redirect
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}

6) MVC3 views Security

  • You should use the Razor view engine.
  • You should add
    @using Novalys.VisualGuard.Security.Web
    in your *.cshtml

You can use / combine the following VG methods:

      @this.HasPermission()
      @this.IsAuthenticated()
      @this.IsInRole()
      @this.VGRuntime // accessing the VGRuntime if you need to call a VG API.

You can also use Helpers, developed specifically for MVC3 / Razor views:

For example:

@Html.VGActionLink(<Permission Name or ID>, parm1, parm2, parm3)

Instead of:
@Html.ActionLink(parm1, parm2, parm3)

where parm1, parm2 and parm3 are the arguments you would pass to ActionLink (link text, action name, controller name). The link is rendered only when the current user holds the permission.

As a result, a MVC3 / Razor view can look like this:

@using Novalys.VisualGuard.Security.Web
@{
    ViewBag.Title = "Home Page";
}
<h2>@ViewBag.Message</h2>
<p>
    To learn more about ASP.NET MVC visit <a href="http://asp.net/mvc" title="ASP.NET MVC Website">http://asp.net/mvc</a>.

    @Html.VGActionLink("canGoToAbout", "Go to about page", "About", "Home")

    @if (this.HasPermission("canGoToPage2"))
    {
        @Html.ActionLink("Go to Page 2", "Page2", "Home")
    }

    @if (this.IsInRole("canGoToPage3"))
    {
        @Html.ActionLink("Go to Page 3", "Page3", "Home")
    }
</p>
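The view below is an added example, not part of the original page: it combines the three VG view methods listed above and guards a form rather than a link, which VGActionLink alone cannot do. The permission names canViewOrders and canApproveOrders, the Orders controller and its actions are assumed; the action behind the form must still be secured on the controller side (section 7), because hiding markup only controls what the user sees, not what the server accepts.

```cshtml
@using Novalys.VisualGuard.Security.Web
@{
    ViewBag.Title = "Orders";
}

@* Account links depend only on the authentication state *@
<ul id="account">
    @if (this.IsAuthenticated())
    {
        <li>@Html.ActionLink("Log off", "LogOff", "Account")</li>
    }
    else
    {
        <li>@Html.ActionLink("Log on", "LogOn", "Account")</li>
    }
</ul>

@* A plain link: rendered only when the (assumed) permission canViewOrders is granted *@
@Html.VGActionLink("canViewOrders", "Order list", "Index", "Orders")

@* Markup other than a link (here a form) is wrapped in an explicit check.
   Both conditions must hold: the Manager role and the (assumed) permission canApproveOrders. *@
@if (this.IsInRole("Manager") && this.HasPermission("canApproveOrders"))
{
    using (Html.BeginForm("Approve", "Orders", FormMethod.Post))
    {
        @Html.AntiForgeryToken()
        <input type="submit" value="Approve order" />
    }
}
```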

 

7) MVC3 Controller Security:

All types of permissions are supported for MVC3 Controllers and Models.

In particular, you can use VG Dynamic Permissions as follows:

  • Add the VGISecurable interface to your class:

    public class HomeController : Controller, VGISecurable

  • Call VG methods from your constructor:

    public HomeController()
    {
        VGSecurityManager.SetSecurity(this);
    }

  • Create and use business properties that VG can dynamically modify if needed:

    public String Message { get; set; }

    public ActionResult Index()
    {
        ViewBag.Message = Message;
        return View();
    }

  • Compile your code

8) Define the Security data with the VG WinConsole

  • Declare Permissions, both for Views and Controllers
  • Create Property Actions to change properties of controller classes.
  • Define Permission Sets and select their Permissions
  • Define Roles and select their Permission Sets
  • Define the User accounts and grant them Roles