To integrate Visual Guard in your MVC Application project you have to:

• Add the assemblies of Visual Guard as references of your project.
• Modify the "web.config" file of your application to integrate the Visual Guard module.
• Integrate Visual Guard in the code of your application.
• Create a Visual Guard repository and declare your application by using the Visual Guard console. This repository will contain all security items (users, roles, permissions ...) of your application.
• Generate the Visual Guard configuration files by using the Visual Guard console. These configuration files will be needed to connect your application to the repository.
• Grant read/write permissions to the repository.

Integration Demo

This demo shows how to integrate Visual Guard in MVC application

 

Referencing Visual Guard assemblies

In order to use Visual Guard, you must add references to Visual Guard assemblies:

• Opens the solution of your project in Visual Studio.
• In the solution explorer, expands the project node.
• Right-click the Project node for the project and select Add Reference from the shortcut menu.
• In Browse tab, select the 4 assemblies Novalys.VisualGuard.Security, Novalys.VisualGuard.Security.WebForm, Novalys.VisualGuard.Security.WebMvc, Novalys.VisualGuard.Security.<RepositoryType> (File, SQLServer or Oracle) from the directory <Visual Guard installation directory>/bin.. Click the Select button, and then click the OK button

Note: Once the Visual Guard assemblies are referenced into project, you need to mark "Copy Local" property to "true" for each assembly.

Description of Visual Guard assemblies:

 

• Novalys.VisualGuard.Security contains the main Visual Guard classes.
• Novalys.VisualGuard.Security.Files contains the classes needed to access to a file based repository.
• Novalys.VisualGuard.Security.SQLServer contains the classes needed to access to a repository stored in a Microsoft SQLServer database (SQLServer 2005 or higher). Available only in Visual Guard Enterprise Edition
• Novalys.VisualGuard.Security.Oracle contains the classes needed to access to a repository stored in an Oracle database (9i or higher). Available only in Visual Guard Enterprise Edition
• Novalys.VisualGuard.Security.WebForm contains the classes needed for ASP.Net application. You must reference this assembly in ASP.Net web application or WebService project.
• Novalys.VisualGuard.Security.WebMvc contains the classes needed for MVC application. You must reference this assembly in MVC application along with Novalys.VisualGuard.Security.WebForm assembly.

Modifying the "web.config" file of your application 

To enable Visual Guard in your application, you must declare the class Novalys.VisualGuard.Security.WebForm.VGHttpModule in the list of HttpModules in the "web.config" of your application. To do that, you must:

• Open the "web.config" file of your application or add a new one to your project.
• Add the following line of code in the <httpModules> node.

<add type="Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule"/>

For example:

<configuration> 
<system.web>
 ... 
<httpModules>
      <add type= "Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule" />
</httpModules>
 ... 
</system.web>

<system.webserver>

... <!--  Integrated Mode -->

<modules runAllManagedModulesForAllRequests="true" > 
     <add type= "Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule"/> 
</modules

...

            

 </system.webserver>
        </configuration> 

This module will enable Visual Guard in your application. It will automatically detect the type of authentication used in your application. Visual Guard supports Forms  and Windows authentication mode.

If you use Form authentication mode, you can use the Visual Guard authentication mechanism. In this case you must call the method VGSecurityManager.Authenticate in your login form. You can find an example of the authentication integrated in a login form in the chapter "Integrate Visual Guard in your code".

If you use Windows authentication mode, Visual Guard will automatically detect the authenticated user and load the security permissions granted to this user.

If the user does not have any role in the application or if the user is not declared in the repository or if the user is anonymous, Visual Guard will deny the user access to all pages in your application.

If you want to allow anonymous sessions in your application, you must declare an anonymous role to your application in the Visual Guard console.

To enable anonymous sessions, you must:

• Open the Visual Guard console and connect to the repository associated to your application.
• Create a new role in your application with a permission set containing permissions for an anonymous user.
• Select the item corresponding to your application and, in the property "Anonymous role", select the role created above.
• To take into account this modification in your application, you must regenerate the Visual Guard configuration files of your application or edit them and change the option anonymousSessionSupported.
• Modify your authorization section of web.config file in order to allow anonymous access to your application.

You can use Visual Guard in conjunction with the URL Authorization module to deny access to specific users (anonymous or not) or roles. Visual Guard users and roles are fully compatible with the URL Authorization module.

Allow Anonymous Access

If you have not allowed anonymous session in your web application and you want to allow certain files to have anonymous access, you must configure your web.config with following section. By default Visual Guard secures all pages except login page, so if you want to allow certain pages to have anonymous access(actions without [Authorize] attribute) without redirecting to login page, mark AutoLoginPage="False" :

 <configuration>
 <configSections>
      <section name="VGWebConfiguration" type="Novalys.VisualGuard.Security.WebForm.VGWebConfiguration" />
 </configSections>

...

<VGWebConfiguration excludeExtension=".css,.png,.js,.gif,.jpg,.Gif">
<ExcludePages>
 <add Url="^~/$" />
 <add Url="~/Account/Login" />
</ExcludePages>
 <VGCookieConfig Domain=".vg.local" DomainScope="WebSSO" AutoRedirect="true" AuthenticationUrl="http://vg.local/webApp/Account/Login" />
</VGWebConfiguration>
</configuration>    

Web SSO

Web SSO allows users authenticated across sub-domains(Ex. sales.novalys.local, marketing.novalys.local, etc) when the authentication takes places at any application under parent domain(Ex. novalys.local). To enable web sso, you must enable VGCookieConfig as mentioned above. Please go through points below which explains possible scenarios with it.

• If the tag VGCookieConfig is not defined, Visual Guard Authentication restricts its scope for the website only.
• Value for the property Domain restricts Visual Guard Authentication to that particular domain. Hence, all web application coming under that domain will be authenticated.
• Value for the property DomainScope defines the scope of Visual Guard Authentication.
• Website:  Restricts authentication only for current web application.
• WebSSO:  Restricts authentication for all web applications which comes under defined domain. Signing out from one application results sign out from all web applications.
• All:  Restricts authentication for all web applications which comes under defined domain. But here signing out from one application would not affect other applications.
• If the value of property AutoRedirect is true and the user is not authenticate VG redirects the user to AuthenticationUrl.
• Value of the property AuthenticationUrl gets or sets the url for authentication.

Mixed Mode Authentication

Mixed Mode Authentication allows users to be able to authenticate against a web application using either Windows authentication or Forms authentication. If a user executes an application internally from an organization, he can log in with Windows authenticatiom wherein other users who connects to the same application externally can use Form authentication. Visual Guard handles this feature in same application by configuring web.config with essential tags and passing an argument with URI. To enable this feature, please refer to the points below:

• Make sure to enable "Windows Authentication". You can enable it from Windows features > Internet Information Services > World Wide Web Services > Security > Windows Authentication.
• Make sure to mark Authentication - Windows to Read/Write. You can mark it from IIS Root > Feature Delegation > mark Authentication - Windows to Read/Write.
• Set authentication mode to "None" in web.config
<authentication mode="None" />
• Set modules and security tag nuder system.webServer in web.config as below:
<system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="FormsAuthentication" />
      <add type="Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule" />
    </modules>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>    
  </system.webServer>
• To authenticate user with windows authentication, you need to pass an argument "VGWindowsNegotiate" in URI. Make sure that an argument is case sensitive.
http://localhost/ApplicationName/Login?VGWindowsNegotiate

Configuring Membership

Alike Membership API, Visual Guard has its own library of Membership. To use VG Membership features, you must declare VGMembershipProvider and VGRoleProvider in your web.config file.

<configuration> 
<system.web> ... 
     <roleManager defaultProvider="VGRoleProvider" enabled="true"> 
          <providers> 
                <add name="VGRoleProvider" type="Novalys.VisualGuard.Security.WebForm.VGRoleProvider, Novalys.VisualGuard.Security.WebForm" /> 
         </providers> 
     </roleManager> 
     <membership defaultProvider="VGMemberShipProvider"> 
        <providers> 
              <add name="VGMemberShipProvider" type="Novalys.VisualGuard.Security.WebForm.VGMemberShipProvider, Novalys.VisualGuard.Security.WebForm" /> 
       </providers> 
    </membership> 
   ... 
</system.web> 
</configuration> 

Integrating Visual Guard in your code

The main class in Visual Guard is Novalys.VisualGuard.Security.VGSecurityManager. This class provides the main access point for interacting with Visual Guard. It provides authentication and authorization features, it allows you to set the security of your application objects.

You have 3 types of code to integrate Visual Guard in your code:

• When you want to use the Form Authentication mode, you must create authentication form that will be used to identify the users.
• When you want to secure a WebService, a custom class or custom control, you must call Visual Guard to set the security of this object (Form and Master class are automatically secured by Visual Guard).
• When you want to check if a user has a specific permission or a specific role, you can use Novalys.VisualGuard.Security.VGSecurityManager.Principal or use the property HttpContext.User.

To create a Login page

If you use form authentication mode, you must configure your web.config file as described in the previous chapter. You can also use your own controls or develop a custom form page.

The following example demonstrates how to authenticate a user. This code can be inserted in the LogOn[HttpPost] method of your Login Controller class:

[C#]

[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{ 
     if (ModelState.IsValid) 
     {
          if (!VGSecurityManager.Authenticate(model.UserName, model.Password, VGAuthenticationMode.VisualGuard).IsFailed) 
          { 
               VGFormsAuthentication.SignIn(); 
               if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\")) 
               { 
                    return Redirect(returnUrl); 
               } 
               else 
               { 
                    return RedirectToAction("Index", "Home"); 
               } 
          } 
          else 
          { 
               ModelState.AddModelError("", "The user name or password provided is incorrect."); 
          } 
     } 
     return View(model); 
} 

public ActionResult LogOff() 
{ 
     VGFormsAuthentication.SignOut(); 
     return RedirectToAction("Index", "Home"); 
}

[Visual Basic]

<HttpPost>_ 
Public Function LogOn(ByVal model As LogOnModel, ByVal returnUrl As String) As ActionResult 
     If ModelState.IsValid Then 
          If Not VGSecurityManager.Authenticate(model.UserName, model.Password, VGAuthenticationMode.VisualGuard).IsFailed Then 
               VGFormsAuthentication.SignIn() 
               If Url.IsLocalUrl(returnUrl) AndAlso returnUrl.Length > 1 AndAlso returnUrl.StartsWith("/") _ 
                    AndAlso Not returnUrl.StartsWith("//") AndAlso Not returnUrl.StartsWith("/\\") Then 
                    Return Redirect(returnUrl) 
               Else 
                    Return RedirectToAction("Index", "Home") 
               End If 
          Else 
               ModelState.AddModelError("", "The user name or password provided is incorrect.") 
          End If 
     End If 
     Return View(model) 
End Function 

Public Function LogOff() As ActionResult 
     FormsAuthentication.SignOut() 
     Return RedirectToAction("Index", "Home") 
End Function

To secure your application objects

If you want to understand how Visual Guard sets the security of your application objects, see How Visual Guard secures an application.

How to filter granted roles

If a user has more than one role, by default Visual Guard creates a permission set that will be a union of all permission sets. If you want to select only one role or filter roles granted to the user, you can handle the event VGHttpModule.PermissionLoading. This event allows you to select roles granted to the user.
To handle this event you must declare <VGHTTPModuleName>_ PermissionLoading in the global.asax script (where <VGHTTPModuleName> is the name of the Visual Guard module declared in the web.config files, by default "VGModule").

The following example demonstrates how to select the role Administrator if this role is granted:

[Visual Basic]
Sub VGModule_PermissionLoading(ByVal sender As  Object, ByVal e As VGPermissionsLoadingEventArgs) 
If e.Roles.Length > 1 Then
     Dim selectedRoles(1)  As Novalys.VisualGuard.Security.VGGrantedRole 
     For Each role As Novalys.VisualGuard.Security.VGGrantedRole In e.Roles
        If role.Name = "Administrator"  Then 
          selectedRoles(0) = role 
          Exit 
        For Else If role.Name = "Member"  Then 
          selectedRoles(0)  = role 
        Exit For
       End 
If End 
        If Next If
                selectedRoles(0)
                Is
Nothing Then e.Status = Novalys.VisualGuard.Security.VGAuthorizationStatus.ProcessCanceled
        Else e.Roles
        = selectedRoles
        End 
If End 
        If End Sub

[C#]
void VGModule_PermissionLoading(object sender, VGPermissionsLoadingEventArgs args) 
{
     if(e.Roles.Length > 1) 
     { 
       Novalys.VisualGuard.Security.VGGrantedRole[] selectedRoles = new Novalys.VisualGuard.Security.VGGrantedRole[1]; 
       foreach (Novalys.VisualGuard.Security.VGGrantedRole role in e.Roles)
       { 
         if (role.Name ==  "Administrator") 
         { 
             selectedRoles[0] = role;
             break; 
         } 
         else if (role.Name == "Member") 
         {
             selectedRoles[0] = role; 
             break; 
         }
       }
       if (selectedRoles[0] == null) 
       {
           e.Status = Novalys.VisualGuard.Security.VGAuthorizationStatus.ProcessCanceled;
       }
       else 
       {
            e.Roles = selectedRoles;
       }
    }
} 

Creating a repository and declaring the application

Once Visual Guard is integrated in your application, you can create the repository containing the information about the security of your application (users, roles, permissions ...). You must launch the Visual Guard console, right-click the root node in the treeview then select the option "Add repository".

After creating the repository, you must declare your application in the repository. Right-click the node corresponding to your repository then select the option "Connect...". After the connection, right-click on the repository node then select the option "Add application". At the end of the wizard, the console will generate 2 configuration files in the "bin" directory of your application.

Note: If you want to test the connection to this repository from your application, you will need to create a role for your application in the Visual Guard console and grant this role to a user. A user defined in the repository can access your application only when a role of the application is granted to this user.

Securing MVC application

Once all the above configurations are integrated in your application, you can now create permissions.
There are multiple ways possible with Visual Guard to create permission on your application. At first, you need to create permission under Permission Node of an application. Please find steps below on how to create a permission:

• Connect to the Repository.
• Expand your MVC application node.
• Right click on Permission node and click "Create Permission".
• Give valid name to the newly created permission.

You can secure your MVC application in following manner:

• Implementing permission on Property Action
  
  It is mandatory to implement VG interface "VGISecurable" in the controller to secure and by writting VGSecurityManager.SetSecurity(this) in the constructor of a controller.
  

  [C#] 
  public class ProductController: Controller, VGISecurable
  {
       public ProductController() 
       {      
  
               VGSecurityManager.SetSecurity(this); 
       }
  } 
  [Visual Basic] 
  public class ProductController
      Inherits Controller  
  Implements VGISecurable
       Public Sub New() 
  
               VGSecurityManager.SetSecurity(Me); 
      End Sub 
  End Class 


Visual Guard can create a permission on a property which is written inside the code. For example:
1) Create a boolean property inside the code.
2) Create a permission in your application in Visual Guard Win Console.
3) Right click and create "Property Action" and follow the screen.
4) Finally select the property which you have created inside the code and assign either True of False


• Implementing permission on Action Link
  
  Alike Action Link in MVC Razor, you can find VG Action Link which will take parameter permission under consideration and display the link accordingly. For example:
  
  

  [C#]
  @using Novalys.VisualGuard.Security.Web
  
  @Html.VGActionLink(@"/Employees/Allow to edit and delete employee", "Edit", "Edit", "Edit", new { id = item.EmployeeID }) 

  [Visual Basic	]
  @Imports Novalys.VisualGuard.Security.Web
  
  @Html.VGActionLink(@"/Employees/Allow to edit and delete employee", "Edit", "Edit", "Edit", new { id = item.EmployeeID }) 

  This method will take permission full name as parameter with other required parameters to display link text.
  
  
• Implementing permission if has permission
  
  You can check in MVC Razor if a logged in user has a particular permission or not, based on that you may need to show/hide controls. For example:
  

  [C#]
  @using Novalys.VisualGuard.Security.Web
  
  @if (this.HasPermission("/Employees/Allow to administrate employees")) 
  { 
  	@Html.ActionLink("Edit or create employee", "Index", "Employee", null, null)
  } 
  else 
  { 
  	@: Edit or create employee 
  }

  
  

  [Visual Basic	]
  @Imports Novalys.VisualGuard.Security.Web
  
  If Me.HasPermission("/Employees/Allow to administrate employees") 
  Then 
  	@Html.ActionLink("Edit or create employee", "Index", "Employee", Nothing, Nothing) 
  Else 
  	@: Edit or create employee 
  End If 

 

• Implementing permission if is in role
  
  You can check in MVC Razor if a logged in user has a particular role or not, based on that you may need to show/hide controls. For example:

  [C#]
  @using Novalys.VisualGuard.Security.Webb
  
  @if (this.IsInRole("FullTrust")) 
  { 
  	@Html.ActionLink("Edit or create employee", "Index", "Employee", null, null)
  } 
  else 
  { 
  	@: Edit or create employee 
  }

  [Visual Basic	]
  @Imports Novalys.VisualGuard.Security.Web
  
  If Me.IsInRole("Developer") 
  Then 
  	@Html.ActionLink("Edit or create employee", "Index", "Employee", Nothing, Nothing) 
  Else 
  	@: Edit or create employee 
  End If   

Granting Read/Write permission to the Repository

Visual Guard needs to have Read/Write permissions to access the repository. For example, for a file based repository you must grant "Modify" permission to the directory containing the repository for ASP.NET user accounts. For a repository stored in a database, the user used to access the Visual Guard repository database must be a member of "vg_BasicAccess" role.

In most cases, you must grant this permission to "MACHINE\ASPNET" user account. If you use IIS 6.0 on Windows Server 2003 the user account is "NT Authority\Network Service". If you use impersonation, you must grant permission to "MACHINE\IUSR_<MACHINE>" for Form authentication mode and "Domain\UserName" for Windows integrated authentication mode.

To change permission to a directory, you must:

• Open the Explorer.
• Right click the directory containing the repository data then select the menu "Properties".
• In the "Security" tab, click on the "Add" button and select the user for which you want to grant the permission (i.e. MACHINE\ASPNET) then click ok.
• In the list of permissions, click the option "Modify" then click on the "OK" button.