To integrate Visual Guard in your MVC Application project you have to:
This demo shows how to integrate Visual Guard in an MVC application.
In order to use Visual Guard, you must add references to Visual Guard assemblies:
Note: Once the Visual Guard assemblies are referenced in the project, you need to set the "Copy Local" property to "true" for each assembly.
Description of Visual Guard assemblies:
To enable Visual Guard in your application, you must declare the class Novalys.VisualGuard.Security.WebForm.VGHttpModule in the list of HttpModules in the "web.config" of your application. To do that, you must:
<add type="Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule"/>
For example:
<configuration>
  <system.web>
    ...
    <httpModules>
      <add type="Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule" />
    </httpModules>
    ...
  </system.web>
  <system.webServer>
    ...
    <!-- Integrated Mode -->
    <modules runAllManagedModulesForAllRequests="true">
      <add type="Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule" />
    </modules>
    ...
  </system.webServer>
</configuration>
This module will enable Visual Guard in your application. It will automatically detect the type of authentication used in your application. Visual Guard supports the Forms and Windows authentication modes.
If you use Forms authentication mode, you can use the Visual Guard authentication mechanism. In this case you must call the method VGSecurityManager.Authenticate in your login form. You can find an example of the authentication integrated in a login form in the chapter "Integrate Visual Guard in your code".
If you use Windows authentication mode, Visual Guard will automatically detect the authenticated user and load the security permissions granted to this user.
If the user does not have any role in the application or if the user is not declared in the repository or if the user is anonymous, Visual Guard will deny the user access to all pages in your application.
If you want to allow anonymous sessions in your application, you must declare an anonymous role for your application in the Visual Guard console.
To enable anonymous sessions, you must:
You can use Visual Guard in conjunction with the URL Authorization module to deny access to specific users (anonymous or not) or roles. Visual Guard users and roles are fully compatible with the URL Authorization module.
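A sketch of such URL Authorization rules, added here as an example and not taken from the Visual Guard documentation. It assumes the login page is at Account/Login, that the Employee controller is reached under the Employee path, and that the repository defines a role named Administrator:

```xml
<configuration>
  <system.web>
    <!-- Site default: reject anonymous requests ("?").
         Authenticated users fall through to the inherited allow-all rule. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The login page must stay reachable before sign-in (assumed path). -->
  <location path="Account/Login">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role-restricted area (assumed path and role name).
       The allow entry comes first; the deny entry then rejects everyone else. -->
  <location path="Employee">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rules are evaluated top-down and the first match wins, so placing the deny entry before the allow entry would lock out the Administrator role as well. Because MVC routes can map more than one URL to the same action, path rules need to cover every route that reaches it.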
<configuration>
  <configSections>
    <section name="VGWebConfiguration" type="Novalys.VisualGuard.Security.WebForm.VGWebConfiguration" />
  </configSections>
  ...
  <VGWebConfiguration excludeExtension=".css,.png,.js,.gif,.jpg,.Gif">
    <ExcludePages>
      <add Url="^~/$" />
      <add Url="~/Account/Login" />
    </ExcludePages>
    <VGCookieConfig Domain=".vg.local" DomainScope="WebSSO" AutoRedirect="true" AuthenticationUrl="http://vg.local/webApp/Account/Login" />
  </VGWebConfiguration>
</configuration>
Web SSO lets a user who authenticates in any application under a parent domain (e.g. novalys.local) stay authenticated across its sub-domains (e.g. sales.novalys.local, marketing.novalys.local, etc.). To enable Web SSO, you must enable VGCookieConfig as shown above. The points below explain the possible scenarios.
Mixed Mode Authentication allows users to authenticate against a web application using either Windows authentication or Forms authentication. A user who runs the application from inside the organization can log in with Windows authentication, while users who connect to the same application externally can use Forms authentication. Visual Guard handles this within the same application: you configure web.config with the essential tags and pass an argument in the URI. To enable this feature, please refer to the points below:
Like the Membership API, Visual Guard has its own Membership library. To use the VG Membership features, you must declare VGMembershipProvider and VGRoleProvider in your web.config file.
<configuration>
  <system.web>
    ...
    <roleManager defaultProvider="VGRoleProvider" enabled="true">
      <providers>
        <add name="VGRoleProvider" type="Novalys.VisualGuard.Security.WebForm.VGRoleProvider, Novalys.VisualGuard.Security.WebForm" />
      </providers>
    </roleManager>
    <membership defaultProvider="VGMemberShipProvider">
      <providers>
        <add name="VGMemberShipProvider" type="Novalys.VisualGuard.Security.WebForm.VGMemberShipProvider, Novalys.VisualGuard.Security.WebForm" />
      </providers>
    </membership>
    ...
  </system.web>
</configuration>
The main class in Visual Guard is Novalys.VisualGuard.Security.VGSecurityManager. This class is the main access point for interacting with Visual Guard. It provides authentication and authorization features and allows you to set the security of your application objects.
You have 3 types of code to integrate Visual Guard in your code:
If you use Forms authentication mode, you must configure your web.config file as described in the previous chapter. You can also use your own controls or develop a custom form page.
The following example demonstrates how to authenticate a user. This code can be inserted in the LogOn[HttpPost] method of your Login Controller class:
[C#]
[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (!VGSecurityManager.Authenticate(model.UserName, model.Password, VGAuthenticationMode.VisualGuard).IsFailed)
        {
            VGFormsAuthentication.SignIn();
            // Only follow a return URL that is local to this application
            if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
    }
    return View(model);
}

public ActionResult LogOff()
{
    VGFormsAuthentication.SignOut();
    return RedirectToAction("Index", "Home");
}
[Visual Basic]
<HttpPost> _
Public Function LogOn(ByVal model As LogOnModel, ByVal returnUrl As String) As ActionResult
    If ModelState.IsValid Then
        If Not VGSecurityManager.Authenticate(model.UserName, model.Password, VGAuthenticationMode.VisualGuard).IsFailed Then
            VGFormsAuthentication.SignIn()
            ' Only follow a return URL that is local to this application.
            ' Visual Basic strings have no backslash escapes, so "/\" is the two-character prefix.
            If Url.IsLocalUrl(returnUrl) AndAlso returnUrl.Length > 1 AndAlso returnUrl.StartsWith("/") _
                AndAlso Not returnUrl.StartsWith("//") AndAlso Not returnUrl.StartsWith("/\") Then
                Return Redirect(returnUrl)
            Else
                Return RedirectToAction("Index", "Home")
            End If
        Else
            ModelState.AddModelError("", "The user name or password provided is incorrect.")
        End If
    End If
    Return View(model)
End Function

Public Function LogOff() As ActionResult
    VGFormsAuthentication.SignOut()
    Return RedirectToAction("Index", "Home")
End Function
If you want to understand how Visual Guard sets the security of your application objects, see How Visual Guard secures an application.
[Visual Basic]
Sub VGModule_PermissionLoading(ByVal sender As Object, ByVal e As VGPermissionsLoadingEventArgs)
    If e.Roles.Length > 1 Then
        ' Upper bound 0 declares a one-element array
        Dim selectedRoles(0) As Novalys.VisualGuard.Security.VGGrantedRole
        For Each role As Novalys.VisualGuard.Security.VGGrantedRole In e.Roles
            If role.Name = "Administrator" Then
                selectedRoles(0) = role
                Exit For
            ElseIf role.Name = "Member" Then
                selectedRoles(0) = role
                Exit For
            End If
        Next
        If selectedRoles(0) Is Nothing Then
            ' Neither role was granted: cancel the authorization process
            e.Status = Novalys.VisualGuard.Security.VGAuthorizationStatus.ProcessCanceled
        Else
            e.Roles = selectedRoles
        End If
    End If
End Sub
[C#]
void VGModule_PermissionLoading(object sender, VGPermissionsLoadingEventArgs e)
{
    if (e.Roles.Length > 1)
    {
        Novalys.VisualGuard.Security.VGGrantedRole[] selectedRoles = new Novalys.VisualGuard.Security.VGGrantedRole[1];
        foreach (Novalys.VisualGuard.Security.VGGrantedRole role in e.Roles)
        {
            if (role.Name == "Administrator")
            {
                selectedRoles[0] = role;
                break;
            }
            else if (role.Name == "Member")
            {
                selectedRoles[0] = role;
                break;
            }
        }
        if (selectedRoles[0] == null)
        {
            // Neither role was granted: cancel the authorization process
            e.Status = Novalys.VisualGuard.Security.VGAuthorizationStatus.ProcessCanceled;
        }
        else
        {
            e.Roles = selectedRoles;
        }
    }
}
[C#]
public class ProductController : Controller, VGISecurable
{
    public ProductController()
    {
        VGSecurityManager.SetSecurity(this);
    }
}
[Visual Basic]
Public Class ProductController
    Inherits Controller
    Implements VGISecurable

    Public Sub New()
        VGSecurityManager.SetSecurity(Me)
    End Sub
End Class
[C#]
@using Novalys.VisualGuard.Security.Web
@Html.VGActionLink(@"/Employees/Allow to edit and delete employee", "Edit", "Edit", "Edit", new { id = item.EmployeeID })
[Visual Basic]
@Imports Novalys.VisualGuard.Security.Web
@Html.VGActionLink("/Employees/Allow to edit and delete employee", "Edit", "Edit", "Edit", New With {.id = item.EmployeeID})
This method takes the full name of the permission as a parameter, together with the other parameters required to display the link text.
[C#]
@using Novalys.VisualGuard.Security.Web
@if (this.HasPermission("/Employees/Allow to administrate employees"))
{
@Html.ActionLink("Edit or create employee", "Index", "Employee", null, null)
}
else
{
@: Edit or create employee
}
[Visual Basic]
@Imports Novalys.VisualGuard.Security.Web
@If Me.HasPermission("/Employees/Allow to administrate employees") Then
    @Html.ActionLink("Edit or create employee", "Index", "Employee", Nothing, Nothing)
Else
    @: Edit or create employee
End If
[C#]
@using Novalys.VisualGuard.Security.Web
@if (this.IsInRole("FullTrust"))
{
    @Html.ActionLink("Edit or create employee", "Index", "Employee", null, null)
}
else
{
    @: Edit or create employee
}
[Visual Basic]
@Imports Novalys.VisualGuard.Security.Web
@If Me.IsInRole("Developer") Then
    @Html.ActionLink("Edit or create employee", "Index", "Employee", Nothing, Nothing)
Else
    @: Edit or create employee
End If
Visual Guard needs to have Read/Write permissions to access the repository. For example, for a file based repository you must grant "Modify" permission to the directory containing the repository for ASP.NET user accounts. For a repository stored in a database, the user used to access the Visual Guard repository database must be a member of "vg_BasicAccess" role.
In most cases, you must grant this permission to the "MACHINE\ASPNET" user account. If you use IIS 6.0 on Windows Server 2003, the user account is "NT Authority\Network Service". If you use impersonation, you must grant the permission to "MACHINE\IUSR_<MACHINE>" for Forms authentication mode and to "Domain\UserName" for Windows integrated authentication mode.
To change permission to a directory, you must: