Sunday, December 18, 2011

Security in ASP.NET MVC

Security is a major concern when developing web applications. Here we'll talk about security in ASP.NET MVC.

Some of the main concepts to understand when dealing with security are:
  • Authentication
  • Authorization
  • XSS
  • CSRF (Cross site request forgery)

Authentication

In ASP.NET there are two main authentication mechanisms:
  • Windows Authentication Provider
  • Forms Authentication Provider

Authorization 

Basically you can apply the AuthorizeAttribute filter to actions and controllers to achieve authorization in MVC. See how to create a custom AuthorizeAttribute.

Role based security

This is useful when you need to enforce policies where you have multiple users with different privileges. .NET Framework role-based security supports authorization by making information about the principal, which is constructed from an associated identity, available to the current thread.

What is a principal object?

A principal object represents the security context of the user. It includes the user's identity and the roles to which they belong. In .NET, IPrincipal defines the basic functionality of a principal object.
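As an added example (not code from the original post), the following hypothetical custom AuthorizeAttribute for ASP.NET MVC 3+ ties the two sections together: the authorization decision is made against the request's IPrincipal (HttpContext.User), and a user who is authenticated but lacks the role gets a 403 instead of the base class's redirect to the login page. The names RequireRoleAttribute and ReportsController are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (name is an assumption); derives from the built-in filter.
public class RequireRoleAttribute : AuthorizeAttribute
{
    private readonly string[] _allowedRoles;

    public RequireRoleAttribute(params string[] allowedRoles)
    {
        _allowedRoles = allowedRoles ?? new string[0];
    }

    // Called by MVC before the action runs. The IPrincipal on the request carries
    // the Identity (who the user is) and answers IsInRole (what they may do);
    // with Forms authentication the roles usually come from the RoleProvider.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;                       // unauthenticated: fail closed

        if (_allowedRoles.Length == 0) return true;   // no roles listed: any signed-in user
        foreach (var role in _allowedRoles)
            if (user.IsInRole(role)) return true;
        return false;
    }

    // The base class redirects to the login page in every failure case, which
    // sends an already signed-in user back to login. Distinguish the two cases.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403); // logged in, wrong role
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);            // not logged in: redirect
    }
}

// Usage: a controller-wide rule plus a stricter rule on one action.
[RequireRole("User", "Admin")]
public class ReportsController : Controller
{
    public ActionResult Index() { return View(); }

    [RequireRole("Admin")]
    public ActionResult Delete(int id) { return RedirectToAction("Index"); }
}
```

Because only AuthorizeCore and HandleUnauthorizedRequest are overridden, the base OnAuthorization still marks the response as non-cacheable, so an authorized page is not served from the output cache to a different user.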

Resources

Principal and Identity objects (MSDN)
Key security concepts (MSDN)
Custom IIdentity or IPrincipal (SO)
http://nipunasilva.blogspot.com/2012/07/filters-in-aspnet-mvc.html
http://www.codeproject.com/Articles/654846/Security-In-ASP-NET-MVC 
