MVC 4 Security options

With the new ASP.NET 4.5 release, together with MVC 4, we have some new choices regarding security when building websites. In this post we’ll have a look at some of the choices.

Internet or Intranet site template for ADFS/ACS site

When creating a new (MVC) project, we have the choice of several project templates: internet, intranet, webapi, mobile, basic or empty. But which one do I need to choose for an “extranet” site (using ADFS or ACS)?

It turns out the best choice is the intranet template. With this template we can add the Federated Identity information through a new Visual Studio extension: “Identity and Access Tool”.

With this extension, we can create the ACS namespaces from within Visual Studio. No more need to go to the old Azure Portal! If we started with the “internet template” instead, we would need to remove a lot of the plumbing (AccountController, views, etc.).

New SimpleMembership provider

There is a new SimpleMembership provider for ASP.NET, which helps with the Membership and the Roles in our web applications. The main advantage is that we can use our own tables for Users and UserProfiles instead of the default ones generated.

Unfortunately, this new provider is used in .NET 4.5 (and in Web Pages 4.5) but not in MVC 4. The MVC 4 template uses a WebMatrix helper to accomplish the same.

Read these articles for more information:

http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx

http://blog.osbornm.com/archive/2010/07/21/using-simplemembership-with-asp.net-webpages.aspx

Identity in the internet template

In the internet template, a lot of the plumbing for the SimpleMembership is already done for us. We have an AccountController and all the Views and Models we need.

However, only the AccountController initializes Membership, using the [InitializeSimpleMembership] attribute. If you access the membership data from another controller, you’ll get an error stating that WebSecurity.InitializeDatabaseConnection() should be called first.
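The failure described above and one way to avoid it, as an added example (not code from the original post): a hypothetical ProfileController reads membership data, and Application_Start initializes SimpleMembership once for every controller; the connection-string name and table/column names are the MVC 4 template's defaults, assumed here.

```csharp
using System.Web;
using System.Web.Mvc;
using WebMatrix.WebData;

// Hypothetical controller (not the template's AccountController) that touches membership data.
public class ProfileController : Controller
{
    public ActionResult Index()
    {
        // Without prior initialization, this call throws an InvalidOperationException
        // telling you to call WebSecurity.InitializeDatabaseConnection first,
        // because only AccountController carries [InitializeSimpleMembership].
        int userId = WebSecurity.GetUserId(User.Identity.Name);
        return Content("User id: " + userId);
    }
}

// Global.asax.cs: initialize once at startup so every controller can use WebSecurity.
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // WebSecurity.Initialized guards against a second call (the attribute on
        // AccountController may still run its own initializer).
        if (!WebSecurity.Initialized)
        {
            // Assumed defaults from the MVC 4 internet template:
            // connection string "DefaultConnection", table "UserProfile",
            // id column "UserId", name column "UserName".
            WebSecurity.InitializeDatabaseConnection(
                "DefaultConnection", "UserProfile", "UserId", "UserName",
                autoCreateTables: true);
        }

        // AreaRegistration, filters, bundles and routes follow as in the template.
    }
}
```

Initializing in Application_Start means the membership tables are created (or opened) at startup rather than on first visit to an AccountController action, so a misconfigured connection string surfaces immediately instead of on the first login attempt.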

There are several solutions to this: