Wednesday, December 9, 2009

Implementing Custom Security in ASP.NET MVC framework

Securing a web site and web page is the most critical task a developer has to accomplish and get it right. In ASP.NET MVC, we are presented with membership and role providers to achieve the security. We can also use authorization attributes and write our own to lock down controller actions.

Security can be broken down to two aspects. First one is authentication, which is validating you are who you say you are. This is typically done through a username and password against a common repository. Second one is authorization, which is you, as an authenticated user, are allowed/denied certain actions on a given website/webpage.

ASP.NET MVC framework allows custom membership (authentication piece) and role (authorization piece) providers. Although this is fine for most applications, creating/editing roles can require a recompile of the whole application and redeployment. To get around this, you can create another layer, let's call, Context (or Features) if you will, and associate each role with multiple features.

I have done a sample application, and published the CodePlex. You can find the link here

Let me know if/when you check it out and what you think about it. Thanks for reading and happy coding!



  1. Hi,thanks for the PragmaticMVC,i have downloaded it and test the code,but when i try to run the registration,it give me error,this is the error.Thanks

  2. Hi Yonghan,

    Thanks for checking it out. Things may have changed a little bit since I wrote this application. This was probably done in MVC 1.1, now we are in MVC-4.
    But from what I gathered in your code, you have not initialized an object, quite possibly the roles or the user. Can you verify you have a list of roles and the HttpContext.Current.User has value? Let me know.

    Good luck!

  3. This comment has been removed by the author.

  4. Hi Baskin,i opened your application in vs web express 2010 sp1.There are values in HtppContext.Current.User,here are the screenshots :


  5. And after i continue the breakpoint it gives this :

    And i didn't change your code,just the way it was. :)

    Thanks a lot.