Group items tagged

"Recently, I've been exploring the new ASP.NET Web API. So far, I've been impressed with how easy it is to build RESTful web interfaces. In the examples I've published, none have been secure. In the real world - the world that exists beyond the world of samples and demos - security is a matter than cannot be brushed aside. In this post, I squarely tackle that issue by showing you an approach that locks down and secures your ASP.NET Web API."

"You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to use a base class with an [Authorize] attribute, and then have each controller type subclass that base type. "

"ASP.NET MVC 3 introduced global filters, which allows you to add the AuthorizeAttribute filter to the global.asax file to protect every action method of every controller. (In MVC versions prior to MVC 3, it was difficult to enforce the AuthorizeAttribute attribute be applied to all methods except login/register. See my previous blog on security for details.) The code below shows how to add the AuthorizeAttribute filter globally."

"Many people on the forums want to know how to best protect Actions on their Controller using Forms Authentication. The MVC Team has done a nice job introducing Filters (using Attributes) to this latest drop of MVC, and in this post I'll show you how to create a filter that can handle security."

" Naked Objects takes a domain object model, written as POCOs but following a few very simple conventions, and dynamically creates one or more complete user interfaces for it, using reflection (not 'code generation' or 'scaffolding'). It is highly effective in support of Domain-Driven Design, OO Modelling, and/or Agile Development. Naked Objects MVC builds upon the core framework to create a complete web-based user interface, using ASP.NET MVC 3. The generic user interface may be customised via the .CSS, by adding custom views, or custom controllers, as needed. Entity Framework is used to persist objects on a database. Security may be handled simply via Forms Authentication and attribute-based authorisation, or more comprehensively via Microsoft WIF and an STS. "

"jQuery's $(document).ready() event is something that you probably learned about in your earliest exposure to jQuery and then rarely thought about again. The way it abstracts away DOM timing issues is like a warm security blanket for code running in a variety of cold, harsh browser windows."

"Crazy random logo of evocative clipart combining the .NET Logo and some universal powerplugs into an unofficial logoI always like to remind folks of the equation ASP.NET > (ASP.NET MVC + ASP.NET WebForms). The whole "base of the pyramid" of ASP.NET has lots of things you can use in you applications. Some of these useful bits are Session State, Membership (Users), Roles, Profile data and the provider model that underlies it. Using these isn't for everyone but they are very useful for most applications, even ones as large as the ASP.NET site itself."

"Many Web applications require a way to restrict access to some resources (such as specific pages) so that those resources are accessible only to authenticated users. The default Web application project template for ASP.NET MVC provides a controller, data models, and views that you can use to add ASP.NET forms authentication to your application. The built-in functionality lets users register, log on and off, and change their password. For many applications, this functionality provides a sufficient level of user authentication."

"The Microsoft Web Protection Library (WPL) is a set of .NET assemblies which will help you protect your web sites, current, future and past. The WPL includes "

"A little while ago I wrote a blog post describing granular request validation that shipped in MVC 3 Beta. However, since then we have changed the API for this feature and that post is no longer valid. In this post I will present the new API which is usable in the recently-shipped MVC 3 Release Candidate."

"A new ASP.NET MVC project includes preconfigured Membership, Profile and RoleManager providers right out of the box. Try it yourself - create a ASP.NET MVC application, crack open the web.config file and have a look. "