CRV2 AuthorizationWeaknesses

Revision as of 04:54, 1 August 2013 by EoinKeary (Talk | contribs)


Authorisation in .NET MVC 4

Filters are the recommended way to implement authorisation in .NET MVC 4. MVC 3 introduced a method in global.asax called RegisterGlobalFilters. This can be used to DEFAULT DENY access to URLs in the application.

   public static void RegisterGlobalFilters(GlobalFilterCollection filters)
   {
       filters.Add(new HandleErrorAttribute());
       // Global AuthorizeAttribute: every action requires an authenticated user unless it opts out
       filters.Add(new System.Web.Mvc.AuthorizeAttribute());
   }

It is recommended when reviewing MVC3/4 .NET code to look at how authorisation is being implemented. The line above, filters.Add(new System.Web.Mvc.AuthorizeAttribute());, denies access by default to any request without a valid session. If this is implemented we may need to provide anonymous access to certain pages such as a registration page, public welcome page or a login page. How do we do this?

AllowAnonymous is used to provide access to public pages with no valid session required. The code may look like this:

   [AllowAnonymous]  // opts this single action out of the global AuthorizeAttribute
   public ActionResult LogMeIn(string returnUrl) { return View(); }

One must be careful that the pages which have AllowAnonymous enabled are actually designed for public consumption.
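The following is an added example, not code from the OWASP page: it wires up the global default deny described above, shows both an action-level and a class-level [AllowAnonymous], and adds a hypothetical reflection helper (AnonymousActionAudit, my own name) that a reviewer can run to list every action still reachable without a session. All controller and action names are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Constructed sample of the MVC 4 wiring the page describes.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute()); // default deny for every action
    }
}
public class AccountController : Controller
{
    [AllowAnonymous]                                    // intended public page
    public ActionResult LogMeIn(string returnUrl) { return View(); }
    public ActionResult Profile() { return View(); }    // covered by the global filter
}
[AllowAnonymous] // class-level opt-out: EVERY action in this controller becomes public
public class ReportsController : Controller
{
    public ActionResult Export() { return View(); }     // reachable without a session
}
// Hypothetical review helper (not from the OWASP page): list actions reachable anonymously.
public static class AnonymousActionAudit
{
    public static string[] ListAnonymousActions(Assembly asm)
    {
        return asm.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
                // AllowAnonymous counts whether it sits on the action or on its controller
                .Where(m => m.IsDefined(typeof(AllowAnonymousAttribute), true)
                         || t.IsDefined(typeof(AllowAnonymousAttribute), true))
                .Select(m => t.Name + "." + m.Name))
            .OrderBy(s => s).ToArray();
    }
    public static void Main()
    {
        var filters = new GlobalFilterCollection();
        FilterConfig.RegisterGlobalFilters(filters);
        // If this prints False, nothing below is "anonymous": every action is already open.
        Console.WriteLine("Default deny in place: " + filters.Any(f => f.Instance is AuthorizeAttribute));
        foreach (var a in ListAnonymousActions(typeof(AccountController).Assembly))
            Console.WriteLine("Anonymous: " + a);
    }
}
```

Each line the helper prints is a page the reviewer must confirm was designed for public consumption; a class-level [AllowAnonymous] such as the one on ReportsController is the case most often missed.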