1

If you were planning and preparing for a big ASP.NET MVC project, how would you approach it to design and build a comprehensive, extensible and maintainable security solution that requires

  • users,
  • roles,
  • controller-level and action-level security,
  • item-level security (applying users or roles to items),
  • security trimming (hiding some menu options based on the above settings).

If you were to estimate the time and effort to produce this and would have to issue a quote to the client, what would it be? You don't have to give a number in money, only billable hours.

2
  • Read this book: amazon.com/Beginning-ASP-NET-Security-Wrox-Programmer/dp/…. Commented Dec 13, 2010 at 13:08
  • This question requires an in-depth analysis and good design upfront, which I don't think I will get if I read this book because, as it seems, it is a general, all-around overview of security-related questions. And it also lacks MVC aspects of security. Commented Dec 13, 2010 at 14:16

1 Answer

3

You don't have to give a number in money, only billable hours.

You want someone to do your work for free? Come on...

Authorization

Anyway, I would use Code Access Security and impersonation to implement security in all my services. Check the PrincipalPermission attribute.

Controller/Action level

As for MVC, simply use the Authorize attribute to provide authorization. Derive it to provide more fine-grained control.

Security trimming

if (System.Threading.Thread.CurrentPrincipal.IsInRole("Administrator"))
{
   // show menu item
}

Item level

Not possible with default MVC implementation. You need to do a manual check in your actions.

if (!System.Threading.Thread.CurrentPrincipal.IsInRole(item.RequiredRole))
  return View("AccessDenied", null); // return the access-denied view

Authentication

I don't know what kind of users you've got. Are all registered in an AD domain? Then use Windows Authentication to authenticate your users. It's just an IIS setting.
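
The security-trimming and item-level checks from the answer above, combined in an added example that is not part of the original answer: one decision function feeds both the menu filter and the enforcement check, so hiding an entry and denying access to it cannot drift apart. `MenuItem`, `ItemSecurity` and the sample user are hypothetical names; only `IsInRole` and `RequiredRole` come from the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical item type; RequiredRole mirrors the answer's item.RequiredRole.
public sealed class MenuItem
{
    public string Title { get; set; }
    public string RequiredRole { get; set; } // null or empty: any signed-in user
}

public static class ItemSecurity
{
    // Single decision point shared by trimming and enforcement. Denies by default.
    public static bool CanAccess(IPrincipal user, MenuItem item)
    {
        if (item == null || user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return string.IsNullOrEmpty(item.RequiredRole) || user.IsInRole(item.RequiredRole);
    }

    // Security trimming: hides entries the user cannot open (display only).
    public static List<MenuItem> Trim(IPrincipal user, IEnumerable<MenuItem> items) =>
        items.Where(i => CanAccess(user, i)).ToList();

    // Item-level enforcement: what an action calls before using the item.
    public static void Demand(IPrincipal user, MenuItem item)
    {
        if (!CanAccess(user, item))
            throw new UnauthorizedAccessException("Access denied to item.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data: one open item, one role-restricted item.
        var items = new[] {
            new MenuItem { Title = "Home" },
            new MenuItem { Title = "User admin", RequiredRole = "Administrator" } };
        IPrincipal editor = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Editor" });

        Console.WriteLine(string.Join(", ", ItemSecurity.Trim(editor, items).Select(i => i.Title)));
        try { ItemSecurity.Demand(editor, items[1]); }
        catch (UnauthorizedAccessException) { Console.WriteLine("denied: " + items[1].Title); }
    }
}
```

In an MVC action, the `Demand` call would be replaced by the answer's `return View("AccessDenied", null)` when `CanAccess` returns false.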
