views: 95

answers: 6

Hey all. I have an ASP.NET MVC application that I am going to be deploying to a live server soon. Theoretically, I would like to password protect the application while I'm beta testing without modifying the underlying code base or membership within the application. I will have several people beta testing, so it is compulsory that it is available on the web. A simple scenario:

  1. User navigates to the application under beta
  2. Perhaps an HttpHandler will process the request and redirect them to an interstitial, temporary login page where they have to enter a beta password to access the application

Stack Overflow used a similar technique when they were under beta test. Any ideas?

An edit for clarification. I don't have access to IIS for this particular application because I'm using a managed host.

+1  A: 

A couple ideas:

  1. Use Windows authentication for the whole application/site in IIS
  2. The idea you mentioned is also a good approach IMO, implementation would probably be flexible in that case.
dhulk
I agree on just letting IIS handle it. Just a couple of clicks and then you don't spend any time building something you'll have to undo later.
Ryan Farley
Sorry, I neglected to mention that I can't access IIS because I'm using a managed solution.
A: 

When you create a new ASP.NET MVC project in Visual Studio, you automatically get an AccountController that uses ASP.NET's underlying MembershipProvider to provide a login mechanism.

Even if you don't have it in your final application, you can use it as a temporary solution until you get your real security mechanism up and running.

It requires you to set up a SQL Server database for those ASP.NET services, but depending on how familiar you are with that, you can do it within ten minutes to a couple of hours.

When the public beta is over, you can just discard the AccountController and the database.

Mark Seemann
A: 

I'm with dhulk -- use Windows Authentication on IIS. That route will allow you to avoid putting any authentication code in your application. Simpler is better, and I'd want to avoid doing the work to implement a membership system then to un-implement it.

Josh
A: 

I would create a simple login View which sets a Session that gets checked on Session_Start() in your Global.asax file... Like so:

    protected void Session_Start()
    {
        if (!Convert.ToBoolean(Session["authenticated"]))
        {
            // Redirect to the login View
        }
    }

When you are ready to open up your application for everyone, just remove the View and the three lines of code in your Global.asax file.

roosteronacid
Well, I thought about that, but unfortunately, Session State is not available in the Application_Start event.
How about using `Session_Start()` then?
roosteronacid
Just checked. You are able to access the Session object on `Session_Start()`. There ya go :)
roosteronacid
A: 

You could wire up a quick custom AuthorizeAttribute that checks for a custom Auth cookie. Just decorate your controllers with it under beta and delete them when you're ready to go.

Something like this (PS - Did this on the fly without testing):

    public class BetaTestAuthorize : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            //if(cookie checks out ok)
                //return true;
            //else
                //httpContext.Response.Redirect("BetaLoginPage");

            return base.AuthorizeCore(httpContext);
        }
    }

Have an action method like so:

        [AcceptVerbs(HttpVerbs.Post)]
        public ActionResult BetaLogin(string username, string password)
        {
            if(username == "whatever" && password == "whatever")
            {
                 //create custom cookie
                 return RedirectToAction("Index", "Home");
            }
            else
                return View();
        }
DM
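
The cookie check sketched in the answer above, filled in as an added example (not part of the original post or thread): the beta cookie carries an expiry and an HMAC so it cannot be forged or extended by editing it in the browser. The cookie name `BetaAuth`, the appSettings key `BetaCookieKey` and the `~/Home/BetaLogin` URL are assumptions, and `HandleUnauthorizedRequest` assumes ASP.NET MVC 2 or later.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
// Assumed names (not from the thread): cookie "BetaAuth", appSettings key
// "BetaCookieKey" (a long random secret), login page at ~/Home/BetaLogin.
public static class BetaCookie
{
    public const string Name = "BetaAuth";
    static string Sign(string payload)
    {
        byte[] key = Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["BetaCookieKey"]);
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Call from the BetaLogin POST action once the beta password checks out.
    public static HttpCookie Issue(DateTime expiresUtc)
    {
        string payload = expiresUtc.Ticks.ToString();
        return new HttpCookie(Name, payload + "." + Sign(payload))
            { HttpOnly = true, Secure = true, Expires = expiresUtc };
    }
    public static bool IsValid(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        string[] parts = cookie.Value.Split('.');
        long ticks;
        if (parts.Length != 2 || !long.TryParse(parts[0], out ticks)) return false;
        string expected = Sign(parts[0]);
        int diff = expected.Length ^ parts[1].Length;   // compare without early exit
        for (int i = 0; i < expected.Length && i < parts[1].Length; i++)
            diff |= expected[i] ^ parts[1][i];
        return diff == 0 && ticks > DateTime.UtcNow.Ticks;
    }
}

public class BetaTestAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return BetaCookie.IsValid(httpContext.Request.Cookies[BetaCookie.Name]);
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("~/Home/BetaLogin");
    }
}
```

The login action itself must not carry `[BetaTestAuthorize]`, otherwise the redirect loops; on success it would call `Response.Cookies.Add(BetaCookie.Issue(DateTime.UtcNow.AddDays(7)))`.
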
A: 
  1. Use the good old RoleProvider and create a Beta role and check it via Authorize
  2. Create your own AuthorizeAttribute and check for the IP address or a cookie.
Parsa