tags:

views:

86

answers:

4
Q: 

Asp.net MVC Secure Area

I'm just strating a new project in MVC and I need to have a backend that has restricted access.

I was going to set up a group in Active Directory for users who have access rights and use the Authorize atribute on the backend controller to restrict access. I will also enable Windows authentication.

I was just wondering if that would be secure enough for an external facing website for a small to Medium site?

Thanks

Jemes

A: 

I see no reason why not using the built in providers.

Not sure what else to say :)

Pino  2010-01-27 11:01:08
Thanks for your reply.What do you mean by built in providers?
Jemes  2010-01-27 11:09:52
Sorry for delay, Like you've said in your post. Authorize tag, Membership and Role Providers.
Pino  2010-01-28 13:48:43
A: 

It should be ok, but but do remember MVC supports RESTful url's do go through this link

http://www.infoq.com/articles/roa-resource-metadata to avoid pages not being accessed by other user's as getting uri is easier in REST.

Ravia  2010-01-27 11:01:46
A: 

I know this is pointing out the obvious but depending on the sensitivity of the data you might want to look at running the protected parts of your site under SSL?

Additionally depending on your specific needs you might want to look at using IIS to lock down the folder(s) to a set IP address range?

Kane  2010-01-27 11:04:55
The backend is only being used to add/update certain content on the site. I'm not sure about locking down to IP Address as users will need to be able to update the site from different machines and locations.What would be the benifits of using SSL?
Jemes  2010-01-27 11:25:46
SSL is a common cryptographic protocol which provides security for web applications. http://en.wikipedia.org/wiki/Transport_Layer_Security
Kane  2010-01-27 11:29:17
A: 

I assuming that if I did follow the security steps above, a user could still access my views in the backend if they guess the url. Does the Authorize atribute work on Views?

Jemes  2010-01-27 15:55:31
Please edit your own question rather than post an answer to it. Thanks!
Dan Atkinson  2010-01-27 15:58:14
[Authorize] doesn't work on views, but there's a ~\Views\Web.config file that prevents *all* direct access to the Views\ folder and its subdirectories. This file is included in the MVC project template.
Levi  2010-01-27 19:45:48

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data