tags:

views:

83

answers:

2
+1  Q: 

Securing a mvc view so only the server can access it

I'm building a .Net MVC app, where I'm using one particular view to generate an internal report. I don't want the users of the site to gain access to this page at all.

I've a console app that fires every so often which will scrape some of the details from this page by hitting it's URL.

I don't like the idea of having the URL hanging out there but I'm not sure of another way to go about it.

Thoughts on what might be the best practice way for tackling this?

Edit:

Here's what I ended up doing, created a new WCF Service project in the solution. I also copied basically what was the MVC view page into a new standard web forms page in this project. On top of adding security via the regular .net Authentication methods (eg set only valid windows users can access the page), I can also lock down the vhost to only be accessed by certain IP's.

A: 

If the view never needs to be rendered at all except to provide data for the console app, then why not have the console app simply connect to your database to get the data directly instead of going through the web app? You could still do this for the console app even if the view does need to be available for some users, then control access to the view using the Authorization attribute, which could suitably restricted now that an external app need not have access to it.

tvanfosson  2009-03-16 12:00:24
Well that's just it. The rendered output *is* the data the console app needs. I'm using a view to generate pretty html which the console app consumes.
DaRKoN_  2009-03-16 12:08:09
You indicate that you're "scap[ing] some details from [the] page" -- so just provide the details out of the database. Push the generation of whatever details you need back to the BL or DAL and consume them both from your controller and console app. Console apps shouldn't need" pretty HTML.
tvanfosson  2009-03-16 13:40:44
The console app uses the HTML to generate reports. I'm using the view to 'draw' the report.
DaRKoN_  2009-03-16 23:10:01
+2  A: 

The best practice would be to expose a wcf service for this, and set up a security model that is different than website.

If you must use MVC the best approach use forms authentication with mvc and set 

[Authorize(Roles = "SecureUser")]

On the View.

Claus Thomsen  2009-03-16 12:08:42

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data