When developing a web app (ASP.NET/MVC) when do you add your security?

Question

When developing a web app, in my case a ASP.NET MVC app, but this question isn't platform specific, when you do you add the infrastructure for membership, roles and authentication?

I've actually done it both ways.... 1. Start developing the app with membership/roles/authentication being one of the first milestones and 2. Wait until most of the major functionality and requirements are implemented then add in the membership/roles/authentication infrastructure.

Is there a best practices for this or it is personal preference?

Answer 1

I'm not very familiar with ASP.NET but every time that I develop an web application security is almost the first thing that I code, otherwise you might miss something in further development; either because you forgot about it or more probably because something has changed during development.

Answer 2

I mix it up depending on what I'm working on.

ASP.Net allows you to abstract security components so much that I find it's really easy to implement them after the fact. Sometimes it's as simple as having your pages inherit from a custom page class. (Or in the case of MVC a custom controller class)

Though, I have found it's a lot easier to debug core functionality when I don't have to worry about the security measures getting in the way.

Answer 3

Security is part of the up-front application design. You cannot add it on later except in the most trivial cases.

Example: HR Application. The compensation manager can edit compensation, the recruiter can only view it. If you don't know about this distinction up-front, you will not build it into your user interface, and you will be in trouble. Yes, security in ASP.net is largely configurable, but the structure/granularity must be in place in the application.

Answer 4

To quote from "Professional ASP.NET MVC 1.0" (which I happen to be working through),

The default Visual Studio project template for ASP.NET MVC automatically enables forms authentication when new ASP.NET MVC applications are created. It also automatically adds a pre-built account login implementation to the project – which makes it really easy to integrate security within a site.

At least for the tutorial, it mostly just happens, and any explicit references seem to fall in nicely toward the end - but there isn't much. It's the same level of simplicity as PHP sessions if you use it as intended.