ansaurus

Question

Handling mvc security...override membership provider, action filter, or something else? Not sure how to handle this.

Answer 1

+3 A:

As far as I know you should be able to do what you are talking about without too much fuss...

Because ASP.Net MVC is built on top of ASP.Net you should be able to take advantage of ASP.Net's ability to put in your own custom membership provider as you described. Once created, to get ASP.Net MVC to use this provider all you should have to do is register your provider in the web.config and simply add the existing Authorize attribute to what ever controllers you want to lock down.

This existing Authorise attribute isn't tied to a given provider it just looks to see which provider is current and in your case your custom provider will be the current on.

You said that you have read articles on creating custom providers so I wont go into detail there and you shouldn't have to create a custom attribute/filter (which an ActionFilter is an attribute but an attribute isn't always an ActionFilter - ActionFilter's are an MVC concept, attributes are a .Net concept - hope that helps).

So it looks like you should have everything you need to implement.

Let me know if you need more.

UPDATE:

I would have it a guess that the following is what is wrong with css - I have just gone through a very similar problem... In short I think MVC is trying to authenticate the getting of the CSS file and becasue you are not logged in yet, its not letting you download the CSS.

The way to verify this is by doing something similar to the following (note the code goes in the global.asax):

    public void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var shouldAuthenticate = true;

        if (Request.Path.Contains("/Error") || Request.Path.Contains(".css") || Request.Path.Contains(".jpg") ||
            Request.Path.Contains(".png") || Request.Path.Contains(".js") || Request.Path.Contains(".gif") || Request.Path.Contains("/asset.axd?id=")) 
            shouldAuthenticate = false;

        ...
    }

When you debug your app, try putting a break point in here and see how many times it gets called per load of the login page and what the "Request.Path" is for each... If you see that it is trying to authenticate these assets then at is your problem.

anthonyv 2010-02-22 20:37:15

Thanks for your input. It's really appreciated. I'm going the custom membership route and I think I have everything in place, but when I start my site, it says it can't find the default login view, but it's clearly in my directory structure. I know there could be a hundred reasons for this, but wondered if you knew of something I should look for. I can post code + web.config if necessary.

Jason 2010-02-24 14:23:57

Jason 2010-02-24 18:33:15

That is the issue precisely. How do I tell my application not to authenticate these assets? My Site.css file is in the Content folder just under the root directory.

Jason 2010-02-24 21:26:51

See edited question. Have to put response there so I can show formatted code.

Jason 2010-02-24 22:21:55

Updated again. See above.

Jason 2010-02-25 17:34:22

ansaurus

tags:

views:

answers:

Handling mvc security...override membership provider, action filter, or something else? Not sure how to handle this.

related questions