
MVC 3 and Azure ACS–Protect parts of the site

If you have worked with ADFS 2.0 or other claims-based security models, Azure's Access Control Service (ACS) should not seem all that new to you. It is basically Azure's hosted Security Token Service (STS).

Recently I have been building an MVC 3 application and did not want my application to be forms protected. My personal opinion is that no one wants to create one-off logins on the web anymore. To solve this I decided to use MVC 3 with ACS. Adding ACS to your MVC 3 project is not very hard and is explained in a few blogs on the net (here is a good one). You basically just use Visual Studio's "Add STS" functionality like you would for any other STS.

When you add the STS to your project it updates your web.config with the information it needs for federation to work. By default it protects your entire website, which means you cannot even hit the login page without signing in. But what if I want unauthenticated people to read parts of my website, like the homepage? That is what I had to figure out. In the end it is pretty simple, but given my newness to MVC and my experience using ADFS to protect WCF services, I went down the wrong direction for a while.

FedUtil (the STS wizard) updates your web.config with the following information:

<!-- Leave the federation metadata endpoint open so the STS can read it -->
<location path="FederationMetadata">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<system.web>
  <!-- Deny every unauthenticated user; not inside a location node, so it applies site-wide -->
  <authorization>
    <deny users="?" />
  </authorization>
  <!-- remaining <system.web> settings unchanged -->
</system.web>

This does two things. 1) It tells the website not to protect the path to the FederationMetadata. This allows the STS to get the information it needs. 2) It tells the site to deny access to all unauthenticated users (<deny users="?" />). Since that node is not inside a location node, the directive applies to the entire site, minus anything covered by a location node.

Now if you want to unprotect certain areas of your site you might think you can just add some more location nodes. That will send you down the wrong path with MVC. With a standard ASP.NET or WCF app this could work, but in MVC requests are routed to controller actions rather than to files on disk, so path-based location rules do not line up well with what you are actually trying to protect. In MVC 3 authorization is handled via the Authorize attribute applied to action methods or to the controller class. To make sure you don't open security holes, this is where you want to keep that control. If you add this attribute to a controller action and the authorization check fails, the request falls into the Windows Identity Foundation (WIF) pipeline. The user will then be pushed to authenticate, IF you change your config file a little.

Since FedUtil set up your web.config to protect your entire site, the site-wide authorization rule kicks in before any controller action is reached. So we need to change our web.config so it is not protecting anything. Update your web.config so it looks like the following:

<location path="FederationMetadata">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<system.web>
  <!-- the <authorization> deny block is gone; nothing is protected by configuration -->
  <!-- remaining <system.web> settings unchanged -->
</system.web>

All we did was remove the authorization deny node from the web.config. This opens up your entire site, so nothing is protected by ACS at the configuration level. To start locking down your site you need to go into each of your controllers and start applying the Authorize attribute. For each action that has this attribute, the site will fail over to your ACS (via the WIF pipeline) and request the user to log in (unless of course they are already logged in).

Here is what a HomeController might look like:

public class HomeController : Controller
{
    // No attribute: anonymous users can reach the home page.
    public ActionResult Index()
    {
        ViewBag.Message = "Welcome to MVC 3!!";

        return View();
    }

    // Authorize: unauthenticated requests are handed to WIF, which redirects to ACS.
    [Authorize]
    public ActionResult About()
    {
        return View();
    }
}

Notice how the About method has the Authorize attribute. Now when this action is called (in the standard MVC 3 default template this happens when you click the About link in the navigation) the user will be directed to log in if they have not already.

You can also apply the attribute to the entire controller if everything in it should be protected.
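Here is an added example (not from the original post) of a controller protected at the class level, with one action narrowed further by role and one that lists the claims ACS issued. It assumes WIF 1.0 (the Microsoft.IdentityModel namespaces used with MVC 3); the controller, view and role names are made up for illustration, and the role check only passes if your ACS rule group actually emits a role claim.

```csharp
// Added example, not the post's code. Assumes WIF 1.0 (Microsoft.IdentityModel)
// as used with MVC 3 and ACS. AccountController, its views and the
// "Administrator" role are illustrative names, not from the post.
using System.Linq;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;

[Authorize] // class-level: every action below requires a federated sign-in
public class AccountController : Controller
{
    // Any signed-in user reaches this action.
    public ActionResult Index()
    {
        return View();
    }

    // WIF's ClaimsPrincipal.IsInRole evaluates the incoming role claims
    // (http://schemas.microsoft.com/ws/2008/06/identity/claims/role), so this
    // only succeeds when ACS issues a role claim of "Administrator" for the user.
    [Authorize(Roles = "Administrator")]
    public ActionResult Admin()
    {
        return View();
    }

    // Lists the claims in the token ACS issued for the current user; handy when
    // checking what your rule group actually passes through.
    public ActionResult Claims()
    {
        var identity = User.Identity as IClaimsIdentity;
        var claims = identity == null
            ? Enumerable.Empty<string>()
            : identity.Claims.Select(c => c.ClaimType + " = " + c.Value);
        ViewBag.Claims = claims.ToList();
        return View();
    }
}
```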
