Skip to main content

Securing Controller Actions in ASP.NET MVC for Multi-Tenant Applications

One of the cool things about using the MVC Framework is that you get clean RESTful urls e.g.

/Product/Edit/1

This is all well and good but when developing a multi-tenant application which uses a Shared datastore it is extremely important that your controller actions are secure in the sense that the Urls can’t be tampered with.

Believe it or not but this level of security is often neglected in a lot of projects or is at the least an afterthought.

You could implement in every controller action something like below:

        public ActionResult Edit(int id)
        {
            if (!catalogService.HasAccessToProduct(UserContext.UserId, id))
            {
                HttpContext.Response.Status = "401 Unauthorized";
                HttpContext.Response.StatusCode = 401;
                Response.End();
            }

            var product = catalogService.GetProductById(id);

            ViewData.Model = product; 

            return View();
        }

However this is very repetitive, likely to be forgotten and prone to logic errors.

With the flexibility of the MVC Framework you have the ability to create your own Action Filters. Here is an example of an Action Filter that inherits from the Authorize Attribute.

public class ProductAuthorizeAttribute : AuthorizeAttribute
   {
       private string routeDataKey = "id";

       public string RouteDataKey
       {
           get { return routeDataKey; }
           set { routeDataKey = value; }
       }

       public override void OnAuthorization(AuthorizationContext filterContext)
       {
           var userContext = UserIdentity.GetCurrent() as IUserContext;
           var productId = 0;

           if (!filterContext.RouteData.Values.ContainsKey(RouteDataKey))
           {
               throw new ApplicationException("RouteDataKey " + RouteDataKey +
                                              " does not exist in the current RouteData");
           }

           int.TryParse(filterContext.RouteData.Values[RouteDataKey].ToString(), out productId);

           if (productId > 0)
           {
               CheckAccess(productId, filterContext, userContext);
           }
       }

       private static void CheckAccess(int productId, 
           AuthorizationContext context, 
           IUserContext userContext)
       {
           var entityPermissionService = ServiceLocator.Resolve<IEntityPermissionService>();

           var hasAccess = entityPermissionService.HasAccessToProduct(userContext.UserId, productId);

           if (hasAccess) return;

           context.HttpContext.Response.Status = "401 Unauthorized";
           context.HttpContext.Response.StatusCode = 401;
           context.HttpContext.Response.End();
       }
   }

 

Then your Controller action looks like this. Much cleaner. 

        [ProductAuthorizeAttribute(RouteDataKey="id")]
        public ActionResult Edit(int id)
        {
            var product = catalogService.GetProductById(id);

            ViewData.Model = product; 

            return View();
        }

The great thing about this approach is that you can implement this at any time without changing any code other than adding the Attribute to the relevant Controller Actions.

Comments

Popular posts from this blog

Freeing Disk Space on C:\ Windows Server 2008

I just spent the last little while trying to clear space on our servers in order to install .NET 4.5. Decided to post so my future self can find the information when I next have to do this. I performed all the usual tasks: Deleting any files/folders from C:\windows\temp and C:\Users\%UserName%\AppData\Local\TempDelete all EventViewer logs Save to another Disk if you want to keep themRemove any unused programs, e.g. FirefoxRemove anything in C:\inetpub\logsRemove any file/folders C:\Windows\System32\LogFilesRemove any file/folders from C:\Users\%UserName%\DownloadsRemove any file/folders able to be removed from C:\Users\%UserName%\DesktopRemove any file/folders able to be removed from C:\Users\%UserName%\My DocumentsStop Windows Update service and remove all files/folders from C:\Windows\SoftwareDistributionDeleting an Event Logs Run COMPCLN.exe Move the Virtual Memory file to another disk However this wasn’t enough & I found the most space was cleared by using the Disk Cleanup to…

CPF Contribution Rates for new Singapore Permanent Residents (SPR’s)

Recently my wife and I applied and got approved for Singapore Permanent Residency. After completing the formalities the most significant immediate change is the contribution to CPF which is Singapore’s mandatory social security savings scheme requiring contributions from employers and employees. CPF contributions start from the date you obtain SPR status, which is the date of the entry permit.   Being a relentless budgeter I needed to know exactly how much I and my employer would have to contribute so that I could adjust my budget accordingly as the employee contributions get deducted from the monthly salary. After doing some research I discovered that there is a “graduated” approach to CPF contributions for new SPR’s where the contributions gradually increase in the first and second year and then upon reaching the third year are at the full amount. Note: There is an option for employers to contribute the full amount for year 1 and year 2 and the employee can use the graduated rate, b…

Implementing Custom Castle Windsor Facilities

If you’ve been following my posts you would know that I love Castle Windsor. One of the many useful features I have found is the Facility and I’m going to try and give a good example how you can make use of this. In a recent post I showed how you can add Cross-Cutting concerns to your application by using Interceptors.Now when configuring the Container you can explicitly configure each Interceptor per Service but when you have lot’s of components it can get pretty hard to maintain after a while and can also introduce subtle issues if someone forgets to configure it correctly.Below is how you would configure your Container without using a Facility. On the last line we are specifying the Interceptor explicitly. public void Configure() { container = new WindsorContainer(); container.Register( Component.For<CacheInterceptor>(), Component.For<ICacheProvider>() .ImplementedBy<WebCache…