Skip to main content

Securing Controller Actions in ASP.NET MVC for Multi-Tenant Applications

Image
By

One of the cool things about using the MVC Framework is that you get clean RESTful urls e.g.

/Product/Edit/1

This is all well and good but when developing a multi-tenant application which uses a Shared datastore it is extremely important that your controller actions are secure in the sense that the Urls can’t be tampered with.

Believe it or not but this level of security is often neglected in a lot of projects or is at the least an afterthought.

You could implement in every controller action something like below:

        public ActionResult Edit(int id)
        {
            if (!catalogService.HasAccessToProduct(UserContext.UserId, id))
            {
                HttpContext.Response.Status = "401 Unauthorized";
                HttpContext.Response.StatusCode = 401;
                Response.End();
            }

            var product = catalogService.GetProductById(id);

            ViewData.Model = product; 

            return View();
        }

However this is very repetitive, likely to be forgotten and prone to logic errors.

With the flexibility of the MVC Framework you have the ability to create your own Action Filters. Here is an example of an Action Filter that inherits from the Authorize Attribute. 

public class ProductAuthorizeAttribute : AuthorizeAttribute
   {
       private string routeDataKey = "id";

       public string RouteDataKey
       {
           get { return routeDataKey; }
           set { routeDataKey = value; }
       }

       public override void OnAuthorization(AuthorizationContext filterContext)
       {
           var userContext = UserIdentity.GetCurrent() as IUserContext;
           var productId = 0;

           if (!filterContext.RouteData.Values.ContainsKey(RouteDataKey))
           {
               throw new ApplicationException("RouteDataKey " + RouteDataKey +
                                              " does not exist in the current RouteData");
           }

           int.TryParse(filterContext.RouteData.Values[RouteDataKey].ToString(), out productId);

           if (productId > 0)
           {
               CheckAccess(productId, filterContext, userContext);
           }
       }

       private static void CheckAccess(int productId, 
           AuthorizationContext context, 
           IUserContext userContext)
       {
           var entityPermissionService = ServiceLocator.Resolve<IEntityPermissionService>();

           var hasAccess = entityPermissionService.HasAccessToProduct(userContext.UserId, productId);

           if (hasAccess) return;

           context.HttpContext.Response.Status = "401 Unauthorized";
           context.HttpContext.Response.StatusCode = 401;
           context.HttpContext.Response.End();
       }
   }

 

Then your Controller action looks like this. Much cleaner.  

        [ProductAuthorizeAttribute(RouteDataKey="id")]
        public ActionResult Edit(int id)
        {
            var product = catalogService.GetProductById(id);

            ViewData.Model = product; 

            return View();
        }

The great thing about this approach is that you can implement this at any time without changing any code other than adding the Attribute to the relevant Controller Actions.

Labels:

Popular posts from this blog

Freeing Disk Space on C:\ Windows Server 2008

By Will Beattie
  I just spent the last little while trying to clear space on our servers in order to install .NET 4.5 . Decided to post so my future self can find the information when I next have to do this. I performed all the usual tasks: Deleting any files/folders from C:\windows\temp and C:\Users\%UserName%\AppData\Local\Temp Delete all EventViewer logs Save to another Disk if you want to keep them Remove any unused programs, e.g. Firefox Remove anything in C:\inetpub\logs Remove any file/folders C:\Windows\System32\LogFiles Remove any file/folders from C:\Users\%UserName%\Downloads Remove any file/folders able to be removed from C:\Users\%UserName%\Desktop Remove any file/folders able to be removed from C:\Users\%UserName%\My Documents Stop Windows Update service and remove all files/folders from C:\Windows\SoftwareDistribution Deleting an Event Logs Run COMPCLN.exe Move the Virtual Memory file to another disk However this wasn’t enough & I found the most space was
Read more

3 Reasons Why Progressive Web Apps (PWAs) Won’t Replace Native Apps

By Will Beattie
Many people believe Progressive Web Apps (PWAs) are the future of the mobile web, but in my opinion, PWAs are not a replacement for native mobile apps. Here are three reasons why: 1. Native mobile apps provide a smoother & faster experience  Mobile websites, progressive or otherwise are slower and not as smooth. 90% of the time spent is spent using apps vs the browser . The single most significant contributing factor to a smooth experience on mobile is the speed of the network and latency of the data downloaded and uploaded. When you visit websites on desktop or mobile, there is a lot of third-party code/data that gets downloaded to your device, which more often than not has zero impact on the user experience. This includes: CSS (Cascading Style Sheets) JavaScript Ad network code Facebook tracking code Google tracking code The median number of requests a mobile website makes is a shocking  69 . On the other hand, native apps only get the data that is requi
Read more

Unit Testing Workflow Activities in .NET 4.0

By Will Beattie
  Recently during a catch up with my buddy Keith Patton I was (as I tend to do) singing the praises of the Workflow in .NET 4.0. The all important question about Unit Testing support was raised, I tried as best as I could to explain the new In and Out Arguments but I didn’t feel I was convincing enough, so I though I would clarify with a blog post. If you developed Workflows in .NET 3.5 then you will be well aware of the lack of Unit Test support which was due to many reasons but mostly in part to the complex Workflow hosting environment. When moving to .NET 4.0 Workflow Foundation from .NET 3.5 it pays to be conscious of that fact that there is no longer a distinction between Activities and Workflows. Everything derives from the System.Activities.Activity class. So the definition of a Workflow is just a collection of of 1 or more Activities. I have designed a very simple Rental Car Activity which takes the an Applicants age as the input and outputs a True or False depending o
Read more