Skip to main content

Securing Controller Actions in ASP.NET MVC for Multi-Tenant Applications

Image
By

One of the cool things about using the MVC Framework is that you get clean RESTful urls e.g.

/Product/Edit/1

This is all well and good but when developing a multi-tenant application which uses a Shared datastore it is extremely important that your controller actions are secure in the sense that the Urls can’t be tampered with.

Believe it or not but this level of security is often neglected in a lot of projects or is at the least an afterthought.

You could implement in every controller action something like below:

        public ActionResult Edit(int id)
        {
            if (!catalogService.HasAccessToProduct(UserContext.UserId, id))
            {
                HttpContext.Response.Status = "401 Unauthorized";
                HttpContext.Response.StatusCode = 401;
                Response.End();
            }

            var product = catalogService.GetProductById(id);

            ViewData.Model = product; 

            return View();
        }

However this is very repetitive, likely to be forgotten and prone to logic errors.

With the flexibility of the MVC Framework you have the ability to create your own Action Filters. Here is an example of an Action Filter that inherits from the Authorize Attribute. 

public class ProductAuthorizeAttribute : AuthorizeAttribute
   {
       private string routeDataKey = "id";

       public string RouteDataKey
       {
           get { return routeDataKey; }
           set { routeDataKey = value; }
       }

       public override void OnAuthorization(AuthorizationContext filterContext)
       {
           var userContext = UserIdentity.GetCurrent() as IUserContext;
           var productId = 0;

           if (!filterContext.RouteData.Values.ContainsKey(RouteDataKey))
           {
               throw new ApplicationException("RouteDataKey " + RouteDataKey +
                                              " does not exist in the current RouteData");
           }

           int.TryParse(filterContext.RouteData.Values[RouteDataKey].ToString(), out productId);

           if (productId > 0)
           {
               CheckAccess(productId, filterContext, userContext);
           }
       }

       private static void CheckAccess(int productId, 
           AuthorizationContext context, 
           IUserContext userContext)
       {
           var entityPermissionService = ServiceLocator.Resolve<IEntityPermissionService>();

           var hasAccess = entityPermissionService.HasAccessToProduct(userContext.UserId, productId);

           if (hasAccess) return;

           context.HttpContext.Response.Status = "401 Unauthorized";
           context.HttpContext.Response.StatusCode = 401;
           context.HttpContext.Response.End();
       }
   }

 

Then your Controller action looks like this. Much cleaner.  

        [ProductAuthorizeAttribute(RouteDataKey="id")]
        public ActionResult Edit(int id)
        {
            var product = catalogService.GetProductById(id);

            ViewData.Model = product; 

            return View();
        }

The great thing about this approach is that you can implement this at any time without changing any code other than adding the Attribute to the relevant Controller Actions.

Labels:

Popular posts from this blog

ASP.NET MVC Release Candidate - Upgrade issues - Spec#

By
First of all, great news that the ASP.NET MVC Release Candidate has finally been released.  Full credit to the team for the hard work on this.  You can get the download here  However this is the first time I have had upgrade issues.  Phil Haack has noted some of the issues here   If like me you have lot's of CTP's and Add-Ins then you might experience some pain in Uninstalling MVC Beta on Vista SP1  This is the list of Add-Ins / CTP's I had to uninstall to get it to work  Spec# PEX Resharper 4.1  Sourcelinks ANTS Profiler 4   Can't say I'm too impressed as it wasted over an hour of my time.  As it turned out Spec# turned out to be the offending culprit, it's forgiveable to have issues with a third party product but a Microsoft one? Guess no-one on the ASP.NET team has Spec# installed. 
Read more

Freeing Disk Space on C:\ Windows Server 2008

By Will Beattie
  I just spent the last little while trying to clear space on our servers in order to install .NET 4.5 . Decided to post so my future self can find the information when I next have to do this. I performed all the usual tasks: Deleting any files/folders from C:\windows\temp and C:\Users\%UserName%\AppData\Local\Temp Delete all EventViewer logs Save to another Disk if you want to keep them Remove any unused programs, e.g. Firefox Remove anything in C:\inetpub\logs Remove any file/folders C:\Windows\System32\LogFiles Remove any file/folders from C:\Users\%UserName%\Downloads Remove any file/folders able to be removed from C:\Users\%UserName%\Desktop Remove any file/folders able to be removed from C:\Users\%UserName%\My Documents Stop Windows Update service and remove all files/folders from C:\Windows\SoftwareDistribution Deleting an Event Logs Run COMPCLN.exe Move the Virtual Memory file to another disk However this wasn’t enough & I found the most space was
Read more

Consuming the SSRS ReportExecutionService from a .NET Client

By
  I’ve just finished writing a nice wrapper which internally calls the SSRS ReportExecutionService to generate reports. Whilst it was fairly simple to implement there has been some major changes between 2005 and 2008 and the majority of online and documentation is based on the 2005 implementation. The most important change is that the Report Server and Report Manager are no longer hosted in IIS which will be a welcomed change to Sys Admins but makes the security model and hosting model vastly different. So far I’ve yet to figure out how to allow Anonymous Access, if anyone knows how to do this leave a comment and it will be most appreciated. Getting Started To get started you’ll want to add a service reference to http://localhost/ReportServer_SQL2008/ReportExecution2005.asmx where ReportServer_SQL2008 is the name you configure in the Reporting Services Configuration Manager. The Web Application files are located in C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\R
Read more