I'm working on a site that uses Forms Authentication. I was interested in how the authentication system was working, since when I initially open any page in the site, it redirects me to a login, and none of the controllers/actions have any authorization logic placed in them.
- Via the configuration below, does MVC or ASP.NET automatically determine if you're authenticated? (Like I said, there is no code in the controllers to "redirect" or make sure that the user is authorized.)
- If ASP.NET handles this, in what situations do you need to authorize your actions/controllers? (i.e. [Authorize] attribute)
- How does forms authentication work? I'm especially interested in how the "authorization" is persisted? (i.e. cookies??)
Website's web.config
Technology: MVC 3, Entity Framework 4.1 (Code first), ASP.NET 4
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Index" timeout="2880" />
</authentication>
<membership defaultProvider="CodeFirstMembershipProvider">
<providers>
<clear />
<add name="CodeFirstMembershipProvider" type="Vanguard.AssetManager.Services.Security.MembershipService" applicationName="/" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="CodeFirstRoleProvider">
<providers>
<clear />
<add name="CodeFirstRoleProvider" type="Vanguard.AssetManager.Services.Security.RoleService" applicationName="/" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
</system.web>
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Content/packages">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Home">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="CheckIn">
<system.web>
<authorization>
<allow roles="CheckIn, Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Assignment">
<system.web>
<authorization>
<allow roles="Assignment, Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
The site uses MVC areas, which I assume is what the section refers to.
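As an added example (not part of the original post and not ASP.NET's own code), this Python model evaluates three of the `<location>` blocks from the web.config above the way URL authorization rules are read: in order, first match wins, `?` meaning anonymous and `*` meaning everyone. The function names, the user names and the `/Reports` path are hypothetical, and the fall-through to a default `<allow users="*" />` is an assumption about the inherited configuration.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt: three <location> blocks copied from the web.config above.
CONFIG = """<configuration>
  <location path="Admin"><system.web><authorization>
    <allow roles="Admin" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Home"><system.web><authorization>
    <deny users="?" />
  </authorization></system.web></location>
  <location path="CheckIn"><system.web><authorization>
    <allow roles="CheckIn, Admin" /><deny users="*" />
  </authorization></system.web></location>
</configuration>"""

def _split(value):
    """Turn a comma-separated attribute into a set of trimmed, lower-cased names."""
    return {s.strip().lower() for s in value.split(",") if s.strip()}

def load_rules(xml_text):
    """Map each location path to its ordered (action, users, roles) rules."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        entries = [(r.tag, _split(r.get("users", "")), _split(r.get("roles", "")))
                   for auth in loc.iter("authorization") for r in auth]
        rules[loc.get("path").strip("/").lower()] = entries
    return rules

def is_allowed(rules, url_path, user=None, roles=()):
    """First matching rule decides; user=None models an anonymous request."""
    path = url_path.strip("/").lower()
    have = {r.lower() for r in roles}
    for loc, entries in rules.items():
        if path != loc and not path.startswith(loc + "/"):
            continue  # this <location> does not cover the requested path
        for action, users, wanted in entries:
            hit = ("*" in users
                   or ("?" in users and user is None)
                   or (user is not None and user.lower() in users)
                   or bool(wanted & have))
            if hit:
                return action == "allow"
    # Assumption: nothing matched, so the inherited <allow users="*" /> applies.
    return True

RULES = load_rules(CONFIG)
```

A path that no `<location>` block covers, such as the hypothetical `/Reports`, falls through to the default allow. These rules key on the request path rather than on the controller a route resolves to, which is the gap an `[Authorize]` attribute closes.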