Authenticating Users with Windows Authentication
Learn how to use Windows authentication in the context of an MVC application. You learn how to enable Windows authentication within your application’s web configuration file and how to configure authentication with IIS. Finally, you learn how to use the [Authorize] attribute to restrict access to controller actions to particular Windows users or groups.

The goal of this tutorial is to explain how you can take advantage of the security features built into Internet Information Services to password protect the views in your MVC applications. You learn how to allow controller actions to be invoked only by particular Windows users or users who are members of particular Windows groups.

Using Windows authentication makes sense when you are building an internal company website (an intranet site) and you want your users to be able to use their standard Windows user names and passwords when accessing the website. If you are building an outwards facing website (an Internet website) consider using Forms authentication instead.

Enabling Windows Authentication

When you create a new ASP.NET MVC application, Windows authentication is not enabled by default. Forms authentication is the default authentication type enabled for MVC applications. You must enable Windows authentication by modifying your MVC application’s web configuration (web.config) file. Find the <authentication> section and modify it to use Windows instead of Forms authentication like this:
Figure 2 – Enabling Windows IIS features
For example, the Home controller in Listing 1 exposes three actions named Index(), CompanySecrets(), and
StephenSecrets(). Anyone can invoke the Index() action. However, only members of the Windows local Managers group
can invoke the CompanySecrets() action. Finally, only the Windows domain user named Stephen (in the Redmond
domain) can invoke the StephenSecrets() action.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;

namespace MvcApplication1.Controllers
{
    [HandleError]
    public class HomeController : Controller
    {
        // No [Authorize] attribute: anyone can invoke this action.
        public ActionResult Index()
        {
            return View();
        }

        // Restricted to members of the Windows local Managers group.
        [Authorize(Roles = "Managers")]
        public ActionResult CompanySecrets()
        {
            return View();
        }

        // Restricted to a single Windows domain user (domain\user).
        [Authorize(Users="redmond\\swalther")]
        public ActionResult StephenSecrets()
        {
            return View();
        }
    }
}
Because of Windows User Account Control (UAC), when working with Windows Vista or Windows Server 2008, the
local Administrators group will behave differently than other groups. The [Authorize] attribute won’t correctly
recognize a member of the local Administrators group unless you modify your computer’s UAC settings.
Exactly what happens when you attempt to invoke a controller action without having the right permissions depends on
the type of authentication enabled. By default, when using the ASP.NET Development Server, you simply get a blank
page. The page is served with a 401 Not Authorized HTTP Response Status.
If, on the other hand, you are using IIS with Anonymous authentication disabled and Basic authentication enabled, then
you keep getting a login dialog prompt each time you request the protected page (see Figure 4).
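The repeated login prompt described above happens because a 401 response is returned even to a user whose Windows credentials were already accepted but who is not in the required user or role list. The following is an added example, not code from the original tutorial: a derived attribute that answers 403 in that case and keeps the 401 only for unauthenticated requests. It assumes ASP.NET MVC 3 or later (for HttpStatusCodeResult); the names WindowsAuthorizeAttribute and MvcApplication1.Filters are hypothetical.

```csharp
using System.Web.Mvc;

namespace MvcApplication1.Filters // hypothetical namespace, not from the tutorial
{
    // Added example: separates "not authenticated" (401) from
    // "authenticated but not permitted" (403).
    public class WindowsAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var user = filterContext.HttpContext.User;

            if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            {
                // The Windows credentials were accepted, but the account is not in
                // the Users/Roles list. Another 401 would only make the browser
                // prompt again, so report 403 Forbidden instead.
                filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
            }
            else
            {
                // No authenticated identity yet: keep the default 401 so the
                // server can start the authentication handshake.
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }
}

namespace MvcApplication1.Controllers
{
    using MvcApplication1.Filters;

    // Same restriction as CompanySecrets() in Listing 1, using the derived attribute.
    public class SecretsController : Controller // hypothetical controller name
    {
        [WindowsAuthorize(Roles = "Managers")]
        public ActionResult CompanySecrets()
        {
            return View();
        }
    }
}
```

A 403 in the IIS logs for these actions then identifies a known account that lacks the group membership, while a 401 still indicates a request that was never authenticated.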
Summary
This tutorial explained how you can use Windows authentication in the context of an ASP.NET MVC application. You
learned how to enable Windows authentication within your application’s web configuration file and how to configure
authentication with IIS. Finally, you learned how to use the [Authorize] attribute to restrict access to controller actions to
particular Windows users or groups.
© 2010 Microsoft Corporation. All Rights Reserved.