开发者

How can ASP.NET MVC enhance security compared to a webform?

问答 作者:

Since we have separation of layers it should be easier 开发者_运维问答to isolate each layer by security. How does MVC in ASP.NET exploit this to more easily secure a website compared to using a webform?

By security I do not only mean authorization but also anti-hacking security.

1) Decorate Controller/Action by [Authorize] attribute (optionnaly with list of roles that allowed).

Example:

[Authorize("Manager")]
public class MyController:Controller
{
    //Each action available only for authorized user
    [Authorize(Roles = "Admin;Customer")]
    public ActionResult MyAction()
    {
        //This action is available to the user that have a Manager role and one of next roles: Admin, Customer.
    }

    public ActionResult AnotherAction()
    {
        // This action is available for managers only.
    }
}

2) Create area at your MVC project, create base controller, that decorated by authorize attribute, and make all controllers at area inherited from decorated controller - that's way you can easy implement admin area for website, for example.

Example:

[Authorize(Roles = "Admin")]
public class BaseController: Controller
{

}


public class My2Controller: BaseController
{
    public ActionResult DoSomething()
    {
       //This action is available only for Admin.
    }
}

If you need to protect site from HTML/script injection (user input ... at text field 'surname', that will collect data from admin page 'all site users' and post to his site when you open your page) - you can use next methods.

  1. do nothing - by default MVC validates input, and don't process requests with HTML tags and returns error
  2. use validation - for many kinds of data (names, phones, dates) user should not have possibility to use '<' and '>'. but you don't want user see error page if makes accidental mistake. Than enable client validation.
  3. Use attribute [ValidateInput(false)] and encode incoming data - but user can't input HTML if he really need it.
  4. If you really need user can format his message - use HTML filters for giving possibility input tags from list of permitted. As example: http://htmlagilitypack.codeplex.com/
  5. Provide your own formatting dialect that will be safe and will not use HTML tags

If you need to protect from cross site fake form posting - use [ValidateAntiForgeryToken] attribute with @Html.AntiForgeryToken(); inside your <form> tag. This method generates hidden input with random value and cookie with known key and same value, and attribute check if form contains value, cookie contains value and form value equals to cookies value.

You can create your own security rules, using a bunch of attribute and hidden input on form: for example to set form time-outs.

You can put authorize attributed on each function call with role requirements.

One way users can hack your site is through "Cross-Site Request Forgery" and you can help prevent it by using AntiForgeryToken().

// Your View
@using (Html.BeginForm("Register", "Account"))
{
    // Your Form Fields
    @Html.AntiForgeryToken("someSalt")
}

// Your Controller
[HttpPost, ValidateAntiForgeryToken(Salt = "someSalt")]
public ActionResult Register(MyViewModel viewModel)
{
    // Your Code
}

继续阅读:asp.netasp.net-mvc

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9