XML FeedsIntroduction
So after solving the little bug with regards to fluent security and VB.Net I now can try out fluent security.
How it works
So now that I have it working I needed to find out how it works. My first attempt was to make the About Function in the Homecontroller only accessible for logged in users. Yes I know this seems illogical but who cares about that anyway.
For this I need to change the configuration code in my Global.asax to this.
- SecurityConfigurator.Configure(Sub(configuration)
- configuration.GetAuthenticationStatusFrom(Function() HttpContext.Current.User.Identity.IsAuthenticated)
- configuration.For(Of HomeController)().Ignore()
- configuration.For(Of HomeController)(Function(x) x.About).DenyAnonymousAccess()
- configuration.For(Of AccountController)().DenyAuthenticatedAccess()
- configuration.For(Of AccountController)(Function(x) x.LogOff()).DenyAnonymousAccess()
- End Sub)
- GlobalFilters.Filters.Add(New HandleSecurityAttribute(), 0)
Do you see the first line of the HomeController configuration that says ignore? That means that all functions in Homecontroller will have no security rules so everyone can use them. As with any good policy we can however override this and we do this in the next line, where we say that the About function must Deny Anonymous access. Which is what we want. In short the Index function of our standard HomeController will be accessible for everyone and About just for logged in users.
When our users see this and click the about button/link.
they will get this.
Neither are ideal situations but we now know what happens.
You get this exeptions that your users should never see because that is the default. Just go look at the code.
- using System.Web.Mvc;
- namespace FluentSecurity
- {
- public class ExceptionPolicyViolationHandler : IPolicyViolationHandler
- {
- public ActionResult Handle(PolicyViolationException exception)
- {
- throw exception;
- }
- }
- }
You can now also conclude that this behaviour is overridable. Which it is.
We will however need structuremap or another IoC container. So I created a new handler with the correct name.
- Namespace Security
- Public Class DenyAnonymousAccessPolicyViolationHandler
- Implements FluentSecurity.IPolicyViolationHandler
- Public Function Handle(ByVal exception As FluentSecurity.PolicyViolationException) As System.Web.Mvc.ActionResult Implements FluentSecurity.IPolicyViolationHandler.Handle
- Return New HttpUnauthorizedResult(exception.Message)
- End Function
- End Class
- End Namespace
And I change my global.asax to this after adding structuremap via nuget.
- ObjectFactory.Configure(Sub(x) x.For(Of IPolicyViolationHandler).Add(Of Security.DenyAnonymousAccessPolicyViolationHandler)())
- SecurityConfigurator.Configure(Sub(configuration)
- configuration.GetAuthenticationStatusFrom(Function() HttpContext.Current.User.Identity.IsAuthenticated)
- configuration.ResolveServicesUsing(Function(type) ObjectFactory.GetAllInstances(type).Cast(Of Object)())
- configuration.For(Of HomeController)().Ignore()
- configuration.For(Of HomeController)(Function(x) x.About).DenyAnonymousAccess()
- configuration.For(Of AccountController)().DenyAuthenticatedAccess()
- configuration.For(Of AccountController)(Function(x) x.LogOff()).DenyAnonymousAccess()
- End Sub)
- GlobalFilters.Filters.Add(New HandleSecurityAttribute(), 0)
And now I get the logon screen when I click on about.
Conclusion
It works, what can I say. You can now easily add security to your asp.net MVC 3 application without having to add attributes all over the place.
Chris is awesome.
Thanks, I was indeed helpful for me as I was confused how to configure 'DenyAnonymousAccessPolicyViolationHandler'.
LTD Social Sitings
Note: Watch for social icons on posts by your favorite authors to follow their postings on these and other social sites.