Introduction

So after solving the little bug with FluentSecurity and VB.Net, I can now try out FluentSecurity.

How it works

So now that I have it working, I needed to find out how it works. My first attempt was to make the About function in the HomeController accessible only to logged-in users. Yes, I know this seems illogical, but who cares about that anyway.

For this I need to change the configuration code in my Global.asax to this:

vb.net
' FluentSecurity configuration, run from Application_Start in Global.asax
SecurityConfigurator.Configure(Sub(configuration)
                                   ' Tell FluentSecurity how to find out whether the current user is logged in
                                   configuration.GetAuthenticationStatusFrom(Function() HttpContext.Current.User.Identity.IsAuthenticated)
                                   ' No rules for HomeController by default...
                                   configuration.For(Of HomeController)().Ignore()
                                   ' ...except About, which requires a logged-in user
                                   configuration.For(Of HomeController)(Function(x) x.About).DenyAnonymousAccess()

                                   ' Logged-in users are kept out of AccountController (LogOn, Register)...
                                   configuration.For(Of AccountController)().DenyAuthenticatedAccess()
                                   ' ...except LogOff, which only makes sense for a logged-in user
                                   configuration.For(Of AccountController)(Function(x) x.LogOff()).DenyAnonymousAccess()
                               End Sub)

' Register the global filter that enforces the configured policies on every request
GlobalFilters.Filters.Add(New HandleSecurityAttribute(), 0)

Do you see the first line of the HomeController configuration that says Ignore? That means that no function in HomeController has any security rules, so everyone can use them. As with any good policy, we can override this, and we do so in the next line, where we say that the About function must deny anonymous access, which is what we want. In short, the Index function of our standard HomeController will be accessible to everyone and About only to logged-in users.

When our users see this and click the About button/link,

they will get this.

Neither is an ideal situation, but we now know what happens.

You get this exception, which your users should never see, because that is the default. Just go look at the code:

C#
using System.Web.Mvc;

namespace FluentSecurity
{
    // The default handler: it simply rethrows the violation, so the user sees the exception page
    public class ExceptionPolicyViolationHandler : IPolicyViolationHandler
    {
        public ActionResult Handle(PolicyViolationException exception)
        {
            throw exception;
        }
    }
}

You can now also conclude that this behaviour is overridable, which it is.

We will, however, need StructureMap or another IoC container. So I created a new handler with the correct name.

vb.net
Namespace Security
    ' Replaces the default handler for violations of the DenyAnonymousAccess policy
    Public Class DenyAnonymousAccessPolicyViolationHandler
        Implements FluentSecurity.IPolicyViolationHandler

        Public Function Handle(ByVal exception As FluentSecurity.PolicyViolationException) As System.Web.Mvc.ActionResult Implements FluentSecurity.IPolicyViolationHandler.Handle
            ' Answer with a 401 instead of throwing; forms authentication turns this into the logon redirect
            Return New HttpUnauthorizedResult(exception.Message)
        End Function

    End Class
End Namespace

And after adding StructureMap via NuGet, I change my Global.asax to this:

vb.net
' Register the custom handler with StructureMap so FluentSecurity can resolve it
ObjectFactory.Configure(Sub(x) x.For(Of IPolicyViolationHandler).Add(Of Security.DenyAnonymousAccessPolicyViolationHandler)())

SecurityConfigurator.Configure(Sub(configuration)
                                   configuration.GetAuthenticationStatusFrom(Function() HttpContext.Current.User.Identity.IsAuthenticated)
                                   ' Let FluentSecurity ask StructureMap for services such as policy violation handlers
                                   configuration.ResolveServicesUsing(Function(type) ObjectFactory.GetAllInstances(type).Cast(Of Object)())
                                   configuration.For(Of HomeController)().Ignore()
                                   configuration.For(Of HomeController)(Function(x) x.About).DenyAnonymousAccess()

                                   configuration.For(Of AccountController)().DenyAuthenticatedAccess()
                                   configuration.For(Of AccountController)(Function(x) x.LogOff()).DenyAnonymousAccess()
                               End Sub)

GlobalFilters.Filters.Add(New HandleSecurityAttribute(), 0)

And now I get the logon screen when I click on about.
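The configuration above only replaces the handler for DenyAnonymousAccess; a logged-in user who opens LogOn on the AccountController still hits the default ExceptionPolicyViolationHandler. As an added example (not code from the original post), here is the matching handler for the DenyAuthenticatedAccess policy, named after the same policy-name-plus-ViolationHandler convention, together with the StructureMap registration for both handlers; the redirect target Home/Index and the RegisterPolicyViolationHandlers module are my own assumptions.

```vbnet
Imports System.Web.Mvc
Imports System.Web.Routing
Imports FluentSecurity
Imports StructureMap

Namespace Security
    ' Handles violations of DenyAuthenticatedAccess(): a user who is already logged in
    ' requesting an AccountController action such as LogOn or Register.
    ' Resolved by name convention, exactly like DenyAnonymousAccessPolicyViolationHandler.
    Public Class DenyAuthenticatedAccessPolicyViolationHandler
        Implements IPolicyViolationHandler

        Public Function Handle(ByVal exception As PolicyViolationException) As ActionResult Implements IPolicyViolationHandler.Handle
            ' Home/Index is an assumed target for this example. A 401 would be wrong here:
            ' forms authentication would bounce an already authenticated user back to the logon page.
            Return New RedirectToRouteResult(New RouteValueDictionary(New With {.controller = "Home", .action = "Index"}))
        End Function
    End Class
End Namespace

' Assumed helper, called from Application_Start in Global.asax: registers both handlers
' so that configuration.ResolveServicesUsing(...) can hand them to FluentSecurity.
Public Module HandlerRegistration
    Public Sub RegisterPolicyViolationHandlers()
        ObjectFactory.Configure(Sub(x)
                                    x.For(Of IPolicyViolationHandler).Add(Of Security.DenyAnonymousAccessPolicyViolationHandler)()
                                    x.For(Of IPolicyViolationHandler).Add(Of Security.DenyAuthenticatedAccessPolicyViolationHandler)()
                                End Sub)
    End Sub
End Module
```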

Conclusion

It works, what can I say? You can now easily add security to your ASP.NET MVC 3 application without having to add attributes all over the place.