When building a big web application with ASP.NET MVC 3 I ran into a problem to secure my web application in a maintainable way. There are lots of examples with attributes, but this isn't maintainable. So I started searching for other solutions, however most of the information is leaning on those un-maintainable attributes I finally found "Fluent Security".
What does Fluent Security offer you?
Fluent Security provides a fluent interface for configuring security in ASP.NET MVC. No attributes or nasty xml, just pure love. Go get it on NuGet!
What does that mean?
Well it simply means you can bootstrap your security just from your Application_Start() and maintain it on a single place. Besides that you can easily unit test your security setup. So you can test if your security configuration matches the security setup you described in your unit tests. This is a huge advantage because you know for sure the controller actions are secured the way you like it without having the need to click through your complete web application. You can only fail when not defining your tests correctly. That's not all… You can easily extend, modify etc. by adding your own implementations of the interfaces.
Let me start to show you some code so you see for yourself how easy it is! My example is based on a default MVC 3 application and I have added a CategoryController like below to have some extra actions for my example.
First of all I create a static class for my bootstrap code! I leave the implementation blank because I will first implement some tests.
Then you start to write some tests for your security setup. I would advice you to be very explicit in your test setup although you won't have to. This way you are 100% sure you secured it exactly the way you want and it is 100% transparent. So never write a test for your whole controller, but do it for every specific action.
After we have defined our tests for our security setup we can implement the actual setup.
As you probably have seen already we configure the security for both the get and post actions. Now we can run our tests to see if we implemented the security like we have defined them in our tests. When all your tests succeeded we are ready to enable it in our web application and define handlers for our policy violations.
First of all we called our SecurityBootstrapper.BootUp() method in our global.asax to configure our security. Then I used Castle Windsor as dependency container to register my dependencies. Of course you can use your own favorite IoC container. Or plumb your own implementation. In order to install my Fluent Security dependencies I implemented a Windsor installer which takes care of registering the dependencies in the container.
As you can see I install all PolicyViolationHandlers in my assembly. As an example I have added some implementations for a security policy violation handler.
These violation handlers are mapped by naming convention inside Fluent Security. So a RequireRolePolicy needs a RequireRolePolicyViolationHandler etc.
I think I gave you a good impression of the power of Fluent Security. There are lots of ways to make your own components for Fluent Security when the defaults don't work for you. It is open source available on Github, so you can easily participate and improve Fluent Security. The documentation is pretty good and Kristoffer Ahl really helped me out with some small issues I had when trying it out first time. Please share the article if you liked it and you really should try it out. Have fun!
You have disabled cookies. To leave me a comment please allow cookies at functionality level.
Have you ever got in the situation that you downloaded a zip-file and figured out to late the files are blocked? So you extracted the zip file into a folder with existing items. It will be damn hard to figure out which files needs to be unblocked. Besides that it will cost you many work to do so by right-clicking all of the files and clicking the unblock button.
Luckily we have PowerShell and we can easily write a little script to execute the unblock operation on the files in a sp…
This is the fourth time I installed Windows 8. This time I installed it on my personal notebook instead of a VHD, because Windows 8 is finally ready to market. So I started with downloading the enterprise edition from my MSDN subscription. Unfortunately my USB drive died so I had no storage large enough to put the image on and boot from. So I started thinking to install it over the network. Luckily me I still had my rusty 10 year old 256MB USB drive which perfectly fits a Windows PE image. So I…
When using Linq on your Entity Framework objects, you often need to distinct your query results. Therefore you need to implement an IEqualityComparer for the more advance scenario's. For example if you want to distinct on a specific property, or maybe on multiple properties. However this forces you to write lots of infrastructure code to distinct each type.
You probably would end up with several equality compare classes like this.
However there is a solution which will save you the work to wri…
In a previous blog post I explained to you how to install Windows 8 developer preview on vhd, so you can boot from your vhd. Since there have changed a few small things I just add an updated manual below. The installation will take about 30 minutes.
Make sure you have at least 40Gb of free disk space for your vhd. Make sure you're running Windows 7.
Download the Windows 8 consumer preview.
Download the Windows 7 USB/DVD tool to make yourself a bootable usb stick.
Use the tool…