ASP.NET MVC provides us the basic Authorization and Authentication functionalities when we use the Project template as Internet. It does all the major functionalities such as Role membership management, Login credential validation handling etc. For more information about basic authorization in MVC application check out here our article “Insight of ASP.NET MVC’s Authorize Attribute”.
In brief we can just restrict the anonymous users by decorating our Controllers and Action Methods using the Attribute called Authorize. This will redirects the Anonymous users to the login page and with some overriding we can navigate them to the Custom Error page as well. But it’s not flexible enough if we are going for more Enterprise level application where the security matters.
So there comes our concept of Customizing the Authorization and Authentication in ASP.NET MVC, let’s play around with it for some time.
Custom Membership provider in ASP.NET MVC
You would have noticed while implementing the Default membership provided by .NET, a table created with Schema related to Authentication and Authorization and persist the credentials that the end user creates. This work around is done automatically, but in case of Custom Authentication it needs to be created starting from Scratch or can use the existing Schema system of already built in Application.
Setting Up the Database
- If you have the Security database configured already then you can skip the step, else let us create ASP.NET security database.
- Open Visual Studio command prompt and type in the command “aspnet_regsql”.
- Which pops up a Sql wizard, click on the Next.
- You can decide here, whether to move on with existing on or replace the security database.
- Provide you Server name and Database, the wizard will automatically load it with ASPNET security schema loaded table.
Creating Custom Membership
- Open up Visual studio 2012 or Later and create a Class library project.
- Now it’s time to refer an assembly called System.Web.ApplicationServices. This namespace provides us different classes that enables us to access the Forms authentication, Roles and Profiles application services. To refer assembly, Right click on the Reference folder, then Add reference and Select Assemblies. Search or Scroll for corresponding namespace mentioned earlier and add it.
- Create your custom Authentication class here for instance its WebDevelopmentCustomAuth and derive it from the MembershipProvider class.
- MembershipProvider provides us a method called “ValidateUser()” which is one that needs to be overridden.
Implementing Custom Authentication into ASP.NET MVC4 Client
- Create a brand new ASP.NET MVC 4 application (The template project could be Internet).
- We can replace or add some membership tags in our Web.Config file mapping to our Custom Authentication Class library.
- Now decorate the required Controllers or ActionMethods with Authorize attribute as usual.
- It’s important that we need to set Off the Simple Membership and Auto Form authentication in the Web Config file.
<add key= “enableSimpleMembership” value= “false” />
<add key= “autoFormsAuthentication” value= “false” />
- Now Run the application by hitting F5 and navigate to the Authorize attribute decorated Action Method.
- You will be navigated to the Login page as desired.
Customizing Authorization (Role Provider)
- In our before Class library project, create a class CustomRoleProvider that inherits the RoleProvider class.
- Where the RoleProvider class provides us with the method for handling the Roles, called as GetRoleForUser().
- We can override that particular function with our logic.
- Now in our MVC 4 client project that we created earlier, open up the Web.Config file and add or replace the RoleManager Section as below.
- Then decorate the ActionMethod’s Authorize attribute with the property called Roles.
- If we again run our application and navigate to decorated ActionMethod then you can see the login only if your username has the role Administrator.
We can also make use of Third party Authentications such as Google, Microsoft, Facebook etc. This can be implemented by deriving our WebDevelopmentCustomAuth class from ExtendedMembershipProvider class, where this particular class has its base class as MembershipProvider class. We also need to refer an assembly called as WebMatrix.WebData and can manipulate the AccountController to make use of other Social type of Authentication.
Custom Authorization and Authentication provides us enough flexibility in implementing Security, it’s quite a wide topic. I’ve written the most prominent way of implementing it and I hope this helps you in learning Customization and can move forward in securing your application.
Thanks for reading, make your app Non-Screwable !
More You Must Read about ASP.NET MVC & Related
- Top New Features of C# 6.0 (Feature-wise comparison with older versions).
- All you need to know to pass Exam: 70-486 (Developing ASP.NET MVC Web Applications)
- ASP.NET MVC3 Vs MVC4 Vs MVC5 Vs MVC6
- Building ASP.NET MVC5 Application with Entity Framework 6
- Understanding Model-First Approach in ASP.NET MVC with Entity Framework
- ViewBag Vs ViewData Vs TempData Vs Session
- Free Practical Guide to ASP.NET Web API