Wednesday, March 27, 2013


Authentication in ASP.Net MVC

At the outset there appear to be two options for doing authentication in an ASP.Net MVC application: Global Filters and HttpModules. To understand the difference in a little more detail, we need to look at the architecture of ASP.Net MVC, as illustrated in the diagram below.



As you can see, MVC is built on top of the ASP.Net framework, alongside other frameworks such as Web Forms and Services.

Global Filters are implemented at the MVC layer.
HttpModules are implemented at the ASP.Net pipeline layer.

The ASP.Net framework has built-in support for authentication, provided through HttpModules. Every request into the system goes through the HttpModules, whereas only MVC-specific requests (those routed to a controller action) go through the global action filters. MVC has the concept of global filters that expose an OnAuthorization hook. Authorization at the application level does make sense, to control which user can access which resource. But authentication should not be left to the individual applications, IMO.

Many people prefer to use MVC filters for authentication, but I don't agree that this is a good paradigm in an enterprise scenario, where you may not want developers controlling authentication policy and its application. I advocate using the ASP.Net HttpModules feature for authentication for the following reasons:

  • It allows security to be configured at the "site" or asset level, completely agnostic of the higher-level frameworks such as MVC and Web Forms.
  • It can be configured by Release Engineering, in web.config. Global filters, on the other hand, are defined and instantiated programmatically in code. This moves control of security from developers to release engineering, which is a safer mechanism: we partition developer and release engineering practices (even though the developers might be writing the code for the actual HttpModule).
  • A common set of HttpModules can be reused across ASP.Net applications, WCF services and MVC applications.

There are some advantages to using global filters:

  • They allow finer-grained control, if we wanted to expose some actions to authenticated as well as unauthenticated users (which is not the case in any of our scenarios).
  • They speak the language of MVC.
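For contrast, here is the global-filter approach as an added example (not code from the original post or from the linked articles). The filter is instantiated in code at application start, which is exactly the property the post objects to for enterprise use, and it runs only for requests that reach an MVC action; its one advantage is visible in the per-action opt-out via [AllowAnonymous]. The filter and class names are assumptions made for this example; AllowAnonymousAttribute, IAuthorizationFilter and GlobalFilterCollection are part of System.Web.Mvc.

```csharp
using System.Web.Mvc;

namespace Example.Web
{
    // Global authorization filter: refuses any MVC action to unauthenticated users unless the
    // action or its controller is marked [AllowAnonymous]. It relies on HttpContext.User having
    // been populated earlier in the pipeline (for instance by an authentication HttpModule).
    public class RequireAuthenticatedUserFilter : IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            bool allowAnonymous =
                filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) ||
                filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
            if (allowAnonymous) return;

            var user = filterContext.HttpContext.User;
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            {
                // Short-circuit: the action never executes; MVC returns 401.
                filterContext.Result = new HttpUnauthorizedResult();
            }
        }
    }

    // Registered programmatically from Application_Start, i.e. controlled by developers, not by
    // release engineering. Nothing in web.config reflects that this filter exists.
    public static class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new RequireAuthenticatedUserFilter());
        }
    }

    // Example controller: the Index action opts out of the global filter, Secret does not.
    public class HomeController : Controller
    {
        [AllowAnonymous]
        public ActionResult Index() { return Content("public"); }

        public ActionResult Secret() { return Content("hello " + User.Identity.Name); }
    }
}
```

Note what the filter does not cover: static files, Web Forms pages, WCF endpoints and any request that fails routing never pass through it, so a site that relies on a global filter alone has to make sure nothing sensitive is served outside MVC.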


Reading and references

http://blogs.teamb.com/craigstuntz/2009/09/09/38390/
ASP.NET MVC Authentication - Customizing Authentication and Authorization The Right Way - Jon Galloway
