In this tip, I will explain how to secure an ASP.NET MVC application at the level of individual actions. In Web Forms, access to a particular page is usually controlled through the sitemap and its role settings, or by putting a check in the Page_Load event of the master page or of the page itself. In this tip I will do the equivalent in an MVC application.
My application needs role management. A role here is a set of users that share something, for example Teacher or Student, so that when a user logs in she or he gets only the views that belong to that role. When a user in the Student role logs in, he should see the Student views and nothing else.
Let us create an MVC application. I will choose the Internet project template and name the project SecurityInMvc. Notice that an AccountController and the Account models are created for us by the template; together they give us authentication of type FormsAuthentication. I will not go further into FormsAuthentication here. If you run the project, you can see that:
In the view above, there is a Register link at the right corner. Register one user and try to log in; this works out of the box because it is built into the framework.
I created an account for myself, which is stored in the database. At this point I can open both the About and the Contact view. Now my requirement is that this user must not be able to use the About view. How can I do this? I could remove the About link for this role. Will that solve the problem? Definitely not: hiding a link is not enforcement, because the user can still reach the page by typing its URL or by following a link from anywhere else. The restriction has to live on the server, in the action itself, so that the About view cannot be reached by this user through any route.
[RoleAuthorize(Roles = "Admin")]   // the custom filter written below; only Admin-role users may run this action
public ActionResult About()
{
    ViewBag.Message = "Your app description page.";
    return View();
}
With the attribute on the action above, only users in the Admin role can execute About. But how does the action know which role the logged-in user belongs to? For that we need one more small piece.
You may have noticed the App_Start folder created with the MVC project. It contains FilterConfig.cs, which registers global filters when the application starts. A filter is a class whose code runs around every action it is attached to, before the action body executes, so it is the right place for checks like this one. We will write a custom filter that rejects unauthorized users.
Right-click the Filters folder, choose Add > New Item, and add a class file. The name can be anything you want; I will call it RoleAuthorize.cs.
public class RoleAuthorize : AuthorizeAttribute
{
    // Called by MVC before the action runs: true allows it, false denies it.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!httpContext.User.Identity.IsAuthenticated) return false;      // anonymous request: deny
        userloginDb obj = new userloginDb();                                  // the author's user/role table
        string userRole = obj.GetRoles(httpContext.User.Identity.Name);       // role name stored for this login
        foreach (string DefinedRoles in this.Roles.Split(','))               // roles listed on the attribute, e.g. "Admin"
            if (DefinedRoles.Trim() == userRole) return true;
        return false;
    }
}
In the namespace System.Web.Mvc there is a class called AuthorizeAttribute with some virtual methods. We override its AuthorizeCore method, which accepts an HttpContextBase (carrying the login details such as the user name and the authentication type) and returns a bool: true to let the action run, false to deny it.
How This Works
When a request for the About action arrives, control goes to the filter we defined, RoleAuthorize, before About executes.
First the filter checks whether the user is authenticated. If not, it returns false, About does not execute, and the framework answers 401, which FormsAuthentication turns into a redirect to the login page. If the user is authenticated, the filter calls a method I defined, GetRoles(), which takes the user name found in the HttpContextBase (httpContext.User.Identity.Name) and returns that user's role from the database. this.Roles gives the roles written on the attribute above the action, so all that is left is to compare the two strings: if they match, return true and the action runs; otherwise return false.
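As an added example (not the code from this tip), here is a complete version of the filter described above with the pieces a practitioner would want: the roles listed on the attribute are trimmed and compared case-insensitively, a login with no role row is denied rather than throwing, and an authenticated user in the wrong role gets a 403 instead of being bounced back to the login page. The in-memory UserRoleStore, the user names in it and the HomeController are constructed for this example and stand in for the tip's userloginDb and database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;
using SecurityInMvc.Filters;

namespace SecurityInMvc.Filters
{
    // Hypothetical role store standing in for the tip's userloginDb: a constructed
    // in-memory table of login name -> role so the example compiles on its own.
    public static class UserRoleStore
    {
        private static readonly Dictionary<string, string> Rows =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice", "Admin" },
                { "bob",   "Teacher" },
                { "carol", "Student" },
            };

        // Returns the role stored for a login name, or null when the login is unknown.
        public static string GetRoles(string userName)
        {
            string role;
            return Rows.TryGetValue(userName ?? string.Empty, out role) ? role : null;
        }
    }

    public class RoleAuthorize : AuthorizeAttribute
    {
        // Runs before the action. true = allow; false = deny (HandleUnauthorizedRequest decides how).
        // Only the Roles property is honoured here; the base class's Users list is ignored.
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null) throw new ArgumentNullException("httpContext");

            var identity = httpContext.User != null ? httpContext.User.Identity : null;
            if (identity == null || !identity.IsAuthenticated)
                return false;                       // anonymous: the 401 -> login redirect is correct

            // No Roles on the attribute means "any authenticated user".
            if (string.IsNullOrWhiteSpace(Roles))
                return true;

            string userRole = UserRoleStore.GetRoles(identity.Name);
            if (userRole == null)
                return false;                       // logged in but no role row: deny, do not throw

            // Roles = "Admin, Teacher": trim each entry and compare case-insensitively.
            return Roles.Split(',')
                        .Select(r => r.Trim())
                        .Where(r => r.Length > 0)
                        .Any(r => string.Equals(r, userRole, StringComparison.OrdinalIgnoreCase));
        }

        // The base class answers 401 for every failure, which FormsAuthentication turns into a
        // redirect to the login page even when the user IS logged in. Answer 403 for the
        // logged-in-but-wrong-role case so the user sees a denial instead of a login loop.
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var identity = filterContext.HttpContext.User.Identity;
            if (identity != null && identity.IsAuthenticated)
            {
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
                return;
            }
            base.HandleUnauthorizedRequest(filterContext);   // 401 -> login page
        }
    }
}

// Assumed controller (not from the tip). The attribute is the enforcement point, so it must
// sit on every action the role must not reach, not only on the menu link that points to it.
namespace SecurityInMvc.Controllers
{
    public class HomeController : Controller
    {
        [RoleAuthorize(Roles = "Admin")]
        public ActionResult About()
        {
            ViewBag.Message = "Your app description page.";
            return View();
        }

        [RoleAuthorize(Roles = "Student, Teacher")]
        public ActionResult Contact()
        {
            return View();
        }
    }
}
```

Two points worth knowing. First, the built-in [Authorize(Roles = "Admin")] already does this role check by calling IPrincipal.IsInRole, which works whenever a RoleProvider is configured (the Internet template wires up SimpleRoleProvider); the custom filter is only needed because the roles live in your own table. Second, overriding AuthorizeCore rather than OnAuthorization keeps the base class's output-cache protection: AuthorizeAttribute registers a cache validation callback that re-runs AuthorizeCore, so a cached copy of a protected page is not served to a user who fails the check.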
In this way we can secure each action with a filter.