Thursday, February 13, 2014

ASP.NET MVC5 (Novice) Protecting your site with a login wrapper

The default MVC framework includes login and registration pages. They are functional, but by default the main pages in the site are not configured as login-protected.

 

As with much of MVC, the login wrapper has been abstracted to a configuration component – a filter in this case.

 

In Solution Explorer, under ~/App_Start, double-click “FilterConfig.cs”.

 

Add the following lines to RegisterGlobalFilters:

 

filters.Add(new System.Web.Mvc.AuthorizeAttribute());

filters.Add(new RequireHttpsAttribute());

 

I disabled RequireHttpsAttribute during development.

 

The entire site is now protected by the login wrapper with the exception of the account related pages. The account pages are excluded from the login wrapper because of the [AllowAnonymous] attribute.
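The two pieces described above, shown together as an added example (not code from the original post): the global filter registration, with RequireHttpsAttribute compiled into Release builds only, and a controller action that opts out with [AllowAnonymous]. The namespace MyMvcApp, the Manage action and the single-listing layout are assumptions; in a real project these live in separate files.

```csharp
// Added example. "MyMvcApp" is an assumed project name.
using System.Web.Mvc;

namespace MyMvcApp
{
    // ~/App_Start/FilterConfig.cs
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute()); // already present in the default template

            // Every action in the site now requires an authenticated user
            // unless the action or its controller opts out with [AllowAnonymous].
            filters.Add(new AuthorizeAttribute());

#if !DEBUG
            // Release builds only: HTTP GET requests are redirected to HTTPS.
            // Skipped in Debug so a local site without a certificate still works.
            filters.Add(new RequireHttpsAttribute());
#endif
        }
    }
}

namespace MyMvcApp.Controllers
{
    // No attribute needed: the global AuthorizeAttribute covers this controller.
    public class HomeController : Controller
    {
        public ActionResult Index() { return View(); }
    }

    public class AccountController : Controller
    {
        // Opt-out: the login page has to stay reachable for anonymous users,
        // otherwise the redirect to the login page would itself require a login.
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        // Hypothetical action without [AllowAnonymous]: still requires a login.
        public ActionResult Manage() { return View(); }
    }
}
```

A quick check after deploying: request a page other than the account pages while signed out and confirm the response is a redirect to the login page rather than the page content.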

 

 

For a much more comprehensive treatment, see “Deploy a Secure ASP.NET MVC 5 app with Membership, OAuth, and SQL Database to a Windows Azure Web Site” by Rick Anderson.

 

This is a beginning-to-end explanation of how to create and deploy a site. To skip to the security section, scroll to the middle of the page and look for “Protect the Application with SSL and Authorize Attribute”. He even explains how to create security levels!

 

 

 

 
