As of Preview 3 of ASP.NET MVC, it appears that authentication has been left out of the framework. So until this feature is included, it seems that Microsoft has left security as an exercise for the reader. Many developers have found creative solutions for securing their MVC applications. Here are a few interesting links:
- ASP.Net MVC Membership Basics – Troy Goode discusses using the membership APIs from non-MVC ASP.NET on an ASP.NET MVC site.
- ASP.Net MVC Framework – Security – Fredrik Normén shows how to use the controller’s OnPreAction event to implement action-level security.
- ASP.NET MVC Controller And Action Role Authentication – AzamSharp uses the controller’s OnPreAction method, similar to Fredrik’s example. But instead of using attributes, AzamSharp uses an XML-based configuration to describe an action’s security.
- ASP.NET MVC: Securing Your Controller Actions – And lastly (but not least), Rob Conery talks about using an ActionFilterAttribute to create what is essentially an OnLoad event for a controller’s actions. Rob uses that and action-level attributes to implement his access security.
I hope Microsoft includes security as an out-of-the-box feature for ASP.NET MVC before it RTMs. But in the interim, it’s nice to see others aren’t letting that stop them from writing security-mindful code.