How to lock down paths in ASP.NET MVC?

asp.net-mvc web-config forms-authentication asp.net-authorization
27,891

Take a look at Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute.

You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute...

Quote

MVC uses routes and does not map URLs to physical file locations like WebForms, PHP and traditional web servers. Therefore using web.config will definitely open a security hole in your site.

The product team will have a communication if this changes in the future, but for now it is without exception the rule.

Examples:

Start with the default ASP.Net MVC project (internet/intranet).

Edit the web.config adding:

<location path="Home">
  <system.web>
    <authorization>
      <deny users="*">
    </authorization>
  </system.web>
</location>

Run the project, by default you will use the Default route /Home/Index and you see content, simply bypassing the web.config with no changes to the default template. Why? Because the ASP.Net pipeline is comparing the URL requested to the location specified in the web.config. However, after the Authorization Event has been executed in the pipeline the routing taking place (Default routing or custom routing) and allows access to the supposedly restricted area.

Additionally, any MVC Redirect() will also by-pass the same security measures as again the routing takes place after the Authorization Pipeline Event.

I don't think anyone should accept sorta working security. Do it correctly the first time, don't be lazy and use something that wasn't designed to be used with a specific technology.

Share:
27,891
Jed
Author by

Jed

Updated on April 30, 2020

Comments

  • Jed
    Jed about 4 years

    I'm playing around with MVC 4 for the first time to check out what's been changed/added/etc compared to MVC 3.

    To start off, I created a blank MVC 4 Web Application and started building from scratch.

    One of the first things that I noticed that is different in MVC 4 is the fact that the following web.config settings have no affect on the accessibility of the web pages:

    <configuration>
    <location path="">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
    </location>
    .....
</configuration>

    Back in MVC 3, the authorization settings above would deny all anonymous users from accessing any content within the site. However, if I add the same settings to an MVC4 Web.config file, an anonymous has free reign over an URL that s/he chooses.

    What do I need to do in MVC 4 to lock-down all paths like I did in MVC 3?

  • Erik Funkenbusch
    Erik Funkenbusch almost 11 years
    I think Rick's answer is overly aggressive. He says "you cannot", but you can. What he means is that you should not. If your application is sufficiently simple, then using web.config is not a problem. It only becomes an issue once you start using custom routes extensively. Although, I agree that it's wise to have a single rule of thumb for people to follow. The problem with attributes is that they require recompiling the code to change security access levels. He also says "will definitely" and again, that's not true absolutely.
  • Erik Philips
    Erik Philips almost 11 years
    Actually you cannot lock down any ASP.Net MVC application (application being the key word) using the web.config. You can only lock physical files that may reside with in the applications directories using MVC.
  • Erik Funkenbusch
    Erik Funkenbusch almost 11 years
    Certainly you can, you just disable access via handlers, force everything to go through controller actions.
  • Erik Funkenbusch
    Erik Funkenbusch almost 11 years
    If you have defined handlers that block file types, and turned off the "check filesystem first" feature, then yes it does.
  • Erik Philips
    Erik Philips almost 11 years
    It's doesn't fix RedirectResult. Which means standard MVC redirects bypass authorization.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Forms authentication - sliding expiration
What does the UnobtrusiveJavaScriptEnabled key do in .NET?
Logic behind data source=(local) in connection string
Allow Zero DateTime mysql connector web.config Entity Framework
how to configure a connection string for active directory
Application does not log
How can I create a local user profile for the anonymous user of an ASP.Net MVC application under IIS 7?
Determine correct connectionString for web publishing for ASP.NET-MVC application
maxRequestLength vs. maxAllowedContentLength on IIS 7.5
Custom Error Page does not show even though I set CustomError="On"