Posts

Showing posts from August, 2013

SessionAuthenticationModule Causes Strange Redirect Behavior

I was working on a web project using ASP.NET MVC 4 when I started seeing some strange behavior. Some of my AJAX calls to ASP.NET Web API services were getting redirected back to the same URL. The only difference between the original URL used to make the call and the redirected URL was a change in case. While this could just be annoying and cause some performance issues, it was causing my application real problems, because the redirected web request was missing some header information. Specifically, I was using basic authentication on the calls to the Web APIs, and the header was missing the authentication information, so the requests were failing authentication/authorization. For the life of me I could not figure out what was causing the redirects.

Then I started thinking back to what had changed in the application that may have introduced this behavior. I had added the use of the SessionAuthenticationModule so that I could store claim information …

Decoupling Your Security Model From The Application Model With SimpleMembership

One of the peeves I have with ASP.NET MVC and how security is handled is that you have to design your security model up front while you are designing your web application. You have to determine which roles you need while implementing your application so that you can add them to the Authorize attribute on the controller actions. Here is an example of how you control access to a controller action.

    // Only members of the "admin" or "user" role may invoke this action;
    // the role names are compiled into the attribute.
    [Authorize(Roles = "admin,user")]
    public ActionResult DoSomething()
    {
        ViewBag.Message = "Do something really spectacular.";
        return View();
    }
Now when we want to change our security model, such as adding new roles, we have to go through the whole application changing these Authorize attributes, recompile the application, and redeploy. This coupling causes a lot of inefficiencies.

But you can customize SimpleMembership to handle this in a better way that decouples the security model from your application domain. I will demonstrate …
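One way to take the role names out of the compiled attributes, as an added example that is not the author's demonstration and not part of the original post: a custom AuthorizeAttribute that looks up the roles allowed for the current controller/action in a store at request time. The store here (PermissionStore, DataDrivenAuthorizeAttribute and the seeded "Home/DoSomething" and "Home/Delete" entries are all hypothetical names) is an in-memory dictionary standing in for the database tables a SimpleMembership-backed version would read, so changing who may reach an action becomes a data change rather than a recompile and redeploy. The controller and action names are read from the request's route data inside AuthorizeCore rather than assigned to the attribute's Roles property, because MVC caches filter attribute instances and sharing mutable state across requests would be a race.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical permission store: maps "Controller/Action" to the roles allowed to call it.
// A real deployment would back this with the SimpleMembership role tables (or a table of
// its own) so that permissions can be edited at runtime; this in-memory version is seeded
// with constructed sample data so the example is self-contained.
public static class PermissionStore
{
    private static readonly ConcurrentDictionary<string, string[]> Map =
        new ConcurrentDictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);

    static PermissionStore()
    {
        Map["Home/DoSomething"] = new[] { "admin", "user" };
        Map["Home/Delete"] = new[] { "admin" };
    }

    // Returns null when no entry exists for the action, so callers can fail closed.
    public static string[] RolesFor(string controller, string action)
    {
        string[] roles;
        return Map.TryGetValue(controller + "/" + action, out roles) ? roles : null;
    }

    // Changing who may reach an action is a data change, not a code change.
    public static void Grant(string controller, string action, params string[] roles)
    {
        Map[controller + "/" + action] = roles;
    }
}

// Drop-in replacement for [Authorize(Roles = "...")]: the role list comes from the store.
public class DataDrivenAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Route data identifies the action being invoked; the attribute itself stays stateless.
        var routeValues = httpContext.Request.RequestContext.RouteData.Values;
        var controller = Convert.ToString(routeValues["controller"]);
        var action = Convert.ToString(routeValues["action"]);

        var allowed = PermissionStore.RolesFor(controller, action);

        // Fail closed: an action with no entry in the store is reachable by nobody.
        // Forgetting to register a new action denies access rather than silently granting it.
        if (allowed == null || allowed.Length == 0)
            return false;

        // user.IsInRole is answered by the configured role provider (SimpleRoleProvider
        // when SimpleMembership is in use).
        return allowed.Any(user.IsInRole);
    }
}

// Usage: the action carries no role names, only the marker that it is protected.
public class HomeController : Controller
{
    [DataDrivenAuthorize]
    public ActionResult DoSomething()
    {
        ViewBag.Message = "Do something really spectacular.";
        return View();
    }

    [DataDrivenAuthorize]
    public ActionResult Delete()
    {
        return View();
    }
}
```

If the attribute is registered in GlobalFilters instead of per action, every action is protected by default and the store becomes the single place where access is granted; MVC 4's AuthorizeAttribute still honors [AllowAnonymous] for the few actions that must stay public. Keep the fail-closed branch: the usual way such a scheme goes wrong is a missing store entry being treated as "no restriction".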