Sep 12, 2012

For the second time this year I have the great opportunity to be one of the judges for the INETA Component Code Challenge. Here are the details:

Have you ever thought “I have a good idea for an application, however what can I get for it?” and/or “I would love to go to DevConnections, but I am not sure how to pay for it?”. Well, you are in luck. With the INETA Component Code Challenge for 2012, all you need to do is create an application using 2 approved controls from 2 approved vendors, create a video talking about your application, and submit it to our judging panel. Our judging panel, consisting of Bill Reiss, Nikita Polyakov, Matt Hidinger, and Greg Leonardo, will be looking for innovation and creativity in the use of approved controls. To read official rules click here.

So grab your computer and Visual Studio and GET YOUR CODE ON!

Disclaimer: INETA covers one conference ticket, hotel, and travel to the conference as is outlined in INETA’s travel policy. Please visit the site for additional rules.

Mar 02, 2012

I learned about some security features in MVC3 that I had forgotten about. So, let's discuss them and the difference between authentication and authorization, and look at some standard attacks. MVC3 out of the box supports Windows and Forms-based authentication: Windows authentication is generally used for intranet applications, and Forms-based authentication is generally used for internet-facing applications. With Forms authentication, SSL needs to be used to protect the username and password entered by the user while they are in transit.

To secure a controller action you can apply the [Authorize] attribute to an action or to the controller itself. A bare [Authorize] attribute only says that you don't want anonymous users to access the controller or action; that is the authentication check. You can refine this by adding Roles or Users to the [Authorize] attribute, which is the authorization part of security in MVC3.

Now let’s talk about site attacks.

Cross-Site Scripting (XSS), whose consequences include cookie theft, malware downloads, account hijacking, and modified page content, to name a few. Request validation in the underlying ASP.NET framework rejects markup in incoming requests by default; where you deliberately need HTML to flow through, add the [AllowHtml] attribute to that one model property so the rest of the model stays protected and the risk is kept to a minimum.

The Microsoft Anti-Cross Site Scripting (Anti-XSS) library can then be used to sanitize the HTML that is let through.

Cross-site request forgery can be combated with @Html.AntiForgeryToken() inside your form declaration and the [ValidateAntiForgeryToken] attribute on the POST destination action in the controller.

Example:

In the View form definition:

[sourcecode language="csharp"]
@using (Html.BeginForm("Contact", "Home")) {
    @* Emits a hidden __RequestVerificationToken field that is paired with the anti-forgery cookie *@
    @Html.AntiForgeryToken()
    @Html.ValidationSummary(true)
    @* form fields and submit button go here *@
}
[/sourcecode]

In the Controller Action:

[sourcecode language="csharp"]
// Validate the token only on the POST; the GET that renders the form carries no token.
[HttpPost]
[ValidateAntiForgeryToken]
[OutputCache(NoStore = true, Duration = 0)] // never cache the response
public ActionResult Contact(string message = null)
{
    EmailModel email = new EmailModel();
    ViewBag.Message = message;
    return View(email);
}
[/sourcecode]
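Putting the pieces above together, as an added example that is not code from the original post: a controller that restricts access by role with [Authorize], renders the form on GET, validates the anti-forgery token only on the POST, and runs the single [AllowHtml] property through the Anti-XSS library's `Sanitizer.GetSafeHtmlFragment` before using it. The `Staff` role name and the `Subject`/`Body` properties of `EmailModel` are assumptions made for this example.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Microsoft.Security.Application; // Anti-XSS library (AntiXssLibrary.dll), assumed referenced

public class EmailModel
{
    [Required]
    public string Subject { get; set; }

    // Request validation would reject "<b>" here; [AllowHtml] opts this single
    // property out, so it must be sanitized before it is stored or rendered.
    [AllowHtml]
    public string Body { get; set; }
}

// Authentication: anonymous users are redirected to the Forms login page.
// Authorization: only members of the (assumed) "Staff" role may reach these actions.
[Authorize(Roles = "Staff")]
public class HomeController : Controller
{
    // GET renders the form; the token is emitted by @Html.AntiForgeryToken() in the view.
    [HttpGet]
    public ActionResult Contact()
    {
        return View(new EmailModel());
    }

    // POST is where the token is checked: the hidden form field and the
    // anti-forgery cookie must match, otherwise an HttpAntiForgeryException is thrown.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [OutputCache(NoStore = true, Duration = 0)]
    public ActionResult Contact(EmailModel email)
    {
        if (!ModelState.IsValid)
        {
            return View(email);
        }

        // Strip script, event handlers and other dangerous markup, keeping benign HTML.
        email.Body = Sanitizer.GetSafeHtmlFragment(email.Body);

        // ... send the email (omitted) ...
        ViewBag.Message = "Sent";
        return View(email);
    }
}
```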

Hopefully this gives some insight into the security options in MVC3; I will follow this up with MVC4 here soon.