Quick look at security in MVC3

I learned about some security features in MVC3, that I had forgotten about.  So, let’s discuss them and the differences between authenticate and authorization as well as look at some standard attacks.  MVC3 out of the box supports Windows and Forms based authentication, Windows authentication are generally used for intranet applications and Forms based is general used for internet based applications.  With forms authenticate SSL needs to used to help protect the username and password being entered by the user.

To secure a controller action you can use the [Authorize]  attribute to secure an action or the controller itself.  If you use just the [Authorize] attribute, all you are really saying is you don’t want anonymous users to access the controller or action.  You can further define this by adding Roles or Users to the [Authorize] attribute, which is the authorization part of security in MVC3.

Now let’s talk about site attacks.

Cross-Site Scripting, which are defined as cookie theft, malware downloads, account hijacking, and modify content to name a few.  This is controlled by the underlying framework, however you can use [AllowHtml] attribute to the model property you would like to allow Html to flow through with minimal risk.

The Anti Cross Script library can be used to help sanitize the Html.

Cross site request forgery can be combated with the @Html.AntiForgeryToken() on your form declaration and ValidateAntiForgeryToken attribute on the post destination action in the controller.

Example:
In the View form definition.

[sourcecode langauge="csharp"]
@using (Html.BeginForm("Contact", "Home")) {
@Html.AntiForgeryToken()
@Html.ValidationSummary(true)
[/sourcecode]

In the Controller Action

[sourcecode langauge="csharp"]
[OutputCache(NoStore=true, Duration=0)]
[ValidateAntiForgeryToken]
public ActionResult Contact(string message = null)
{
EmailModel email = new EmailModel();
ViewBag.Message = message;
return View(email);
}
[/sourcecode]

Hopefully this give some insight into security options with MVC3, I will follow this up with MVC4 here soon.

Why is Architecture important?

Today I was humbled in talking about architecture as I stumbled through some explanations of principles and key terms.  For those that know me I am very passionate and professional on how I approach things, including discussions.  I found myself stumbling because I got myself stuck on answering an open question about how I would architect something anyway I wanted to (skies the limit).  I struggled because everyday architects resolve issues within the constraints of budgets, personnel, and technology stacks.  It was like asking me, if you could do anything in the world, you want what would do?  Flight or invisibility?  But at the end of the day, the laws of gravity and physics comes into play.

I asked myself, why is architecture important?

Like everything else to me it is a process and with that it has defining characteristics.  Some of the main issues that seem to get focused on is acronyms and perceptions.  What I mean by that is acronyms have different meanings to different industries – they also seem to overlap.  Like a house, software needs a strong foundation to build on and without it everything built on top of it is at risk – do we really need to concern ourselves with what we call it.  Sometimes I think quite a few great discussions get last with acronyms and there usage

With that what should the goals of Architecture be?

The main focus should be bridging the gap between business requirements and technical requirements by understanding the software’s use cases and working out ways to implement them.

Well then, what key principles should an Architect consider?

  • Instead of building to last, build to change.
  • To reduce risk and model to analyze.
  • Use visualization as a collaboration tool.
  • Work to identify key engineering decisions.

With emergent architecture try using a more iterative or agile approach to help minimize risk of change throughout the process.

So, to answer the main question without a strong foundation you simple end with a house of cards, that is difficult to deploy, modify, manage, and support.  While architect by nature is conceptual, without walking that mile or suffering through a bumpy foundation – how do you really know what foundation to build?

 

INETA Component Code Challenge 2012

This year I have the great opportunity to be one of the judges for the INETA Component Code Challenge.  Here are the details:

Have you ever thought “I have a good idea for an application, however what can I get for it?” and/or “I would love to go to DevConnections or Tech•Ed, but I am not sure how to pay for it?”. Well, you are in luck. With the INETA Component Code Challenge for 2012, all you need to do is create an application using 2 approved controls from 2 approved vendors, create a video talking about your application, and submit it to our judging panel. Our judging panel, consisting of Bill Reiss, Nikita Polyakov, Matt Hidinger, and Greg Leonardo, will be looking for innovation and creativity in the use of approved controls. To read official rules click here.

So grab your computer and Visual Studio and GET YOUR CODE ON!

Disclaimer: INETA covers one conference ticket, hotel, and travel to the conference as is outlined in INETA’s travel policy. Please visit the site for additional rules.