Is it secure to use FormsAuthentication.SetAuthCookie after validating login, then rely on AuthorizeAttribute only?

StackOverflow https://stackoverflow.com/questions/20525744

Question

We have a legacy system for which we are exposing a new web interface. It has its own authentication/login management system, so I think we want to bypass a lot of what MVC4 can offer. We just need to have the legacy system verify that a user and password represent a valid login, then find some means of ensuring that future requests aren't forged from another user/client. Can we accomplish this simply with:

Code in the controller that supports login:

Imports System.Web.Mvc
Imports System.Web.Security

Public Class HomeController
   Inherits System.Web.Mvc.Controller

   Protected Overrides Sub OnAuthorization(filterContext As AuthorizationContext)
      MyBase.OnAuthorization(filterContext)
      If Not User.Identity.IsAuthenticated Then
         ' Ensure that provided login parameters are valid
         ' (the legacy system performs the actual check), then issue the
         ' forms-authentication ticket as a non-persistent session cookie.
         FormsAuthentication.SetAuthCookie(<Insert user name here>, False)
      End If
   End Sub

   Function Index(ByVal returnUrl As String) As ActionResult
      ViewData("ReturnUrl") = returnUrl
      Return View()
   End Function
End Class

Then I can simply apply AuthorizeAttribute to any controller function to make sure that it can only be called by an authorized user? For example:

' GET api/fsitem
<Authorize()> _
Public Function GetValues(<FromUri()> filter As IEnumerable(Of GridFilter)) As IEnumerable(Of FS_Item)

Is this adequately secure, assuming I tell the application what the value of User.Identity.Name is, or have I circumvented some important levels of security here?


Solution

Yes, this is basically using Forms Authentication cookie management without the Membership store. This is a supported scenario for ASP.NET. Here is an article explaining the difference between the two concepts.

Membership is not Forms Auth

After the initial authentication, the Authorize attribute will enforce the identity of the caller. Not only is this adequate, it is the key security feature of Forms Authentication.
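As an added example (not code from the original question or from the answer above), here is the same Forms Authentication pattern with the login moved into a dedicated POST action: the legacy system is the only thing that validates the password, SetAuthCookie issues the encrypted and signed ticket, and Authorize then gates every other action. ILegacyLogin, AccountController and FsItemController are names introduced here for illustration; the original posted no such types.

```vbnet
Imports System.Web.Mvc
Imports System.Web.Security

' Assumed abstraction over the legacy login check (not part of the original
' question). Whatever class implements it is the only code that ever sees
' the password; Forms Authentication never stores or re-checks it.
Public Interface ILegacyLogin
   Function ValidateCredentials(userName As String, password As String) As Boolean
End Interface

Public Class AccountController
   Inherits Controller

   Private ReadOnly _legacy As ILegacyLogin

   ' Supplied by the dependency resolver (or a default constructor that
   ' news up the legacy wrapper).
   Public Sub New(legacy As ILegacyLogin)
      _legacy = legacy
   End Sub

   <HttpGet()> _
   <AllowAnonymous()> _
   Public Function Login(ByVal returnUrl As String) As ActionResult
      ViewData("ReturnUrl") = returnUrl
      Return View()
   End Function

   <HttpPost()> _
   <AllowAnonymous()> _
   <ValidateAntiForgeryToken()> _
   Public Function Login(ByVal userName As String, ByVal password As String, ByVal returnUrl As String) As ActionResult
      ' The legacy system decides whether the credentials are valid.
      If Not _legacy.ValidateCredentials(userName, password) Then
         ' One generic message: do not reveal whether the user name exists.
         ModelState.AddModelError("", "Invalid user name or password.")
         ViewData("ReturnUrl") = returnUrl
         Return View()
      End If

      ' Issue the forms-authentication ticket as a session cookie
      ' (createPersistentCookie:=False). On later requests the
      ' FormsAuthenticationModule decrypts and MAC-checks this cookie and
      ' sets User.Identity.Name from it; nothing the client sends in clear
      ' text is trusted for identity.
      FormsAuthentication.SetAuthCookie(userName, False)

      ' Only follow return URLs that stay on this site (open-redirect guard).
      If Not String.IsNullOrEmpty(returnUrl) AndAlso Url.IsLocalUrl(returnUrl) Then
         Return Redirect(returnUrl)
      End If
      Return RedirectToAction("Index", "Home")
   End Function

   <HttpPost()> _
   <ValidateAntiForgeryToken()> _
   Public Function LogOff() As ActionResult
      ' Clears the ticket cookie; the browser is told to drop it.
      FormsAuthentication.SignOut()
      Return RedirectToAction("Login")
   End Function
End Class

' Everything here is reachable only with a valid ticket. A request without
' one (or with a tampered one, which fails the MAC check) gets a 401 and is
' redirected to the configured loginUrl.
<Authorize()> _
Public Class FsItemController
   Inherits Controller

   Public Function Index() As ActionResult
      ' Identity comes from the ticket, never from a request parameter.
      ViewData("User") = User.Identity.Name
      Return View()
   End Function
End Class
```

The cookie handling itself is configured in web.config under `<authentication mode="Forms">`: set `loginUrl` to the login action, `requireSSL="true"` so the ticket cookie is only ever sent over HTTPS, and leave `protection` at its default of `All` so the ticket is both encrypted and signed. The ticket's integrity rests on the application's `<machineKey>`, so on a web farm every node must share the same key values or tickets issued by one node will be rejected by the others.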

Licensed under: CC-BY-SA with attribution