Basic Authorization Demo

Basic Authorization using a custom authorization provider in ASP.NET MVC 5

MVC Authorization .NET C# FormsAuthentication HTML Bootstrap

Description

This demo shows how to make an MVC page private by applying the Authorize attribute to its Controller.
For this, I created a very basic custom authorization provider that simply requires a user name and password. For simplicity, my custom Auth provider is built on Microsoft FormsAuthentication, which manages forms-authentication services for web applications.

Disclaimer: This form of authentication is only for demonstration purposes and is not recommended for production scenarios (it is actually obsolete; use the Membership APIs instead).
The main focus should be on the ability to create your own authentication provider to restrict access to your pages.

Technologies and Concepts:

  • MVC5: Applying the Authorize attribute to the Admin Controller.
  • Dependency Injection using LightInject (used to inject a custom Authorization Provider)
  • Creating a custom Authorization Provider: provider logic, models and interface
  • Using basic HTML and Bootstrap; not focusing much on design

Test Cases

1. Access the Private page without authenticating

Expectations:

  • You should not have access to the Admin page because it is private and you have not passed the authorization process yet.
  • You should be redirected to the login page.

2. Enter a wrong Login and Password (anything). Click on the Submit button

Expectations:

  • You should receive an error message: Incorrect userName or password
  • You should not be redirected to the Admin page because you did not pass authentication

3. Enter the correct Login and Password. Use the fake user and password provided on the login screen. Click on the Submit button

Expectations:

  • You should be redirected to the Admin page because you passed validation.

Suggestions

  • Enhance the custom Authorization Provider: do not hardcode the users and passwords. Use a database or a web service to maintain your user data.
  • Better alternatives: use OAuth 2.0 (an authorization protocol) or OpenID, which is a layer on top of OAuth 2.0 combining authorization, identity, and authentication.
  • Logging out: there should be an option to log out. This demo only shows how to secure an MVC controller, but ideally you need to have an option to log out as well.
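The pieces described above (a provider behind an interface, injected into the controller with LightInject, a login action that issues the FormsAuthentication cookie, the Authorize-protected Admin controller, and the logout option from the Suggestions), as an added C# example that is not the demo's own code. The interface name IAuthProvider, the InMemoryAuthProvider class, the demo credential and the action names are assumptions, and it assumes Web.config has <authentication mode="Forms"> with a loginUrl pointing at the Login action.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Security;
using LightInject;

// Hypothetical provider contract (the demo's own interface name is not shown on the page).
public interface IAuthProvider { bool Validate(string userName, string password); }

// In-memory provider with one constructed demo credential, hardcoded only for the demo.
public class InMemoryAuthProvider : IAuthProvider
{
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string> { { "demo", "demo123" } };
    // Null guard first (TryGetValue throws on a null key); the comparison is ordinal.
    public bool Validate(string userName, string password) =>
        userName != null && Users.TryGetValue(userName, out var expected) && expected == password;
}

public class AccountController : Controller
{
    private readonly IAuthProvider _auth;
    public AccountController(IAuthProvider auth) { _auth = auth; } // resolved by LightInject
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!_auth.Validate(userName, password))
        {
            ModelState.AddModelError("", "Incorrect userName or password"); // test case 2
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false); // issue the forms-auth ticket cookie
        return RedirectToAction("Index", "Admin");          // test case 3
    }

    [HttpPost, ValidateAntiForgeryToken] // the logout option asked for under Suggestions
    public ActionResult LogOff() { FormsAuthentication.SignOut(); return RedirectToAction("Login"); }
}

[Authorize] // test case 1: anonymous requests are redirected to the Forms loginUrl in Web.config
public class AdminController : Controller { public ActionResult Index() { return View(); } }

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start() // Global.asax
    {
        var container = new ServiceContainer();
        container.Register<IAuthProvider, InMemoryAuthProvider>();
        container.RegisterControllers(); // LightInject.Mvc: controllers get IAuthProvider injected
        container.EnableMvc();
    }
}
```

The Authorize attribute returns 401 for anonymous requests and the forms-authentication module turns that into the 302 to the login page that test case 1 expects.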