Wednesday, October 27, 2010

Logging in and Authentication Providers in MVC

First, there is no Login control in an MVC application. You CAN use one, since ASPX pages and Web Forms server controls still work inside an MVC application. If you want 'pure' MVC with no Web Forms controls, though, do it the way the Visual Studio MVC project template does it.

By default a new MVC web application logs a user on as follows:
The master page contains a user control which, if Request.IsAuthenticated, displays a Log Off link and otherwise a Log On link.

The LogOn view is rendered when the user clicks the Log On link.
When the user fills in the details and submits the form, the following happens:

1. The form posts a LogOnModel (user name, password and the 'remember me' flag), together with the optional returnUrl value from the query string, to the AccountController. The LogOn action that receives it has this signature:

public ActionResult LogOn(LogOnModel model, string returnUrl)

2. The LogOn method validates the model: if (ModelState.IsValid)
3. It checks the credentials against the membership provider (not the profile provider, which only stores per-user properties): MembershipService.ValidateUser(model.UserName, model.Password)
4. On success it issues the forms authentication cookie: FormsService.SignIn(model.UserName, model.RememberMe); and then redirects to returnUrl, or to the home page if none was supplied. On failure it adds a model error and redisplays the form.
5. One caveat: returnUrl comes from the request, so check that it is a local path before redirecting to it. Otherwise the login page is an open redirect that can bounce a freshly authenticated user to any site an attacker chooses.
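The whole flow in one place, as an added example; this is my code, modelled on the MVC 2 template's AccountController but not copied from it, and it is not part of the original post. The LogOnModel, the IMembershipService/IFormsAuthenticationService wrappers and the poor-man's injection in Initialize follow the template's shape; the IsLocalUrl helper is my addition (MVC 3 and later ship an equivalent as Url.IsLocalUrl). The namespace and the exact error message are assumptions.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

namespace LogOnExample.Controllers   // assumed namespace
{
    // What the LogOn view posts: user name, password and the 'remember me' checkbox.
    public class LogOnModel
    {
        [Required]
        public string UserName { get; set; }
        [Required, DataType(DataType.Password)]
        public string Password { get; set; }
        public bool RememberMe { get; set; }
    }

    // Thin wrappers (the template's MembershipService / FormsService) so the controller
    // can be tested with fakes; each one just delegates to the ASP.NET API.
    public interface IMembershipService { bool ValidateUser(string userName, string password); }
    public interface IFormsAuthenticationService { void SignIn(string userName, bool createPersistentCookie); }

    public class AccountMembershipService : IMembershipService
    {
        private readonly MembershipProvider _provider;

        // Null means "the default provider configured in web.config".
        public AccountMembershipService(MembershipProvider provider)
        {
            _provider = provider ?? Membership.Provider;
        }

        public bool ValidateUser(string userName, string password)
        {
            // Never hand empty credentials to the provider.
            if (String.IsNullOrEmpty(userName) || String.IsNullOrEmpty(password)) return false;
            return _provider.ValidateUser(userName, password);
        }
    }

    public class FormsAuthenticationService : IFormsAuthenticationService
    {
        public void SignIn(string userName, bool createPersistentCookie)
        {
            if (String.IsNullOrEmpty(userName)) throw new ArgumentException("Value cannot be null or empty.", "userName");
            // Issues the forms-authentication ticket cookie; persistent = outlives the browser session.
            FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
        }
    }

    public class AccountController : Controller
    {
        public IFormsAuthenticationService FormsService { get; set; }
        public IMembershipService MembershipService { get; set; }

        // Poor man's dependency injection: use the defaults unless a test supplied fakes.
        protected override void Initialize(RequestContext requestContext)
        {
            if (FormsService == null) FormsService = new FormsAuthenticationService();
            if (MembershipService == null) MembershipService = new AccountMembershipService(null);
            base.Initialize(requestContext);
        }

        [HttpGet]
        public ActionResult LogOn()
        {
            return View();
        }

        [HttpPost]
        public ActionResult LogOn(LogOnModel model, string returnUrl)
        {
            if (ModelState.IsValid)   // [Required] attributes on LogOnModel
            {
                if (MembershipService.ValidateUser(model.UserName, model.Password))
                {
                    FormsService.SignIn(model.UserName, model.RememberMe);
                    // returnUrl arrives on the query string (FormsAuthentication appends ?ReturnUrl=...
                    // when it bounces an anonymous user here), so anyone can craft it.
                    if (IsLocalUrl(returnUrl)) return Redirect(returnUrl);
                    return RedirectToAction("Index", "Home");
                }
                // One message for both "no such user" and "wrong password".
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
            // Something failed: redisplay the form with the validation messages.
            return View(model);
        }

        // Accepts "/Account/ChangePassword"; rejects "http://evil.example", "//evil.example"
        // and "/\evil.example" (protocol-relative redirects). My helper, not the template's.
        internal static bool IsLocalUrl(string url)
        {
            if (String.IsNullOrEmpty(url) || url[0] != '/') return false;
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }
    }
}
```

The two things worth checking in your own project are the redirect guard (try logging in with ?ReturnUrl=//evil.example and confirm you land on Home) and that the failure branch does not distinguish unknown users from wrong passwords.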


The same pattern applies to 'Register': a RegisterModel is posted, the controller calls MembershipService.CreateUser and, on success, FormsService.SignIn. If you do NOT want anyone to be able to register, then REMOVE THE REGISTER METHODS (the GET that renders the form as well as the POST that handles it), or add security to them, such as requiring a SystemAdministrators role:

// Put the same attribute on the GET Register action too, or the empty form still renders.
[Authorize(Roles = "SystemAdministrators")]
[HttpPost]
public ActionResult Register(RegisterModel model)
{
    // ... MembershipService.CreateUser / FormsService.SignIn as in the template
}
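An added example of the restricted variant (my code, not the post's or the template's): Register moved out of AccountController into its own controller, so one class-level [Authorize] covers both the GET and the POST without locking anonymous users out of LogOn. It calls the static Membership.CreateUser API directly instead of the template's MembershipService wrapper, and deliberately does not sign the caller in as the new user, since an administrator is creating the account. The controller name, namespace and the status-to-message mapping are my assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

namespace RegisterExample.Controllers   // assumed namespace
{
    public class RegisterModel
    {
        [Required] public string UserName { get; set; }
        [Required, DataType(DataType.EmailAddress)] public string Email { get; set; }
        [Required, DataType(DataType.Password)] public string Password { get; set; }
    }

    // Class-level role check: every action here requires the role, so neither the
    // blank form (GET) nor the handler (POST) is reachable anonymously. Do NOT put this
    // on the controller that hosts LogOn, or nobody could reach the login page.
    [Authorize(Roles = "SystemAdministrators")]
    public class UserAdminController : Controller   // assumed name
    {
        [HttpGet]
        public ActionResult Register()
        {
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]   // the view must render Html.AntiForgeryToken()
        public ActionResult Register(RegisterModel model)
        {
            if (ModelState.IsValid)
            {
                MembershipCreateStatus status;
                // No password question/answer (provider must not require them); approved immediately.
                Membership.CreateUser(model.UserName, model.Password, model.Email, null, null, true, out status);

                if (status == MembershipCreateStatus.Success)
                {
                    // Unlike self-registration, the admin's own session stays untouched.
                    return RedirectToAction("Index", "Home");
                }
                ModelState.AddModelError("", ErrorCodeToString(status));
            }
            return View(model);
        }

        // Maps the provider's status to a message the admin can act on; my mapping.
        private static string ErrorCodeToString(MembershipCreateStatus status)
        {
            switch (status)
            {
                case MembershipCreateStatus.DuplicateUserName: return "That user name already exists.";
                case MembershipCreateStatus.DuplicateEmail: return "A user with that e-mail address already exists.";
                case MembershipCreateStatus.InvalidPassword: return "The password does not meet the configured requirements.";
                default: return "User creation failed (" + status + ").";
            }
        }
    }
}
```

For [Authorize(Roles = "...")] to work at all, the role manager has to be enabled in web.config (<roleManager enabled="true">) and the role has to exist in the configured role provider; otherwise every request to this controller is rejected and redirected to the login page, which is easy to mistake for a broken login.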
