I was trying to determine the best way to secure my admin* actions when I thought of something I had only really seen while studying for my MCSD.Net exams, or maybe it was the MCPD upgrade exams I haven't gotten round to taking.
I decided to secure the admin controller actions using:
[PrincipalPermission(SecurityAction.Demand, Role="<Role>")]
Which I had never used even though I started programming .Net during the beta of 1.0. And I have to admit that each time I run into something like this, it makes me feel that my thought in a previous post is right.
This works for my immediate needs, but after thinking about it, it would be nice if the Route Validation could deal with security too. That way, instead of getting a "Security Exception" when navigating to one of the admin actions, the route would simply not resolve, resulting in "An action named 'New' could not be found on the controller." if someone was trying out the obvious Urls for maintenance, since they are rather hackable (from Phil Haack's recent interview on the ASP.Net Podcast show).
Though now that I write that, I think it would be better to have it throw the Security Exception, log it, and then handle both errors as a 404 error from then on. That way I can log information about the unauthorized attempts on the admin actions without telling the outside world anything. So maybe I don't need to be able to specify authentication validation on the routes after all. Though routes based on errors might be nice.
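One way to get exactly that behaviour (keep the PrincipalPermission demand on the action, log the failed attempt server-side, answer with a 404) is an exception filter. This is an added example, not code from the original post; it assumes ASP.NET MVC 3 or later for HttpNotFoundResult, and the controller, action and role name are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;
using System.Web.Mvc;

// Converts the SecurityException thrown by a failed PrincipalPermission demand
// into a 404 response, after logging the attempt where only the server can see it.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class SecurityExceptionAsNotFoundAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        // Leave anything that is not a security failure to the normal error handling.
        if (filterContext.ExceptionHandled || !(filterContext.Exception is SecurityException))
            return;

        var http = filterContext.HttpContext;
        var user = http.User != null && http.User.Identity.IsAuthenticated
            ? http.User.Identity.Name
            : "(anonymous)";

        // Record who tried which admin URL from where; nothing of this reaches the client.
        Trace.TraceWarning(
            "Unauthorized admin attempt: user={0} ip={1} url={2}",
            user,
            http.Request.UserHostAddress,
            http.Request.RawUrl);

        // Respond as if the route had simply not resolved.
        filterContext.Result = new HttpNotFoundResult();
        filterContext.ExceptionHandled = true;
    }
}

// Usage (placeholder controller and role): the demand stays on the action,
// the filter on the controller turns the resulting SecurityException into a 404.
[SecurityExceptionAsNotFound]
public class AdminController : Controller
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public ActionResult New()
    {
        return View();
    }
}
```

The demand is evaluated against Thread.CurrentPrincipal, which ASP.NET sets from HttpContext.User, so the role check uses whatever membership/role provider the site is already configured with.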
Now I just need to look up more on custom error pages.
I really do feel so behind sometimes.
* Will be making a post in the next few days on this. The dynamic stuff I had started for the last post was a bit more usable in the admin area.
Technorati Tags: aspnetmvc, Security