CRV2 AuthorizationWeaknesses

Authorisation in .NET MVC 4

Using filters is the recommended way to implement authorisation in .NET MVC 4. MVC 3 introduced a method called RegisterGlobalFilters (in Global.asax.cs; MVC 4 project templates move it to App_Start/FilterConfig.cs and call it from Application_Start). Registering AuthorizeAttribute there can be used to DEFAULT DENY access to URLs in the application:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    // Applies to every controller action: unauthenticated requests are rejected
    // unless the action or its controller opts out with [AllowAnonymous].
    filters.Add(new System.Web.Mvc.AuthorizeAttribute());
}

It is recommended when reviewing MVC 3/4 .NET applications to look at how authorisation is implemented. The line filters.Add(new System.Web.Mvc.AuthorizeAttribute()); applies AuthorizeAttribute to every controller action, so any request from an unauthenticated user is rejected (a 401, which forms authentication turns into a redirect to the login page). Note what it does not cover: static files, Web API controllers (which need the separate System.Web.Http.AuthorizeAttribute registered on GlobalConfiguration.Configuration.Filters) and anything served outside MVC routing. If this is implemented we still need to allow unauthenticated access to certain pages such as a registration page, a public welcome page or the login page itself. How do we do this?

AllowAnonymous (introduced in MVC 4; MVC 3 code bases usually carry a hand-written equivalent) is used to exempt an action from the global AuthorizeAttribute so that no authenticated user is required. The code may look like this:

[AllowAnonymous]
public ActionResult LogMeIn(string returnUrl)
{
    // Reachable without authentication; the global filter is bypassed here.
    return View();
}

One must be careful that the actions which have AllowAnonymous enabled are actually designed for public consumption. When reviewing, search the whole code base for AllowAnonymous and justify every hit. Pay particular attention to the attribute placed on a controller class rather than on a single action: it exposes every public action in that controller, including any added later. Also remember that AllowAnonymous is only honoured by AuthorizeAttribute (and subclasses that keep its OnAuthorization logic); a custom authorisation filter may ignore it, and conversely a custom filter that replaces AuthorizeAttribute may not implement the default deny at all.
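The check above is easy to automate. The following console program is an added example, not code from the OWASP Code Review Guide or from any project it describes: it uses reflection to list every MVC action reachable without authentication, whether the exemption comes from [AllowAnonymous] on the action or on its controller. It assumes a reference to System.Web.Mvc (ASP.NET MVC 4); the AccountController, HelpController and AdminController classes are constructed for the demonstration and are hypothetical.

```csharp
// Added example (not from the original page): enumerate every controller
// action that bypasses a globally registered AuthorizeAttribute.
// Assumes a reference to System.Web.Mvc (ASP.NET MVC 4).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// --- sample controllers (constructed for this example, hypothetical) ------

public class AccountController : Controller
{
    // Public by design: anyone must be able to reach the login form.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl) { return View(); }

    [AllowAnonymous]
    public ActionResult Register() { return View(); }

    // Covered by the global AuthorizeAttribute; no attribute needed.
    public ActionResult ChangePassword() { return View(); }
}

// A controller-level [AllowAnonymous] opens EVERY public action on the
// controller, including ones added later. Reviewers should flag this pattern.
[AllowAnonymous]
public class HelpController : Controller
{
    public ActionResult Index() { return View(); }
    public ActionResult ExportAllUsers() { return View(); } // probably not meant to be public
}

public class AdminController : Controller
{
    public ActionResult Dashboard() { return View(); }
}

// --- the review check -----------------------------------------------------

public static class AnonymousActionAudit
{
    // Returns one "Controller.Action (scope)" entry per action that the global
    // default-deny filter will let through unauthenticated.
    public static List<string> FindAnonymousActions(Assembly assembly)
    {
        var results = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (var controller in controllers)
        {
            bool controllerWide = controller.IsDefined(typeof(AllowAnonymousAttribute), true);

            // MVC treats every public instance method as an action unless it
            // carries [NonAction]; property accessors are excluded via IsSpecialName.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
            {
                if (controllerWide)
                    results.Add(string.Format("{0}.{1} (controller-level [AllowAnonymous])",
                                              controller.Name, action.Name));
                else if (action.IsDefined(typeof(AllowAnonymousAttribute), true))
                    results.Add(string.Format("{0}.{1} (action-level [AllowAnonymous])",
                                              controller.Name, action.Name));
            }
        }
        return results;
    }
}

public class Program
{
    public static void Main()
    {
        // Run against the assembly that contains the controllers under review.
        foreach (var entry in AnonymousActionAudit.FindAnonymousActions(Assembly.GetExecutingAssembly()))
            Console.WriteLine(entry);
    }
}
```

Point FindAnonymousActions at the web application's compiled assembly (Assembly.LoadFrom on the bin folder DLL) and compare the list against the set of pages the design says are public; anything else, and in particular every controller-level entry, is a finding. The check only sees AllowAnonymousAttribute from System.Web.Mvc, so if the code base uses a custom attribute or a custom authorisation filter, adjust the type being searched for accordingly.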