Securing an MVC application
In this tutorial, you will learn how to secure an MVC application with Enforcer.
Learning objectives:
- Know how to add Enforcer to an MVC application
- Learn how to use the File System Policy Store
- Add authorization to an MVC controller
- Use Identity claims in authorization rules
- Use request values in the authorization rules
- Extend the Policy Information Point (PIP) to provide additional information to the PDP
- Use a custom handler for authorization failures
Note: This tutorial assumes you have a basic knowledge of ALFA and the OASIS policy model and understand the ASP.NET MVC programming model.
Getting Started
In this tutorial, you will evolve an MVC application to use a set of ALFA policies to perform authorization. To get started, clone the git repository:
https://github.com/RockSolidKnowledge/Samples.Enforcer
Once cloned, you will see a folder called MVCEnforcerTutorial. Inside this folder, there is a before folder; this folder represents the starting point. There are also a series of after folders representing each completed part of this tutorial. As you work through this tutorial, you will perform all the tasks inside the before folder.
Open the SecureMVCApp.csproj file in your .NET development environment and compile it. Now run the application. A web browser will launch with a login form. The following accounts have been pre-created:
- Username alice@acme.com, password alice
- Username bob@acme.com, password bob
- Username sally@acme.com, password sally
- Username charlie@acme.com, password charlie
Log in with one of these accounts. Once logged in, navigate to the purchase order area and create or edit a few purchase orders; you can order whatever you like.
Now inspect the PurchaseOrderController: other than requiring the user to be authenticated before calling the controller actions, there are no other security policies in play.
During this tutorial, you will be creating and modifying ALFA policies. We recommend installing an ALFA plugin for your .NET IDE; it will colorize ALFA syntax and highlight syntax errors.
Finally, if you don't have a license key for Enforcer, obtain one by visiting https://identityserver.com/products/enforcer