I have an ASP.NET MVC4 web page that is, for the most part, accessed without authentication. There is a single page that I want to protect for admin-only access (ELMAH's error log, specifically). Since I only require a single admin login, I'd like to avoid the complexity of maintaining a user/password database.

I've done some research, and I've found that previous versions of ASP.NET provide the ability to use Forms Authentication with a password encrypted in the web.config:

```xml
<forms loginUrl="Admin" name=".ASPXFORMSAUTH">
  <credentials passwordFormat="SHA1">
    <user name="admin" password="encryptedPassword" />
  </credentials>
</forms>
```

Then, the authentication controller uses FormsAuthentication.Authenticate and FormsAuthentication.RedirectFromLoginPage to validate entered credentials. However, I'm hesitant to use this solution because:

  1. The FormsAuthentication.Authenticate API is now obsolete.
  2. FormsAuthentication.RedirectFromLoginPage will redirect the user directly, rather than returning a RedirectResult. This doesn't follow the MVC controller pipeline, and so things like unit testing would be more difficult.

Looking through MSDN samples and the default template, it appears that WebMatrix's WebSecurity.Login API is the new standard for doing Forms Authentication in MVC applications. But, I haven't found a way to use a local (i.e. config-based) authentication provider.

Is there a recommended way to do local authentication, or is this considered a bad practice? What's the simplest method to provide admin authentication without taking on external dependencies?

Charles
Scott Wegner

1 Answer

WebSecurity.Login is not "the new standard" for authentication. It's more like the new "newbie friendly standard". WebSecurity only really supports SimpleMembership, and that is really simply designed for simple applications.

FormsAuthentication.Authenticate has not been a good choice for a long time, so the fact that it's now officially deprecated is not a big deal.

You should probably be using Membership anyways, and use Membership.ValidateUser to validate credentials. Or, use something like Windows Identity Foundation.

Erik Funkenbusch
  • Thanks for the tip, I'll read up more on ASP.NET Membership. What I'm looking for then is a `MembershipProvider` which authenticates from some local source. – Scott Wegner Feb 20 '13 at 15:56
  • @ScottWegner - not sure what you mean by "local source". If you mean a local database, then you can certainly use LocalDB or a local SqlServer or Sql Server Express database, and they work fine with SqlMembershipProvider (the old default provider, but still works). – Erik Funkenbusch Feb 20 '13 at 18:37
  • By "local source", I mean sourced internally from my web project. For example, within the web.config. I won't ever need more than a single login, so I want to avoid managing credentials within a database. – Scott Wegner Feb 20 '13 at 20:38
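
One way to get the config-based single admin login discussed in this thread, as an added example that is not code from the question, the answer or ASP.NET itself: the controller checks the password against a salted PBKDF2 hash kept in `appSettings`, issues the cookie with `FormsAuthentication.SetAuthCookie`, and returns an ordinary `ActionResult`. The `appSettings` keys `AdminUser`, `AdminSalt` and `AdminHash`, the iteration count and the `Index`/`Home` fallback route are assumptions made for the example.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

public class AdminController : Controller
{
    // Assumed work factor; it must match the value used when AdminHash was generated.
    private const int Iterations = 100000;

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!IsAdmin(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        // Issues the forms-auth cookie without redirecting, so the action stays unit-testable.
        FormsAuthentication.SetAuthCookie(userName, false);
        // Follow only local return URLs so the login page cannot be used as an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home"); // hypothetical default landing page
    }

    private static bool IsAdmin(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;
        // Hypothetical keys: AdminUser, AdminSalt (Base64, 8+ bytes), AdminHash (Base64 PBKDF2 output).
        var settings = ConfigurationManager.AppSettings;
        byte[] salt = Convert.FromBase64String(settings["AdminSalt"]);
        byte[] expected = Convert.FromBase64String(settings["AdminHash"]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            actual = kdf.GetBytes(expected.Length);
        // Evaluate both checks (non-short-circuit &) so timing does not show which one failed.
        bool nameOk = string.Equals(userName, settings["AdminUser"], StringComparison.Ordinal);
        return FixedTimeEquals(actual, expected) & nameOk;
    }

    // Constant-time comparison: always walks the full array instead of stopping at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The protected page is then limited to that user name with `[Authorize(Users = "admin")]` on an MVC action, or with an `<authorization>` rule under a `<location>` element in web.config for a handler such as ELMAH's.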