I have a .NET Web Project, however for the most part we are using HTML pages (ideally we would have a website project instead). These pages are loading their dependencies with RequireJS, so the only Razor part is happening with loading the initial HTML page. Now, this site has both a home page and an admin page. The home page does not need to be secured on the same level as the admin page. Thus, we are using a MapPageRoute for the home page to simply point to the appropriate home HTML page.
Now for the admin page, we need to have authentication and ensure that the user is an administrator. Currently, to achieve this, we have an AdminController which returns a view (we added a custom location for this view, since it is not in the default Views folder). So our controller looks like this:

using System.Web.Mvc;

namespace XXXXX.YYY.Web.Controllers
{
    public class AdminController : Controller
    {
        // Custom authorization attribute: only users holding the
        // ADMINISTER_APPLICATION privilege reach the admin view.
        [RequiresPrivilegeAttribute(Constants.Security.Privileges.ADMINISTER_APPLICATION)]
        public ActionResult Index()
        {
            // The view lives in a custom view location, not the default Views folder.
            return View();
        }
    }
}

What I would like to do is follow the same pattern I was using for the home site, by defining a route to simply load an HTML file. For the home page, we are using this in the RouteConfig (which happens on App_Start):

routes.MapPageRoute(
    "",
    String.Empty,
    "~/ui/dist/index.html"
);

For the Admin site route, our first and second parameter would be "Admin", and the third parameter would be the location of the admin index.html ("~/ui/dist/admin/index.html").
This won't work for the admin site, because it does not take into account administrator security. So the question is: how can I protect a path to an HTML file without having to use a controller?

Additionally, we are wanting to ultimately move away from a .NET MVC application and replace it with a pure HTML SPA. So I want to accomplish this without the use of a controller.

Andrew
  • This is not common way to leverage your web application security! – Amirhossein Mehrvarzi Nov 06 '14 at 22:01
  • I know it's not a common way to leverage security. That's why we're trying to find a better way of doing it. But ultimately we are moving away from Razor and MVC web applications to go for a more pure HTML/JS web application. Security is not my forte, so I'm unsure of the proper approach. – Andrew Nov 07 '14 at 13:51

2 Answers

In an ASP.NET MVC application you can't view a page without a controller or a map route for static HTML pages, unless you break its architecture, perhaps by authorizing in configuration files to view HTML pages too. This causes an anomaly, and the preferred security can't be ensured this way, although you have decreased it too!

Amirhossein Mehrvarzi
  • We are already using maps to static html pages (although they're technically not static, they're a dynamic SPA) for the home page, and for that, security isn't a big deal. For the admin page, we want to have that to be a static html page as well, but provide some way to filter routes based on a security level (not just authenticated, but an administrator). – Andrew Nov 07 '14 at 13:57
You could try adding it in the Web.Config, but I haven't tried this on MVC before...

<location path="ui/dist">
  <system.web>
    <authorization>
      <allow users="UsersToAllow" />
      <deny users="UsersToDeny" />
    </authorization>
  </system.web>
</location>

You could deny Non-Authenticated users, <deny users="?"/>. Also, have a read of this link Securing your ASP.NET MVC App...

Christian Phillips
  • Ultimately, we would like to move away from the ASP.NET MVC approach, and have a more Web Site approach (since we are creating a pure html SPA). We looked into modifying the web.config, but that doesn't give us the level we need. It is not enough to know if the user is authenticated, but if the user has admin privileges. To my knowledge, we can't perform that level of a check in the web.config. – Andrew Nov 07 '14 at 14:00
  • You could use `` – Christian Phillips Nov 07 '14 at 14:02
  • So in our existing controller (which we are trying to replace), we have the following line above the Index ActionResult: _[RequiresPrivilegeAttribute(Constants.Security.Privileges.ADMINISTER_APPLICATION)]_. How would that work with Roles in the Web.Config? – Andrew Nov 07 '14 at 14:15
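As an added example (not code from the answer or from the asker's project), here is how the `roles` attribute the comment thread points at can express the administrator requirement for the admin bundle in Web.config, keeping the home bundle open. It assumes Forms authentication with a role provider, IIS integrated pipeline mode, and uses "Administrators" as a placeholder for whatever role backs the ADMINISTER_APPLICATION privilege.

```xml
<!-- Added example, not from the original post. Assumptions: Forms auth with a
     role provider, IIS integrated mode, and "Administrators" as a placeholder
     role name that corresponds to the ADMINISTER_APPLICATION privilege. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" />
    </authentication>
    <roleManager enabled="true" />
  </system.web>

  <!-- Home bundle, the target of the MapPageRoute in the question: open to all. -->
  <location path="ui/dist/index.html">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin bundle: rules are evaluated top-down and the first match wins,
       so the role allow must come before the catch-all deny. -->
  <location path="ui/dist/admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <!-- The managed FormsAuthentication and UrlAuthorization modules carry the
         "managedHandler" precondition by default, so a plain .html request
         would bypass them. Running all managed modules for every request makes
         the rules above apply to the static admin files as well. -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
```

An unauthenticated request for anything under ui/dist/admin is redirected to the loginUrl, and an authenticated user outside the role receives a 401 from the module, before any file is served.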