Gist related to my "Secure your web app fluently" at http://marcofranssen.nl
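/// <summary>
/// MVC controller for category maintenance. Access is governed by the
/// FluentSecurity policies configured in SecurityBootstrapper, which in this
/// gist restricts both AddNewCategory overloads to AppRoles.SystemAdministrator.
/// </summary>
public class CategoryController : Controller
{
    /// <summary>Renders the empty "add category" form.</summary>
    [HttpGet]
    public ActionResult AddNewCategory()
    {
        return View(new CategoryModel());
    }

    /// <summary>
    /// Receives the posted form. Re-renders the form when model binding left
    /// ModelState invalid; otherwise persists the data and redirects back to
    /// the GET action (post-redirect-get).
    /// </summary>
    /// <param name="model">Bound from the request body, i.e. untrusted input.</param>
    [HttpPost]
    // State-changing POST: reject requests that do not carry the anti-forgery
    // token, so a cross-site form cannot create categories with an admin's
    // session. The view must emit the token with @Html.AntiForgeryToken().
    [ValidateAntiForgeryToken]
    public ActionResult AddNewCategory(CategoryModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        //Save the data etc...
        return RedirectToAction("AddNewCategory");
    }

    //Other actions
}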
/// <summary>
/// Verifies that the FluentSecurity configuration applied by BootStrapper.BootUp()
/// matches the policies we expect for selected actions, so that a regression in
/// the security setup fails the build instead of silently opening an endpoint.
/// </summary>
[TestFixture]
public class FluenSecuritySetupTests
{
    /// <summary>Boots the application (and with it the security configuration) before each test.</summary>
    [SetUp]
    public void SetUp()
    {
        BootStrapper.BootUp();
    }

    /// <summary>
    /// The logon action and the home page must stay reachable without authentication.
    /// NOTE(review): this expects LogOn(string) to be ignored, whereas the gist's
    /// SecurityBootstrapper ignores the parameterless LogOn(); confirm the overloads match.
    /// </summary>
    [Test]
    public void anonymous_access_should_be_allowed_for_the_logon_and_home_index_actions()
    {
        var verification = SecurityConfiguration.Current.Verify(expect =>
        {
            expect.Expect<UserController>(c => c.LogOn(string.Empty)).Has<IgnorePolicy>();
            expect.Expect<HomeController>(c => c.Index()).Has<IgnorePolicy>();
        });

        Assert.That(verification.Valid(), verification.ErrorMessages());
    }

    /// <summary>
    /// Both the GET and the POST overload of AddNewCategory must require the
    /// SystemAdministrator role; checking only one of them would leave the other unverified.
    /// </summary>
    [Test]
    public void adding_a_new_catogegory_requires_a_system_administrator_role()
    {
        var requiredRole = new RequireRolePolicy(AppRoles.SystemAdministrator);

        var verification = SecurityConfiguration.Current.Verify(expect =>
        {
            expect.Expect<CategoryController>(c => c.AddNewCategory()).Has(requiredRole);
            expect.Expect<CategoryController>(c => c.AddNewCategory(null)).Has(requiredRole);
        });

        Assert.That(verification.Valid(), verification.ErrorMessages());
    }
}
/// <summary>
/// ASP.NET application entry point. Wires up FluentSecurity, the Windsor
/// container, areas, global filters and routes at start-up.
/// </summary>
public class MvcApplication : HttpApplication
{
    /// <summary>Application-wide Windsor container; assigned once in Application_Start.</summary>
    public static IWindsorContainer Container { get; private set; }

    protected void Application_Start()
    {
        // Security is configured before the container exists. The configuration
        // in the gist only stores a delegate that resolves handlers from the
        // container at request time -- NOTE(review): confirm nothing in
        // SecurityBootstrapper resolves services eagerly during BootUp().
        SecurityBootstrapper.BootUp();

        var container = new WindsorContainer();
        container.Install(FromAssembly.This());
        Container = container;

        AreaRegistration.RegisterAllAreas();
        RegisterGlobalFilters(GlobalFilters.Filters);
        RegisterRoutes(RouteTable.Routes);
    }

    //Other members left for brevity...
}
/// <summary>
/// Handles violations of the deny-anonymous policy by answering HTTP 401, which
/// under forms authentication is typically turned into a redirect to the logon page.
/// </summary>
public class DenyAnonymousAccessPolicyViolationHandler : IPolicyViolationHandler
{
    public ActionResult Handle(PolicyViolationException exception)
    {
        //Log the violation, send mail etc. etc.
        // The policy message becomes the HTTP status description and is thus
        // visible to the unauthenticated caller -- keep it free of internal detail.
        var statusDescription = exception.Message;
        return new HttpUnauthorizedResult(statusDescription);
    }
}
/// <summary>
/// Handles violations of a role policy (the caller is authenticated but lacks the
/// role) by redirecting to the root-area Error/HttpForbidden action.
/// </summary>
public class RequireRolePolicyViolationHandler : IPolicyViolationHandler
{
    public ActionResult Handle(PolicyViolationException exception)
    {
        //Log the violation, send mail etc. etc.
        // The policy message is passed as a route value, so it normally ends up
        // in the redirect URL the browser sees -- keep it free of sensitive detail.
        var routeValues = new RouteValueDictionary
        {
            { "area", "" },
            { "controller", "Error" },
            { "action", "HttpForbidden" },
            { "statusDescription", exception.Message }
        };
        return new RedirectToRouteResult(routeValues);
    }
}
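/// <summary>
/// Central FluentSecurity configuration. The default is to deny anonymous access
/// to every controller in the web assembly; individual actions are then opened up
/// or tightened explicitly. Fixes the missing ");" that closes the Configure call.
/// </summary>
public static class SecurityBootstrapper
{
    public static void BootUp()
    {
        SecurityConfigurator.Configure(configuration =>
        {
            // Policy violation handlers are resolved through the Windsor container (see WindsorInstaller).
            configuration.ResolveServicesUsing(type => BootStrapper.Container.ResolveAll(type).Cast<object>());

            // Authentication state and roles come from the ASP.NET principal and role provider.
            // NOTE(review): HttpContext.Current.User can be null outside a request; confirm
            // this delegate is only evaluated while a request is being processed.
            configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
            configuration.GetRolesFrom(Roles.GetRolesForUser);

            // Secure default: every action requires an authenticated user...
            configuration.ForAllControllersInAssembly(typeof(HomeController).Assembly).DenyAnonymousAccess();

            // ...except the public landing page and the logon action.
            // NOTE(review): only the parameterless LogOn() is ignored; if the POST overload
            // has a different signature it stays behind DenyAnonymousAccess and the logon
            // form could not be submitted -- confirm against UserController.
            configuration.For<HomeController>(c => c.Index()).Ignore();
            configuration.For<UserController>(c => c.LogOn()).Ignore();

            // Role-restricted administration actions. Both AddNewCategory overloads
            // (GET and POST) are configured separately, as appears to be required.
            configuration.For<UserController>(c => c.ResetPassword()).RequireRole(AppRoles.UserAdministrator);
            configuration.For<CategoryController>(c => c.AddNewCategory()).RequireRole(AppRoles.SystemAdministrator);
            configuration.For<CategoryController>(c => c.AddNewCategory(null)).RequireRole(AppRoles.SystemAdministrator);
        });
    }
}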
/// <summary>
/// Placeholder for the security configuration; this early version of the
/// bootstrapper intentionally does nothing yet.
/// </summary>
public static class SecurityBootstrapper
{
    /// <summary>No-op; the FluentSecurity setup is added in a later step.</summary>
    public static void BootUp()
    {
        //Here we will configure our security later on...
    }
}
/// <summary>
/// Registers every IPolicyViolationHandler implementation in this assembly as a
/// singleton, so FluentSecurity can resolve them through the container.
/// </summary>
public class WindsorInstaller : IWindsorInstaller
{
    public void Install(IWindsorContainer container, IConfigurationStore store)
    {
        // NOTE(review): without a WithService selection Windsor registers these
        // components under their implementation type; confirm that
        // ResolveAll(typeof(IPolicyViolationHandler)) in SecurityBootstrapper
        // actually finds them, otherwise violations would go unhandled.
        var handlers = AllTypes.FromThisAssembly()
            .BasedOn<IPolicyViolationHandler>()
            .Configure(handler => handler.LifeStyle.Singleton);

        container.Register(handlers);
    }
}