Securing ASP.NET Dynamic Data

At VSLive in Dallas last week I promised to follow up with a post about securing an ASP.NET Dynamic Data application. Your first concern is not exposing all the tables, so although it demo’s well, never set ScaffoldAllTables to true. That however, does still not solve how you can provide read-only access to certain users, while providing edit access to others. The most elegant way to do that is at the Data Model level, using a custom security attribute. There’s a great sample on how to do that on the Dynamic Data Samples on Codeplex. The specific sample you want is Secure Dynamic Data.


If you don’t want to spend the time to understand how security at the Data Model works, you can also just use ASP.NET Roles to secure specific parts of your site. Since securing folders/files that way has been around since ASP.NET 1.x, that should be easy enough :). There is a gotcha though: you cannot secure dynamic folders. In other words, a Dynamic Data path /SomeTable/List.aspx is not securable, because SomeTable is not an actual folder. With three simple steps you can get around this.


Step 1: Create a folder corresponding to a specific role, for example “Readers”.


Step 2: Create a web.config in that folder limiting access to the role(s) you want to give access.


Step 3: In globas.asax, route the tables and actions that apply to the specific role to that folder, like this:


routes.Add(new DynamicDataRoute(“Readers/{table}/{action}.aspx”)
{
    Constraints = new RouteValueDictionary(
        new
        {
            action = “List|Details”,
            table = “EvaluationSubjects|Reports”,
        }),
        Model = model
});


 

2 thoughts on “Securing ASP.NET Dynamic Data

Leave a Reply

Your email address will not be published. Required fields are marked *