Showing posts from May, 2012

MVC - Displaying CheckBoxLists for Generic Lists

When developing an application, you may encounter a scenario where you have, for example, a customer record and that customer may be a member of several (but not all) customer lists in your application. 

All fairly straightforward. In an ASP.NET WebForms application for a customer management page where you want to select or un-select the lists a customer is in, you would typically bind the available customer lists to a CheckBoxList and in the DataBound event for this CheckBoxList control you would then mark checkboxes as checked for the lists your customer is in.

Depending on how you structure your application, this could involve two calls to your data store - one to get the available customer lists and one to get the customer details.

With MVC, the approach to this scenario takes a little adjustment!

The MVC Approach

There are several ways to handle displaying checkbox lists, however when I am developing MVC applications  I prefer to work solely with the strongly typed ViewModel I have cr…

MVC3 - Securing with Authentication and Anti-forgery by Default

Following on from my post about securing MVC3 application by use of global filters, I have released today a package on that can be installed to do this automatically.

In addition to requiring to set explicit anonymous access for controller actions you want to be accessible anonymously, there is also ad additional filter for anti-forgery tokens. The additional filter requires you to pass an anti-forgery token in every form post.

Please download the package and let me know what you think!

Securing Your MVC Intranet Applications - Security by Default

The standard way to secure your MVC Intranet applications is to use the [Authorize] attribute for controller actions you want to secure. The controller is the resource you're actually trying to protect and any security decisions should be done at the controller level rather than at the route level.

For example using the default Intranet Application template in MVC3, you will have a Home Controller that looks like the following:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace MvcAuthenticationSample.Controllers
    public class HomeController : Controller
        public ActionResult Index()
            ViewBag.Message = "Welcome to ASP.NET MVC!";

            return View();

        public ActionResult About()
            return View();

To force users to log on when they access /Home/, you would add the [Authorize] attribute to your Index ActionResult, like this: