Securing your base code for SPAs using ASP.NET MVC the easy way

For this you will only need 1 controller, and 1 optional view.

The controller takes the route, looks up its details in the DB, and feeds the result back to the view. The optional view then embeds the host page internally, or the controller can just issue the page itself.

The purpose of this is to lock down your SPA pages from prying eyes if they don’t have rights to the page.

So you will have a routing table that maintains the security, and describes what happens to the route.

Example route mydomain.dom/SPAName/#Home

So in the ASP.NET routing we get “SPAName”, which we can look up to see that it belongs to the view “SPAName/home.html”. While we are looking this up, we can also check the rights table and see that there is a right called “SPAName:true” with a tag called “Required”. So if the logged-in user has the business rule “SPAName”, they have the right to get the page rendered to their browser.

Sample Table

ID   RoutCommand   SPAHost         BusinessRequirement
11   SPAName       SPAName/#Home   Required:SPAName=true,

If you opt not to have a view, then just have the controller read and issue the HTML. By doing this you control how the HTML is locked down, for example by storing it off the host server, or just outside of the public host space. You can even store the page encrypted and decrypt it before it is issued.
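The following controller is an added example, not code from the original post: it looks up the sample row, checks the requirement, and issues the host page from a folder outside the public host space. It assumes that business rules are exposed as ASP.NET roles, that a route "{spaName}" is mapped to SpaHost/Index, and that host pages live under ~/App_Data/Spa; the class names and the parsing of the "Required:" value are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web.Mvc;

// Constructed stand-in for one row of the routing table described above.
public class SpaRoute
{
    public string HostFile;             // host page, relative to the protected folder
    public string BusinessRequirement;  // e.g. "Required:SPAName=true,"
}

[Authorize] // anonymous users never reach the lookup
public class SpaHostController : Controller
{
    // In-memory sample row; a real application would query the DB table.
    static readonly Dictionary<string, SpaRoute> Routes =
        new Dictionary<string, SpaRoute>(StringComparer.OrdinalIgnoreCase)
        {
            { "SPAName", new SpaRoute { HostFile = "SPAName/home.html",
                                        BusinessRequirement = "Required:SPAName=true," } }
        };

    // Assumed format: "Required:" followed by comma-separated "rule=true" pairs.
    static List<string> RequiredRules(string requirement)
    {
        const string prefix = "Required:";
        if (requirement == null || !requirement.StartsWith(prefix, StringComparison.Ordinal))
            return new List<string>();
        return requirement.Substring(prefix.Length)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(p => p.Split('='))
            .Where(kv => kv.Length == 2 && kv[1].Trim() == "true")
            .Select(kv => kv[0].Trim()).ToList();
    }

    // The "#Home" fragment stays in the browser; only "SPAName" reaches the server.
    public ActionResult Index(string spaName)
    {
        SpaRoute route;
        if (spaName == null || !Routes.TryGetValue(spaName, out route))
            return HttpNotFound();
        var rules = RequiredRules(route.BusinessRequirement);
        // Fail closed: an unparseable or empty requirement denies access.
        if (rules.Count == 0 || !rules.All(r => User.IsInRole(r)))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        // The path comes from the table, never from the URL; IIS does not serve App_Data directly.
        return File(Server.MapPath("~/App_Data/Spa/" + route.HostFile), "text/html");
    }
}
```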

The goal here is to prevent those people who have no right to your page from getting access to your page.

