All geek questions in one place

Why is auth usually located in the MVC?

I have done a lot of tutorials for different MVC frameworks, and it seems that this is typical for authorization in the controller. Why?

My idea is that the controller should only be used to organize the actions of the model, to handle redirection, and to handle error events. This is what is specific to the request. Setting the authorization in the controller seems such that you have to duplicate the authorization each time you use the same model action in different controller actions or different controllers. If Auth is in the model, you have sequential requirements to perform a change in the action or state of the data.

I searched and searched for other questions, such as Should authorization be part of a model or controller? but I really don’t understand why convention is accepted.

Is there any specific reason why I do not have enough authority to authorize in the model controller?

To summarize in the comments:

  • Controllers are responsible for changing the state of the model layer and the current view. Nothing more.
  • Authorization belongs to where the action is performed, if you execute a strict MVC pattern, this will most likely be a model, and the controller is certainly not responsible for authorizing the use of model actions.
  • Cookies should be processed like any other data storage: abstracted and used in models, and not directly using controllers.
  • Authentication and authorization are separate issues, although both of them usually fall into the model level, since they usually include checking values ​​in data stores (for example, cookies).
+6
source share
3 answers

Is there any specific reason why I am not enough for authorization in the controller by model?

Well, the most common reason I can imagine is laziness. I don’t mean that it’s moral, but it’s much easier to skip some authorization concept from above into a layer that is closer to a specific request in order to have differentiated access at the model level. To have authorization with models, this is a much higher design.

To add some more practical recommendations for the answer, I think you should analyze for each program where and why you want to enter authorization. The needs for this can be (extremely) different.

Then only in the next step should you think about which design is most beneficial for introducing authorization and authentication to meet these needs.

+6
source

In the MVC approach, you need to install protection in the place where:

  • it cannot be bypassed
  • It can be easily configured, managed and updated.

This applies - essentially - to any architecture / type of application.

In particular, in MVC, imagine that you entered authorization in a view. For example, you decide to control who can approve a transaction by enabling / disabling a button. The user of your submission will not be able to approve the transaction if it is not allowed. Imagine that you expose your controller by API, not by presentation. Approve authorization check now needs to be redefined in the API level.

This example shows that you are better off disconnecting authorization from the view / different endpoints and to a common center point - your controller.

Similarly, if you want to control access to large data sets (for example, medical records), you ideally want to put authorization in the model. This is explained both for performance reasons and for security reasons: you prefer the controller to process less data, and you should always try to protect the source of confidential data as close as possible.

Please note that the simultaneous use of permissions / authorization checks in the view, controller and model can lead to a significant increase in experience. See Authorization in the view as a "security / usability" mechanism, in which the user is only presented with the corresponding menus and widgets on the screen depending on their rights. If they were malicious and knew their way around the user interface to the controller, authorization will still be there.

Finally, generally speaking, you want to separate non-functional requirements / logic from functional requirements / logic. Just as you do not implement logging in your code, but use a custom structure (e.g. Log4J) or rely on a container for authentication (e.g. HTTP BASIC in Apache Tomcat), you want to use an external authorization environment such as authorization on based on the requirements of the world of Microsofct MVC4, Spring Security in Java, CanCan in Ruby or XACML, a standard part of the same body as SAML (OASIS), and which will allow you to apply authorization for any type of application and at any level.

+1
source

Authorization as a holistic process should be involved both in the controller levels and in the model.

But all logical queries (SQL queries, etc.) must happen in the model. The controller is an intermediate layer between the view (view) and the model. But you simply cannot throw the controller out of this scheme, because the Controller is responsible for processing sessions and cookies. Without these two things, all your authentication / authorization logic is useless because it is by its nature stateless. Sessions and cookies bring information to it. Moreover, as you correctly said, the controller redirects.

0
source

Source: https://habr.com/ru/post/956274/

More articles:


All Articles