Feature List

Reliable, secure and flexible

20 absolutely essential features to create reliable, secure and flexible applications on ASP.NET MVC

You get source code for almost all the features of ASP Security Kit (detailed below) directly installed and neatly organized in your application project, which means you can modify or extend ASP Security Kit easily to achieve your application goals.

Note: Not all features mentioned below are included in every package. Please see Packages to learn about features included in a given package.



Activity (permission) based authorization checks

Hardwiring roles to actions in your code limits your ability to manage permissions at run time. The alternative is activity-based authorization, which gives you granular control and the ability to manage permissions on a live application. In this approach, you define a unique permission code for each action and authorize users by checking whether they possess the corresponding permission code in their permission set for the action being executed. ASP Security Kit can automatically infer this permission code. This means you don't have to type the permission code and clutter your code with more attributes. Of course, you can completely override this behavior for a controller, for individual actions, or for both.

ASP Security Kit also introduces a new concept called implied permissions, which is more flexible than roles and completely eliminates the need for having roles as a separate construct.

Resource aware activity-based authorization

Most actions are performed on some resource (entity record). Read, update and delete are three of the four typical CRUD operations that require a record. In a real-world web application that supports multiple users, you absolutely need the ability to authorize users for actions against resources.
ASP Security Kit lets you manage permissions against actions down to individual resources at run time.
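
The two sections above (activity-based checks with implied permissions, and checks scoped to a resource) can be modelled in a few lines. This is an added illustration, not ASP Security Kit's own code or API: the `PermissionSet` class, the `<Controller><Action>` code convention, the `"*"` wildcard and the sample permission names are all assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; not ASP Security Kit's API. All names are hypothetical.
public sealed class PermissionSet
{
    // Grants are (permission code, resource id); "*" means every resource.
    private readonly HashSet<(string Code, string Resource)> _grants = new HashSet<(string, string)>();
    // Implied permissions: holding the key also confers each code in the value.
    private readonly Dictionary<string, string[]> _implies;
    public PermissionSet(Dictionary<string, string[]> implies) { _implies = implies; }

    public void Grant(string code, string resource = "*")
    {
        // Expand implications transitively at grant time; 'seen' guards against cycles.
        var seen = new HashSet<string>();
        var pending = new Stack<string>();
        pending.Push(code);
        while (pending.Count > 0)
        {
            var c = pending.Pop();
            if (!seen.Add(c)) continue;
            _grants.Add((c, resource));   // implied codes inherit the same resource scope
            if (_implies.TryGetValue(c, out var children))
                foreach (var child in children) pending.Push(child);
        }
    }
    // Deny by default: allowed only on an exact or wildcard grant.
    public bool IsAuthorized(string code, string resource) =>
        _grants.Contains((code, resource)) || _grants.Contains((code, "*"));
}

public static class Demo
{
    // Assumed convention: the code is inferred as "<Controller><Action>".
    public static string InferCode(string controller, string action) => controller + action;

    public static void Main()
    {
        var implies = new Dictionary<string, string[]> {   // constructed sample data
            ["ManageInvoice"] = new[] { "InvoiceEdit", "InvoiceDetails" },
            ["InvoiceEdit"] = new[] { "InvoiceDetails" },
        };
        var alice = new PermissionSet(implies);
        alice.Grant("ManageInvoice", resource: "42");
        Console.WriteLine(alice.IsAuthorized(InferCode("Invoice", "Edit"), "42"));    // implied, same resource
        Console.WriteLine(alice.IsAuthorized(InferCode("Invoice", "Edit"), "43"));    // different resource
        Console.WriteLine(alice.IsAuthorized(InferCode("Invoice", "Delete"), "42"));  // never granted or implied
    }
}
```

Because this sketch expands implications when a grant is made, a later change to the implication map does not affect existing grants; resolving implications at check time avoids that at the cost of a lookup per request.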

One-click install using NuGet

ASP Security Kit is distributed as a NuGet package so it is fairly easy to install it in an ASP.NET MVC project.

User Model Independence

Most authorization systems restrict you to the specific user model that they implement. Often, the user tables are also created automatically from that model and you have no control over the schema.

ASP Security Kit is designed to free you from this limitation as well – the core security module works on interfaces and the models implementing those interfaces live in your application project. So you are free to change the actual models as per your needs.

Database and data access technology agnostic

ASP Security Kit does not force you to work with a specific database (e.g. SQL Server) or to use a particular data access technology (e.g. EF or NHibernate). It abstracts the call to the database using a service pattern interface, the implementation of which resides in your application code and can be modified to work with any database/data access technology.

Testable design based on Service pattern implementation

The entire core security module is implemented using the service pattern, so you can easily create mocks during testing for things like the user service, data access, session, logging, localization, etc., and can even provide your own implementation of any component at runtime as needed.

Fixed timeout issue for Remember me in ASP.NET

If you have implemented a real web application in ASP.NET, you must have noticed that there’s only one timeout value supported by forms authentication, and that is not enough. You need one timeout value for when the ‘remember me’ checkbox is checked and another for when it is not. Why? Because in the former case, the user expects to be logged in automatically even if he returns to the website after days, while in the latter case, the expectation is that the user must be logged out automatically after some time of inactivity (say 45 minutes or some hours). ASP Security Kit fixes this shortcoming in ASP.NET forms authentication and gives you the ability to specify a different timeout value for each of these two cases.

Custom formatted 404/500 error pages that do not redirect

The requirements for complete, frictionless custom error pages (404 not found/500 internal error) in ASP.NET MVC are:

  1. Execute a specific Mvc error controller's action for each error so that you can display error page with layout (header/footer) matching your site layout.
  2. You should be able to re-use layout.cshtml (the master theme definition file) for error views so you don't repeat yourself (DRY).
  3. You should not redirect to a different, error specific page just to display the error. Redirecting is bad for SEO and you also lose the context.
  4. You must be able to return the corresponding HTTP status code (404/500) for the error that occurred. This is necessary for SEO so that search engines do not index your error pages.
  5. Your error pages (Mvc actions) aren't accessible directly (and you get 404 if you invoke their URL.)

If you install ASP Security Kit, you get a full-fledged, custom error handling flow implementing all of the above requirements out of the box!

Forgot/reset Password flow via email

Specify email and password for the mail provider of your choice (Gmail/Yahoo/Hotmail) in web.config and have a complete forgot password flow get up and running with email templates customizable to fit your brand.
The entire templating and mailing code lives as source files in your application project so you can extend it to more providers and customize it as per your needs.

User hierarchy

All real-world systems observe some kind of user hierarchy. For example, you always like to have an admin user in addition to regular members so that you can manage the system. In moderately complex web applications, you have a hierarchy of 3 or more levels, like super admin > admins > managers > executives etc. ASP Security Kit supports this feature out of the box, and you explicitly define the parent user as you create a new user. The parent user can then delegate all or a subset of its permissions to its subordinate users and control their activities.

User Verification

Apart from authentication and authorization, there’s one more check that is useful in most web applications, and that is verification. If your registration process requires the user to provide his email and/or phone number, you also require that the user verify that he actually owns that email or phone number before he can do anything useful with the system. ASP Security Kit provides built-in support for the complete verification flow (for emails), and you can selectively allow only certain pages to be accessible to unverified users, just as you do for anonymous users.

Localization support

An out-of-the-box support for customizing time zone and culture information (date formats) for every user. Razor templates and json.net converters to automatically manage localization for any rendering scenario.

Multiple Themes (including Bootstrap based)

For the first time, you can choose a theme for your MVC project – ASP Security Kit comes with multiple starter themes based on the popular Twitter Bootstrap CSS framework. However, if you want your views based on the default theme that comes with the ASP.NET MVC project template, you have that option as well.
You may try out different themes on the demo website (change current theme from the combo box at the bottom of any page.)

Admin Control Panel

The admin control panel lets administrators and developers manage security, permissions and users within the system, with features including but not limited to those listed below.
Note: all these features are built upon the permission-based authorization infrastructure, so you can easily delegate each one of them to support staff as needed.


Impersonation

Often when a user asks for help or faces an issue, administrative/support personnel need access to the user's account to help them out. Asking the user for his password is neither secure nor recommended. Impersonation is a killer feature that gives administrators the ability to assume the identity of another user without having to log in with that user's password. This is an administrative permission and can be delegated to other users as needed.
Try it here. (First create a user, assign him one or more permissions, and then impersonate him.)

Adopt a User

This interface gives administrators the ability to change the parent of a user, thereby resetting that user's permissions as per the new parent. This is crucial in organizations where the employee hierarchy keeps changing due to promotion, attrition and hiring. Thus the system remains in sync with changes in organizational structure. This is an administrative permission and can be delegated to other users as needed.
Try it here. (First create at least two users, and then try the adopt feature.)

Organize Permissions

This interface lets administrators create new permission codes and aggregate permissions into higher-level constructs similar to roles on a live system. This is an administrative permission and can be delegated to other users as needed.
Try it here.

Drill Down

This interface lets administrators drill down into permission distribution quickly. For each permission defined in the system, it shows how many users have been assigned this permission and also lets you view their user names and parents. This is handy for troubleshooting and for making sure sensitive permissions haven't been assigned to unintended users. This is an administrative permission and can be delegated to other users as needed.
Try it here.

Render Permissions

This interface renders all the permission codes (including implied permissions) along with resource ids for the specified user. It helps in troubleshooting hard-to-find issues in your application. This is an administrative permission and can be delegated to other users as needed.

So are you ready to get ASP Security Kit now?