If you've ever tried maintaining a web application where HTML rendering logic, database queries, and business rules all live in the same files, you know the pain. Changes ripple unpredictably through the codebase. Testing becomes nearly impossible because you can't isolate components. Multiple developers stepping on each other's work becomes routine.
The Model-View-Controller pattern in ASP.NET Core eliminates this pain by enforcing clear separation of concerns. Models handle data and business logic. Views focus solely on presentation. Controllers coordinate between them, processing requests and selecting responses. This separation makes code testable, maintainable, and allows teams to work in parallel without conflicts.
By the end of this article, you'll understand how to structure ASP.NET Core MVC applications properly, implement controllers that follow best practices, create strongly-typed views with Razor, and leverage dependency injection for clean architecture. You'll build a working application that demonstrates these principles in action.
The MVC pattern divides your application into three interconnected components. Models represent your domain data and business rules. Views render the user interface based on model data. Controllers handle HTTP requests, interact with models, and select views to render.
This separation isn't just theoretical—it has practical benefits. You can unit test controllers without rendering HTML. You can change views without touching business logic. Multiple views can present the same model data differently. Teams can work on controllers, views, and models independently with minimal coordination.
In ASP.NET Core, the framework handles routing HTTP requests to controller actions, which return results like views, JSON, or redirects. The built-in dependency injection system provides services to controllers, and the Razor view engine renders dynamic HTML based on model data.
Models represent the data and business logic of your application. They're plain C# classes (POCOs) that define entities, validation rules, and business operations. Models should be framework-agnostic—they don't know about HTTP, controllers, or views.
In a well-designed MVC application, models encapsulate your domain logic. They validate themselves, enforce business rules, and provide a clear API for controllers to interact with your data. Keep models focused on the domain, not on presentation concerns like formatting for display.
using System.ComponentModel.DataAnnotations;
namespace ProductCatalog.Models;
public class Product
{
public int Id { get; set; }
[Required(ErrorMessage = "Product name is required")]
[StringLength(100, MinimumLength = 3)]
public string Name { get; set; } = string.Empty;
[StringLength(500)]
public string Description { get; set; } = string.Empty;
[Required]
[Range(0.01, 10000, ErrorMessage = "Price must be between $0.01 and $10,000")]
public decimal Price { get; set; }
[Range(0, int.MaxValue)]
public int StockQuantity { get; set; }
public string Category { get; set; } = string.Empty;
public DateTime CreatedDate { get; set; } = DateTime.UtcNow;
// Business logic in the model
public bool IsAvailable() => StockQuantity > 0;
public bool IsNew() => DateTime.UtcNow.Subtract(CreatedDate).TotalDays < 30;
public decimal GetDiscountedPrice(decimal discountPercent)
{
if (discountPercent < 0 || discountPercent > 100)
throw new ArgumentException("Discount must be between 0 and 100");
return Price * (1 - discountPercent / 100);
}
}Data annotations like [Required] and [Range] provide validation that ASP.NET Core MVC enforces automatically during model binding. The business methods like IsAvailable() and GetDiscountedPrice() encapsulate domain logic that views and controllers can use without duplicating code.
Controllers are classes that handle HTTP requests and coordinate between models and views. Each public method (action) in a controller responds to a specific route. Controllers receive data from requests, invoke business logic through models or services, and return results like views or JSON.
Good controllers are thin—they orchestrate operations but don't contain business logic. They validate input, call services, and decide which view to render. Keep complex logic in models or separate service classes that controllers call through dependency injection.
using Microsoft.AspNetCore.Mvc;
using ProductCatalog.Models;
using ProductCatalog.Services;
namespace ProductCatalog.Controllers;
public class ProductController : Controller
{
private readonly IProductService _productService;
private readonly ILogger _logger;
public ProductController(
IProductService productService,
ILogger logger)
{
_productService = productService;
_logger = logger;
}
// GET: /Product
public async Task Index()
{
var products = await _productService.GetAllProductsAsync();
return View(products);
}
// GET: /Product/Details/5
public async Task Details(int id)
{
var product = await _productService.GetProductByIdAsync(id);
if (product == null)
{
_logger.LogWarning("Product {ProductId} not found", id);
return NotFound();
}
return View(product);
}
// GET: /Product/Create
public IActionResult Create()
{
return View();
}
// POST: /Product/Create
[HttpPost]
[ValidateAntiForgeryToken]
public async Task Create(Product product)
{
if (!ModelState.IsValid)
{
return View(product);
}
await _productService.CreateProductAsync(product);
_logger.LogInformation("Product created: {ProductName}", product.Name);
return RedirectToAction(nameof(Index));
}
// GET: /Product/Edit/5
public async Task Edit(int id)
{
var product = await _productService.GetProductByIdAsync(id);
if (product == null)
{
return NotFound();
}
return View(product);
}
// POST: /Product/Edit/5
[HttpPost]
[ValidateAntiForgeryToken]
public async Task Edit(int id, Product product)
{
if (id != product.Id)
{
return BadRequest();
}
if (!ModelState.IsValid)
{
return View(product);
}
await _productService.UpdateProductAsync(product);
_logger.LogInformation("Product updated: {ProductId}", id);
return RedirectToAction(nameof(Index));
}
// POST: /Product/Delete/5
[HttpPost]
[ValidateAntiForgeryToken]
public async Task Delete(int id)
{
await _productService.DeleteProductAsync(id);
_logger.LogInformation("Product deleted: {ProductId}", id);
return RedirectToAction(nameof(Index));
}
} The controller uses dependency injection to receive IProductService and ILogger. Actions follow the pattern: validate input, call service methods, return appropriate result. The [ValidateAntiForgeryToken] attribute protects against CSRF attacks on state-changing operations.
Views render HTML to users based on model data. Razor views combine HTML markup with C# code using the @ syntax. They're strongly-typed to specific models, giving you IntelliSense and compile-time checking. Views should contain minimal logic—just what's needed for presentation.
ASP.NET Core uses Razor view engine by default. It supports layouts for shared UI elements, partial views for reusable components, and tag helpers for cleaner syntax when generating HTML. Views live in Views folder, organized by controller name.
@model IEnumerable<ProductCatalog.Models.Product>
@{
ViewData["Title"] = "Product Catalog";
}
<div class="container">
<div class="d-flex justify-content-between align-items-center mb-4">
<h1>@ViewData["Title"]</h1>
<a asp-action="Create" class="btn btn-primary">Add New Product</a>
</div>
@if (!Model.Any())
{
<div class="alert alert-info">
No products found. <a asp-action="Create">Create your first product</a>
</div>
}
else
{
<div class="row">
@foreach (var product in Model)
{
<div class="col-md-4 mb-4">
<div class="card">
<div class="card-body">
<h5 class="card-title">
@product.Name
@if (product.IsNew())
{
<span class="badge bg-success">New</span>
}
</h5>
<p class="card-text">@product.Description</p>
<p class="h4 text-primary">$@product.Price.ToString("F2")</p>
<p class="text-muted">
Stock: @product.StockQuantity
@if (!product.IsAvailable())
{
<span class="text-danger">(Out of Stock)</span>
}
</p>
<div class="btn-group" role="group">
<a asp-action="Details" asp-route-id="@product.Id"
class="btn btn-sm btn-outline-primary">Details</a>
<a asp-action="Edit" asp-route-id="@product.Id"
class="btn btn-sm btn-outline-secondary">Edit</a>
</div>
</div>
</div>
</div>
}
</div>
}
</div>The @model directive declares the view's model type. Tag helpers like asp-action and asp-route-id generate URLs based on routing configuration. The view calls model methods like IsNew() and IsAvailable() to make presentation decisions without duplicating business logic.
Services encapsulate business logic and data access, keeping controllers thin. ASP.NET Core's built-in dependency injection makes services available to controllers through constructor injection. This promotes testability and loose coupling.
Define service interfaces for contracts, implement them in concrete classes, and register them in Program.cs. Controllers depend on interfaces rather than concrete implementations, making it easy to swap implementations for testing or different environments.
namespace ProductCatalog.Services;
public interface IProductService
{
Task> GetAllProductsAsync();
Task GetProductByIdAsync(int id);
Task CreateProductAsync(Product product);
Task UpdateProductAsync(Product product);
Task DeleteProductAsync(int id);
}
public class ProductService : IProductService
{
private readonly List _products = new();
private int _nextId = 1;
public Task> GetAllProductsAsync()
{
return Task.FromResult>(_products);
}
public Task GetProductByIdAsync(int id)
{
var product = _products.FirstOrDefault(p => p.Id == id);
return Task.FromResult(product);
}
public Task CreateProductAsync(Product product)
{
product.Id = _nextId++;
product.CreatedDate = DateTime.UtcNow;
_products.Add(product);
return Task.CompletedTask;
}
public Task UpdateProductAsync(Product product)
{
var existing = _products.FirstOrDefault(p => p.Id == product.Id);
if (existing != null)
{
existing.Name = product.Name;
existing.Description = product.Description;
existing.Price = product.Price;
existing.StockQuantity = product.StockQuantity;
existing.Category = product.Category;
}
return Task.CompletedTask;
}
public Task DeleteProductAsync(int id)
{
var product = _products.FirstOrDefault(p => p.Id == id);
if (product != null)
{
_products.Remove(product);
}
return Task.CompletedTask;
}
} This service provides an in-memory implementation for demonstration. In production, you'd replace this with Entity Framework Core or another data access technology. The interface remains the same, so controllers don't need to change.
Here's a complete working ASP.NET Core MVC application demonstrating all the concepts. This creates a product catalog with CRUD operations, validation, and proper separation of concerns.
using ProductCatalog.Services;
var builder = WebApplication.CreateBuilder(args);
// Add MVC services
builder.Services.AddControllersWithViews();
// Register application services
builder.Services.AddSingleton();
var app = builder.Build();
// Configure middleware pipeline
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Home/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
// Configure default route
app.MapControllerRoute(
name: "default",
pattern: "{controller=Product}/{action=Index}/{id?}");
app.Run(); <Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
</PropertyGroup>
</Project>Run with: dotnet run and navigate to https://localhost:5001
Moving from demonstration code to production requires integrating additional services and following security best practices. Here's how to enhance your MVC application for real-world use.
Entity Framework Core integration: Replace in-memory services with EF Core for database persistence. Register your DbContext in Program.cs with AddDbContext, inject it into services, and use async LINQ methods for data access. Enable migrations to manage schema changes and seed initial data.
Authentication and authorization: Add ASP.NET Core Identity for user management. Protect controller actions with [Authorize] attributes. Use role-based or policy-based authorization to control access to features. Configure authentication middleware in the pipeline before UseAuthorization.
API endpoints alongside views: Controllers can return both views and JSON. Add [ApiController] to API controllers for automatic model validation and problem details. Use content negotiation to serve JSON to API clients and HTML to browsers from the same actions.
Configuration and options: Use the Options pattern for strongly-typed configuration. Register configuration sections as services with Configure<TOptions>. Inject IOptions<T> into controllers and services. Store sensitive configuration in environment variables or Azure Key Vault, never in source control.
Even experienced developers make mistakes when implementing MVC. Here are pitfalls to avoid for cleaner, more maintainable applications.
Fat controllers with business logic: Controllers should orchestrate, not implement business logic. Move complex operations to services or domain models. Controllers that exceed 100-200 lines usually contain logic that belongs elsewhere. If you can't unit test a controller without hitting a database, it's too coupled.
ViewBag and ViewData overuse: Use strongly-typed models instead of ViewBag or ViewData for passing data to views. Strongly-typed models provide compile-time checking and IntelliSense. Reserve ViewBag for truly dynamic data or layout-specific values that don't fit in your model.
Logic-heavy views: Views should format and display data, not make business decisions. If your view has complex conditionals or calculations, that logic belongs in the controller, model, or a view model. Use display templates and editor templates for complex formatting that's reused across views.
Missing anti-forgery protection: Always use [ValidateAntiForgeryToken] on POST, PUT, and DELETE actions. Include @Html.AntiForgeryToken() in forms. This prevents CSRF attacks where malicious sites trick users into submitting requests to your application.
MVC separates business logic (models), presentation (views), and request handling (controllers), making code easier to test, maintain, and scale. It enables parallel development where teams can work on different layers simultaneously, and supports multiple views for the same model data.
ASP.NET Core MVC is cross-platform, has built-in dependency injection, uses middleware pipeline instead of HTTP modules, and offers better performance. It combines MVC and Web API into a unified programming model and supports modern development with tag helpers and Razor Pages.
Use Razor Pages for page-focused scenarios where each page is relatively independent. Use MVC for complex applications requiring custom routing, extensive API development, or sophisticated view composition. Both can coexist in the same application for different features.