0

Is it possible through web.config or similar to only allow\disallow access to certain controllers or actions on an ASP.NET MVC2 application? I don't mean through the Authorize attribute, I mean literally completely disallow access to some controllers?

The scenario I'm looking at is that a client has an ASP.NET MVC2 site with one controller with public actions (and no Authorize attribute) and a bunch of other controllers with Authorize attributes on them. The site uses forms authentication so if the user tries to access one of the non-public controllers they are prompted to log in.

The client wants to take this a step further and on their intranet allow access to the non-public controllers, while on the internet only the public controller is accessible.

What approaches are there to do this, preferably without code changes to the actual application? I'm guessing it might be possible with 2 IIS sites\apps with different settings? Will I need 2 copies of the application folder with different web.config or are there other options?

1
  • You can create your own custom authorize attribute Commented Jun 14, 2013 at 3:19

1 Answer

2

If code change is not preferred, I think Request Filtering will allow you to block certain URLs of your application, effectively making unreachable those controller-actions that you do not want to expose.

Here is an example of how to use it: http://www.iis.net/configreference/system.webserver/security/requestfiltering/denyurlsequences

Basically you have to add the following to your web.config:

<system.webServer>
    <security>
        <requestFiltering>
            <denyUrlSequences>
                <add sequence="controller/action" />
                <add sequence="controller/otheraction" />
            </denyUrlSequences>
        </requestFiltering>
    </security>
</system.webServer>

With this approach you will need to have two copies of the website in the file system and two IIS websites. Not optimal but satisfies the condition of no code change.


2 Comments

+1 for the no code change solution. Although a custom AuthorizeAttribute would be the best solution I would think.
@SimonWhitehead totally agree with you.
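
A `denyUrlSequences` entry is compared against the request URL as text, not against MVC routes, so a deny list for the internet-facing copy should be checked against every URL form the route table maps to the protected controllers. The Python sketch below is an added example, not part of the original answer; the controller names, the route list and the case-insensitive substring matching model are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed internet-facing web.config; "admin" and "reports" are hypothetical
# controller names standing in for the controllers that carry [Authorize].
WEB_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences>
    <add sequence="admin/index" />
    <add sequence="/reports" />
  </denyUrlSequences>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed URL lists for the default route {controller}/{action}/{id}.
MUST_BLOCK = ["/Admin/Index", "/admin", "/Admin/Edit/5", "/Reports", "/reports/Monthly"]
MUST_ALLOW = ["/", "/Home/Index", "/Home/Reports"]


def deny_sequences(config_xml):
    """Return the lower-cased denyUrlSequences entries of a web.config string."""
    root = ET.fromstring(config_xml)
    return [add.get("sequence").lower()
            for block in root.iter("denyUrlSequences")
            for add in block.findall("add") if add.get("sequence")]


def is_denied(url, sequences):
    """Assumed model: the request is rejected when the URL path (query string
    excluded) contains any sequence, compared case-insensitively."""
    path = url.split("?", 1)[0].lower()
    return any(seq in path for seq in sequences)


def audit(config_xml, must_block, must_allow):
    """Return (gaps, collateral): protected URLs the list does not cover,
    and public URLs the list would reject."""
    seqs = deny_sequences(config_xml)
    gaps = [u for u in must_block if not is_denied(u, seqs)]
    collateral = [u for u in must_allow if is_denied(u, seqs)]
    return gaps, collateral


if __name__ == "__main__":
    gaps, collateral = audit(WEB_CONFIG, MUST_BLOCK, MUST_ALLOW)
    print("protected URLs still reachable:", gaps)
    print("public URLs that would be rejected:", collateral)
```

With the constructed lists, the per-action entry leaves the default-action and other-action URLs of the same controller uncovered, while the broad `/reports` entry also rejects a public action that happens to share the name.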
