1

I realize that I can decorate each controller with [Authorize].

However, is there a way that I can do this globally so that it's the default, and then have the Account controller set as anonymous only?

4 Answers

4

Create a BaseController which all other controllers inherit from. Have this class then inherit from Controller, like so:

public class SomeController : BaseController { }

Then in BaseController

public class BaseController : Controller { }

Add an authorize attribute to the base controller. All controllers inheriting from BaseController will now require authorization. Controllers which don't, won't. So, your account controller will only inherit from Controller, not BaseController, as you don't want this authorized.

There are other advantages of having a base controller. You can override OnActionExecuted to log application usage, for instance.

I would create a second base controller called BaseUnsecuredController which your account controller can inherit from, which won't have an authorize attribute. Then have an abstract base controller class which contains the implementations of common actions you wish to share between the base controllers, like logging and error handling.

Hope this helps.


3 Comments

Can you explain a little more or give me an example of what you mean with abstract base class? Do you mean another class that BaseController and UnsecuredBaseController would inherit from?
Yep, no worries. All I mean is that if you have two base controllers, one with the authorize and the other without, and you also want to add logging and error handling, instead of repeating the code you could create another class which holds the implementations and call them from the two base controllers. To be honest, you should probably just get the base controllers working first, then look into what advantages using them will bring you.
Consider using the authorize attribute, which you can customize as per your needs.
2

Use a basecontroller, from which each controller inherits. Then set the [Authorize] attribute on the base controller.


1

Apply the filter globally like this.

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Existing code
        config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
    }
}

Then, apply [AllowAnonymous] on the AccountController or specific action methods.

[AllowAnonymous]
public class AccountController : WebApiController {}


0

You can add the AuthorizeAttribute globally by changing your FilterConfig to add it to all requests:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    //Other filters
    filters.Add(new AuthorizeAttribute());
}

After that you can add the [OverrideAuthorization] attribute to your controller.

If you have any AuthenticationFilter set globally, it won't be reset. If you want to reset both, you also need to use the [OverrideAuthentication] attribute.
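
As an added example (not code from any of the answers), here is a reflection check for an MVC 5 project that classifies every controller action by the [Authorize] and [AllowAnonymous] attributes discussed above. With the base-controller approach, anything reported as NoAttribute is reachable without login; with a global filter registered, those actions are covered by the filter. The names AuthorizationAudit, Coverage, Classify and Audit are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical helper, added for illustration; not part of ASP.NET MVC.
public static class AuthorizationAudit
{
    // Ordered from most to least protected so results can be compared.
    public enum Coverage { Authorized, AnonymousOptOut, NoAttribute }

    // Mirrors the check System.Web.Mvc.AuthorizeAttribute performs:
    // [AllowAnonymous] on the action or its controller skips authorization.
    public static Coverage Classify(Type controller, MethodInfo action)
    {
        if (action.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            controller.IsDefined(typeof(AllowAnonymousAttribute), true))
            return Coverage.AnonymousOptOut;

        // inherit: true also finds [Authorize] placed on a base controller.
        bool authorized =
            action.IsDefined(typeof(AuthorizeAttribute), true) ||
            controller.IsDefined(typeof(AuthorizeAttribute), true);
        return authorized ? Coverage.Authorized : Coverage.NoAttribute;
    }

    // Classifies every public action on every concrete controller in the assembly.
    public static IDictionary<string, Coverage> Audit(Assembly webAssembly)
    {
        var report = new SortedDictionary<string, Coverage>();
        foreach (Type type in webAssembly.GetTypes())
        {
            if (type.IsAbstract || !typeof(Controller).IsAssignableFrom(type))
                continue;
            foreach (MethodInfo m in type.GetMethods(BindingFlags.Instance | BindingFlags.Public))
            {
                // Skip property accessors, [NonAction] methods and members
                // declared by Controller, ControllerBase or object.
                if (m.IsSpecialName ||
                    m.IsDefined(typeof(NonActionAttribute), true) ||
                    m.DeclaringType.IsAssignableFrom(typeof(Controller)))
                    continue;
                // Overloads share a key; keep the least protected result.
                string key = type.FullName + "." + m.Name;
                Coverage current = Classify(type, m), seen;
                if (!report.TryGetValue(key, out seen) || current > seen)
                    report[key] = current;
            }
        }
        return report;
    }
}
```

Run it from a unit test against the web project's assembly and fail the build on any NoAttribute entry when no global filter is registered. The [OverrideAuthorization] attribute from the last answer is not evaluated by this check.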
