5

I have a controller that I only want authenticated users to be able to access. Do I have to put a check in each method in my controller to verify a user is authenticated, or is there another way to handle this? Can I use annotations to do this instead?

Example from my controller:

public ActionResult Index()
{
    if (UserVerified())
    {
        ...
    }
    return RedirectToAction("Login", "Account");
}

public ActionResult FacebookLogin()
{
    if (UserVerified())
    {
        ...
    }

    return RedirectToAction("Login", "Account");
}

private bool UserVerified()
{
    if (User != null && User.Identity != null && User.Identity.IsAuthenticated)
    {
        return true;
    }
    return false;
}

6 Answers

14

You can use AuthorizeAttribute for it.
Put it on every action.

[Authorize]
public ActionResult Index()
{
    return View(); // action body omitted in the original
}

[Authorize]
public ActionResult FacebookLogin()
{
    return View(); // action body omitted in the original
}

It will do the whole work for you. It checks whether the current user is authenticated. If he is authenticated, it proceeds to the action; if he is not, it returns to the home page.

You can also add this attribute to a controller. Then all actions will require authorization.

[Authorize]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View(); // action body omitted in the original
    }

    public ActionResult FacebookLogin()
    {
        return View(); // action body omitted in the original
    }
}

Update: And, yes, as Kamil said. Read this article, please.
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

Spend some time on it now and you will spend much less time having questions about ASP.NET authentication in the future.

By the way, you don't need to check for

User != null && User.Identity != null

If you are using the default authentication, you can always be sure that User.Identity is a proper object. You can access User.Identity.IsAuthenticated directly.
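The answer above puts [Authorize] on individual actions or one controller. An added example (not code from the question or from this answer) of the same attribute applied as a global filter, so that every action is protected unless it explicitly opts out; this flips the default from "open unless someone remembered the check" to "closed unless someone deliberately opened it", which is the safer failure mode when a new action is added later. It assumes ASP.NET MVC 4 or later (System.Web.Mvc), because AllowAnonymousAttribute and the App_Start/FilterConfig.cs convention first appeared there; AccountController and HomeController are illustrative names.

```csharp
// Added example, not from the original page. Assumes ASP.NET MVC 4+ (System.Web.Mvc).
using System.Web.Mvc;

// App_Start/FilterConfig.cs in the MVC 4 project template. Global.asax.cs calls
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) from Application_Start().
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // Deny by default: every action in every controller now requires an
        // authenticated user. No per-action or per-controller [Authorize] needed.
        filters.Add(new AuthorizeAttribute());
    }
}

// The login endpoints must opt out, otherwise an anonymous request is redirected to
// /Account/Login, which itself demands authentication: an endless redirect loop.
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // Logging out is only meaningful for authenticated users, so this stays protected
    // by the global filter; [HttpPost] keeps it from being triggered by a plain link.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        System.Web.Security.FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}

// Nothing to annotate here: Index and FacebookLogin are covered by the global filter.
// A stricter rule can still be stacked on one action; all Authorize filters must pass.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize(Roles = "Admin")] // "Admin" is a constructed role name for illustration
    public ActionResult FacebookLogin()
    {
        return View();
    }
}
```

With the global filter in place, the check the question performs by hand in every action is no longer something a developer can forget; the only thing to review in code review is where [AllowAnonymous] appears, which is a much shorter list.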


8

Using the Authorize attribute is the way to go (already answered here). In addition, if you want to implement some other business rules or filtering checks, you can create a filter class inheriting from AuthorizeAttribute.

e.g.

using System.Web;
using System.Web.Mvc;

public class CustomAuthorizeFilter : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: user is authenticated (and matches Users/Roles, if set)
        var isAuthorized = base.AuthorizeCore(httpContext);

        if (!isAuthorized)
        {
            return false; // User not authorized
        }

        // Check your conditions here; return false to deny
        return true;
    }
}

Then decorate your controller or Action as:

[CustomAuthorizeFilter]
public class SomeController : Controller
{
}


2

You can either use the built-in [Authorize] attribute, or you can develop your own custom attribute for the same purpose.

You can start from here for your own attribute:

Create custom attribute

If you want to perform validation on each action method, then put that attribute at the controller level rather than on each action method.


1

You can use [Authorize] attribute above controller methods.

Please follow this link


1

If you want the authentication rules to apply to all controller actions you can do this:

[someAuthAttribute]
public class HomeController : Controller
{
    // pseudo: someAuthAttribute stands for any authorization attribute
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult FacebookLogin()
    {
        return View();
    }
}

Where Index() and FacebookLogin() will adhere to the authentication rules of [someAuthAttribute]. You can also use this "hierarchy" to apply more specific rules to your action methods. Like this:

[someAuthAttribute]
public class HomeController : Controller
{
    // pseudo: Index is covered by the controller-level attribute only
    public ActionResult Index()
    {
        return View();
    }

    // FacebookLogin must satisfy both attributes
    [someFBAuthAttribute]
    public ActionResult FacebookLogin()
    {
        return View();
    }
}


0

You can inherit authorization from a base controller.

[Authorize(Roles = @"Domain\Group")]
public class BaseController : Controller
{
}

// Inherits the [Authorize] requirement from BaseController
public class ChildController : BaseController
{
}
