0

Possible Duplicate:
Override Authorize Attribute in ASP.NET MVC

In ASP.NET MVC, you add the [Authorize] attribute above action methods to specify that users must be authenticated (and in the specified role where appropriate) to use that method.

This is a bit like 'opt-in' authentication - I have to remember to decorate every method I want to protect, which is error-prone.

How might I specify that everything requires authentication apart from the controllers or actions that I whitelist?

5
  • @Chris Marisic: I disagree. The linked article covers how to create a new Authorize attribute where you can specify that you don't require authorization. It doesn't cover how to require authorization by default. Presumably I need a new controller type or something. Commented Aug 1, 2011 at 13:39
  • @David you follow that question and then apply it as a global filter. Then you only attribute it on actions you want to opt out. The action level (or controller level) attributes will override the global action. Commented Aug 1, 2011 at 14:21
  • Oh, global filter? This is the piece of the pie of MVC knowledge I'm missing... :) Commented Aug 1, 2011 at 14:50
  • Ah, okay thanks. Are global filters just MVC 3? Commented Aug 1, 2011 at 14:53
  • @David yes MVC3. Prior to that your options generally consist of base class or tag it on all controllers then use specific actions to opt out. Commented Aug 1, 2011 at 15:37

2 Answers

2

Here's the basic idea. You should play with this to get the desired results, especially when some actions inside a controller need authorization and some do not. As you know, each and every part of the ASP.NET MVC framework can be customized, and so can its filter provider mechanism. First, create the IFilterProvider implementation for providing authorization filters:

    using System;
    using System.Collections.Generic;
    using System.Web.Mvc;

    public class AuthorizeFilterProvider : IFilterProvider
    {
        // Controller types that are excluded from authorization (the whitelist).
        public List<Type> AuthorizationExcludedControllerTypes = new List<Type>();

        #region IFilterProvider Members

        public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
        {
            // Return the filter only if the controller is not in the AuthorizationExcludedControllerTypes list.
            if (!AuthorizationExcludedControllerTypes.Contains(controllerContext.Controller.GetType()))
            {
                yield return new Filter(new AuthorizeAttribute(), FilterScope.Controller, null);
            }
        }

        #endregion
    }

And register the filter provider in Global.asax:

    protected void Application_Start()
    {
        ...

        AuthorizeFilterProvider authorizeFilterProvider = new AuthorizeFilterProvider();
        authorizeFilterProvider.AuthorizationExcludedControllerTypes.Add(typeof(HomeController));

        FilterProviders.Providers.Add(authorizeFilterProvider);

        ...
    }

1

By default, you can't, but see this answer for information about creating your own custom authorization attribute to do it: Override Authorize Attribute in ASP.NET MVC.
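The global-filter route mentioned in the comments (MVC 3), combined with a custom authorization attribute, could look like the sketch below. It is an added example, not code from either answer or from the linked question; `AllowUnauthenticatedAttribute`, `DefaultAuthorizeAttribute` and the two sample controllers are hypothetical names.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical opt-out marker: put it on the controllers or actions that stay public.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AllowUnauthenticatedAttribute : Attribute { }

// Hypothetical default filter: registered globally, so every action requires
// authentication unless the action or its controller carries the marker.
public class DefaultAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        ActionDescriptor action = filterContext.ActionDescriptor;
        bool whitelisted =
            action.IsDefined(typeof(AllowUnauthenticatedAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowUnauthenticatedAttribute), true);

        if (whitelisted) return;              // explicit opt-out: skip the check

        base.OnAuthorization(filterContext);  // standard [Authorize] behaviour
    }
}

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // One registration protects every controller, including ones added later.
        GlobalFilters.Filters.Add(new DefaultAuthorizeAttribute());
        // Existing area and route registration stays as it is.
    }
}

[AllowUnauthenticated]                        // whole controller is public
public class AccountController : Controller
{
    public ActionResult LogOn() { return View(); }
}

public class ReportsController : Controller
{
    public ActionResult Index() { return View(); }          // protected by default

    [AllowUnauthenticated]                                   // single public action
    public ActionResult PublicSummary() { return View(); }
}
```

With forms authentication the login action has to be on the whitelist, otherwise the redirect to the login page is itself rejected and redirected again.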
