ASP.NET MVC Authorization

How to require authorization within a whole ASP.NET MVC application

The simplest way is to add the Authorize attribute in the filter config to apply it to every controller.

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // Add this line
        filters.Add(new AuthorizeAttribute());
    }
}

Another way is to have all of your controllers inheriting from a base class. This is something I do often as there is almost always some shared code that all of my controllers can use:

[Authorize]
public abstract class BaseSecuredController : Controller
{
    // Various methods can go here
}

And now instead of inheriting from Controller, all of your controllers should inherit this new class:

public class MySecureController : BaseSecuredController
{
}

Note: Don't forget to add the AllowAnonymous attribute when you need it to be accessible to non-logged-in users.

ASP.NET MVC Authorize with login authentication not working

I already found my solution.

Everything is right!!

The reason that the authorization was not working was that I was debugging with IIS Express and not with my project webapp.

I'm still learning a lot about ASP.NET and the Visual Studio Community platform; these details really matter.

If anyone wants to use this Auth model, it's working fine.

How can we set authorization for a whole area in ASP.NET MVC?

Web.config-based security should almost never be used in an MVC application. The reason for this is that multiple URLs can potentially hit a controller, and putting these checks in Web.config invariably misses something. Remember - controllers are not associated with areas, routes are associated with areas. The MVC controller factory will happily serve controllers from the Areas/ folder for non-area requests if there's no conflict.

For example, using the default project structure, adding an Admin area with an AdminDefaultController, you can hit this controller via /Admin/AdminDefault/Index and /AdminDefault/Index.

The only supported solution is to put your attribute on a controller base class and to ensure that each controller within the area subclasses that base class.
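A reflection-based audit of the rule in this answer, as an added example that is not part of the original answer or of ASP.NET MVC itself. The names `AuthorizationAudit`, `FindGaps`, `areaNamespacePrefix` and `securedBase` are hypothetical, and the check reads attributes only, so a global filter registered in FilterConfig is not visible to it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class AuthorizationAudit
{
    // Returns one finding per controller or action that attributes alone leave open.
    // areaNamespacePrefix and securedBase are the caller's own conventions (assumptions).
    public static IList<string> FindGaps(Assembly web, string areaNamespacePrefix, Type securedBase)
    {
        var findings = new List<string>();
        IEnumerable<Type> controllers = web.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (Type c in controllers)
        {
            // Area controllers can be served for non-area URLs as well, so the check
            // is made on the type hierarchy rather than on the route.
            bool inArea = (c.Namespace ?? "").StartsWith(areaNamespacePrefix, StringComparison.Ordinal);
            if (inArea && !securedBase.IsAssignableFrom(c))
                findings.Add(c.FullName + ": area controller does not inherit " + securedBase.Name);

            // inherit: true also sees attributes declared on a base class.
            bool classAuthorize = c.IsDefined(typeof(AuthorizeAttribute), true);
            bool classAnonymous = c.IsDefined(typeof(AllowAnonymousAttribute), true);

            // Candidate actions: public instance methods declared below Controller,
            // excluding property accessors and [NonAction] methods.
            IEnumerable<MethodInfo> actions = c.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => !m.IsSpecialName
                         && !m.DeclaringType.IsAssignableFrom(typeof(Controller))
                         && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (MethodInfo a in actions)
            {
                bool actionAuthorize = a.IsDefined(typeof(AuthorizeAttribute), true);
                bool anonymous = classAnonymous || a.IsDefined(typeof(AllowAnonymousAttribute), true);

                if (!classAuthorize && !actionAuthorize && !anonymous)
                    findings.Add(c.FullName + "." + a.Name + ": no [Authorize] and no explicit [AllowAnonymous]");
                else if (classAnonymous && actionAuthorize)
                    findings.Add(c.FullName + "." + a.Name + ": [Authorize] is skipped, controller is [AllowAnonymous]");
            }
        }
        return findings;
    }
}
```

Run it from a unit test against the web assembly and fail the build when the returned list is not empty, for example with a namespace prefix such as `MyApp.Areas.Admin` (a placeholder) and `typeof(BaseSecuredController)`.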

Authentication & Authorization in MVC5

Based on my understanding of your question, you want to authenticate users with Active Directory, then authorize with a local authorization mechanism.

If so, you could use OWIN cookie authentication middleware in ASP.NET MVC 5.

It has a few moving pieces, so I created a sample application at GitHub. The following are the database diagram and two main classes.

[Image: database diagram]

OwinAuthenticationService

using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security;

public class OwinAuthenticationService
{
    private readonly HttpContextBase _context;
    private const string AuthenticationType = "ApplicationCookie";

    public OwinAuthenticationService(HttpContextBase context)
    {
        _context = context;
    }

    // roleNames: the user's role names from the local authorization store.
    public void SignIn(User user, IEnumerable<string> roleNames)
    {
        IList<Claim> claims = new List<Claim>
        {
            new Claim(ClaimTypes.Sid, user.Id.ToString()),
            new Claim(ClaimTypes.Name, user.UserName),
            new Claim(ClaimTypes.GivenName, user.FirstName),
            new Claim(ClaimTypes.Surname, user.LastName),
        };

        // One role claim per role; [Authorize(Roles = "...")] checks these.
        foreach (string roleName in roleNames)
        {
            claims.Add(new Claim(ClaimTypes.Role, roleName));
        }

        ClaimsIdentity identity = new ClaimsIdentity(claims, AuthenticationType);

        IOwinContext context = _context.Request.GetOwinContext();
        IAuthenticationManager authenticationManager = context.Authentication;

        // Issues the authentication cookie for this identity.
        authenticationManager.SignIn(identity);
    }

    public void SignOut()
    {
        IOwinContext context = _context.Request.GetOwinContext();
        IAuthenticationManager authenticationManager = context.Authentication;

        authenticationManager.SignOut(AuthenticationType);
    }
}

Startup.cs

You also need to configure Startup for all of that to happen.

using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(YourApplication.Startup))]
namespace YourApplication
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // AuthenticationType must match the value used when signing in.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ApplicationCookie",
                LoginPath = new PathString("/Account/Login")
            });
        }
    }
}

Usage

Then you can start using the [Authorize] attribute in Controller and Action methods.

[Authorize(Roles = "Power Users")]
public class UsersController : Controller
{
    // ...
}

ASP .NET 4.7 MVC Authentication and Authorization Identity

You can use the [Authorize] attribute, my friend.

First: add the AuthorizeAttribute filter to the global filter list:

public static void Register(HttpConfiguration config)
{
    config.Filters.Add(new AuthorizeAttribute());
}

Second: to secure your controller, add the filter as an attribute to the controller:

// Require authorization for all actions on the controller.
[Authorize]
public class ValuesController : ApiController
{
    public HttpResponseMessage Get(int id) { ... }
    public HttpResponseMessage Post() { ... }
}

Third: to secure your action, add the attribute to the action method:

public class ValuesController : ApiController
{
    public HttpResponseMessage Get() { ... }

    // Require authorization for a specific action.
    [Authorize]
    public HttpResponseMessage Post() { ... }
}

I advise you to visit these 2 links, which can help you more:

Authentication and Authorization in ASP.NET Web API

MVC Web API: Authorization & Authentication


