ASP.NET MVC Authentication

Question

ASP.NET MVC Authentication

it is possible to create something like this i ASP.NET MVC beta 1

I tried but

override bool OnPreAction(string actionName, 
                          System.Reflection.MethodInfo methodInfo)

is no longer visible and

override void OnActionExecuting(ActionExecutingContext filterContext)

don't give me access to the action name

+1

c # asp.net-mvc .net-3.5 c # -3.0

Nesizer 25 nov. '08 at 17:31

source to share

3 answers

Create custom attribute

+1

John Sheehan 25 nov. At 17:54

source to share

What is the reason why you don't want to decorate your actions with an authorization attribute? Sorry, but I think I can better understand your situation if I try to give a better answer than the one already asked.

0

Rune 25 nov. '08 at 19:02

source to share

Rune · Accepted Answer · 2008-11-25T17:54:21+0000

On the blog you link to, the author claims that

One way to tackle this problem is to use attribute based security as shown in this post. But then you have to decorate your actions with a safety attribute, which is not a good idea.

I think this is a great way to do it and it is supported by the framework. This will give you a nice declarative implementation. Check the Authorized Attribute in System.Web.Mvc. This will allow you to do something like this:

[Authorize(Roles="Admin, Editor")]
public ActionResult Delete(int id){
    (...)
}

Since the Delete action changes the state of your system, I would also add the AcceptVerbs attribute, for example:

[AcceptVerbs(HttpVerbs.Post)]
[Authorize(Roles="Admin, Editor")]
public ActionResult Delete(int id){
    (...)
}

This ensures that the action will not accept GET requests.

ASP.NET MVC Authentication

More articles: