Search code examples
c#asp.net-mvcmodel-view-controllerwifwindows-identity

Windows Identity Framework on ASP.NET MVC - how to authorize user per action basis?

Windows Identity Framework on ASP.NET MVC - how to authorize user per action basis?

Like:

    [Authorize]
    public ActionResult About()
    {
        return View();
    }

Instead of the whole site level security as is the default WIF site integration behaviour?

UPDATE: Maybe should the question goes like, how to allow anonymous users to access the site too?

Solution

  • Well as it turns out, authorization element has to be properly set in web.config.

    Default is something like:

        <authorization>
        <deny users="?" />
    </authorization>

    Which simply mean deny all anonymous users.

    But in MVC it should be like:

        <authorization>
        <!--<deny users="?" />-->
    </authorization>

    Which mean allow all users, and leave application to handle the authentication.

    So that mean default WIF setting have to be reverted:

    From:

    <authentication mode="None" />

    To something like:

    <authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

    That so, per action authorization in MVC works. Nice. :)

    More on Authorization: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx