I have an ASP.NET website set up with Windows Authentication for a specific domain group (MYDOMAIN\MY_SITE_USERS). I want to add a controller with some actions that can be performed from a special Windows account, without access to the rest of the website.
So:
~ ==> only MYDOMAIN\MY_SITE_USERS
~/DoSomething ==> only MYDOMAIN\MY_SITE_USERS
~/SpecialAction/Do ==> only MYDOMAIN\SPECIAL_ACCOUNT
I've seen other answers (using location in Web.Config), for example:
    <location path="~/SpecialAction/Do">
      <system.webServer>
        <security>
          <authorization>
            <add accessType="Deny" users="*"/>
            <add accessType="Allow" users="MYDOMAIN\SPECIAL_ACCOUNT"/>
          </authorization>
        </security>
      </system.webServer>
    </location>
but my problem is that, with the above, SPECIAL_ACCOUNT can access all the other pages, since I need to add to the general:
    <authentication mode="Windows" />
    <identity impersonate="true"/>
    <authorization>
      <allow users="MYDOMAIN\SPECIAL_ACCOUNT" />
      <allow users="MYDOMAIN\MY_SITE_USERS"/>
      <deny users="?" />
      <deny users="*" />
    </authorization>
otherwise MYDOMAIN\SPECIAL_ACCOUNT can't login at all.
Have you tried to use any approach similar to the following one?
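    using System.Web.Mvc;

    public static class ApplicationRoles
    {
        public const string SpecialAccount = @"domain\Special Account";
        public const string MySiteUsers = @"domain\My Site Users";
    }

    // Only principals in the SpecialAccount role reach this controller.
    [Authorize(Roles = ApplicationRoles.SpecialAccount)]
    public class SpecialActionController : Controller
    {
        //stuff
    }

    // Only principals in the MySiteUsers role reach this controller.
    [Authorize(Roles = ApplicationRoles.MySiteUsers)]
    public class DoSomethingController : Controller
    {
        //stuff
    }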
If you are looking for a web.config based solution, it would be worth having a look at Dynamic Controller/Action Authorization in ASP.NET MVC.
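
As an added example (not part of the question or the answer above), one way to get the split the question asks for: a global filter restricts every route to MYDOMAIN\MY_SITE_USERS, and `[OverrideAuthorization]` replaces that check on the one controller reserved for MYDOMAIN\SPECIAL_ACCOUNT. It assumes ASP.NET MVC 5 (System.Web.Mvc); the controller and action names are hypothetical, chosen to match the URLs in the question.

```csharp
using System.Web.Mvc;

// Assumption: ASP.NET MVC 5 with Windows Authentication enabled.
// web.config only has to let both principals authenticate; the filters
// below decide which routes each of them may reach.

public static class FilterConfig
{
    // Called from Application_Start in Global.asax.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Default for every controller and action: site group members only.
        filters.Add(new AuthorizeAttribute { Roles = @"MYDOMAIN\MY_SITE_USERS" });
    }
}

// ~/DoSomething : no attribute needed, the global filter applies.
public class DoSomethingController : Controller
{
    public ActionResult Index()
    {
        return Content("Reachable by MYDOMAIN\\MY_SITE_USERS only");
    }
}

// ~/SpecialAction/Do : drop the global group check for this controller and
// authorize the single account by name instead. Users= is compared with
// the Windows account name, Roles= with Windows group membership.
[OverrideAuthorization]
[Authorize(Users = @"MYDOMAIN\SPECIAL_ACCOUNT")]
public class SpecialActionController : Controller
{
    public ActionResult Do()
    {
        return Content("Reachable by MYDOMAIN\\SPECIAL_ACCOUNT only");
    }
}
```

Because the global filter is the default, a controller added later without any attribute is still closed to SPECIAL_ACCOUNT unless that account is also a member of MY_SITE_USERS.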