4

I read a couple of articles mentioning that you're supposed to have all of your controllers derive from a parent class with the [Authorize] attribute to not leave security holes in your site. (Example: article)

However, all controllers already derive from the parent Controller, which doesn't have the [Authorize] attribute. What is the best way to enforce this suggestion without having to add the attribute to every single controller?

5
  • I think it is a pretty good article that you have found. If you read it carefully it also explains that it is much easier with MVC3, as you can use global filters instead of a base class. There is even a code sample of how to apply the authorize attribute globally. Then it even explains a nice solution for the cases when you don't want to apply the authorize attribute (e.g. for login/register pages). Commented Jul 21, 2011 at 12:14
  • I'll read it through again. It seems I have overlooked some important details. Commented Jul 21, 2011 at 12:17
  • @Phil, That's a great article, I've implemented it into my project. My question for you is how many controllers do you have? It seems like it is pretty easy to add this to your controllers at a class level, then as needed implement finer-grained security at the method level. Just my two cents. Commented Jul 21, 2011 at 12:24
  • @Doug - Then upvote this question ;) My problem is that I'm losing control over the project further on but will probably be blamed if someone fracks it up, so I'd like to implement something as proactive as possible (I know, the world invents better fools etc. Doesn't hurt to try at least!). I have around 10 controllers now, to actually answer your question. And yes, I agree, that would be a reasonable approach. Commented Jul 21, 2011 at 12:56
  • Like Doug said, I normally apply [Authorize] on each controller and decorate it with the specific roles that will have access. This extends to methods as well. For example, if I have a controller with [Authorize(Roles="Administrator,Role1")] I might have a method within the controller that is set to [Authorize(Roles="Administrator")]. Commented Jul 21, 2011 at 13:10

1 Answer

2

For MVC3 (and possibly 2, I do not remember) you can use global hooks like:

using System.Web.Mvc;

// Global.asax.cs: filters added here run for every controller and action
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute()); // require an authenticated user site-wide
}

protected void Application_Start()
{
    RegisterGlobalFilters(GlobalFilters.Filters);
}
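The deny-by-default setup the linked article and the comments describe, as an added example that is not code from the answer, the article or the project: a global authorize filter plus an explicit opt-out marker for the login/register pages. The attribute names PublicActionAttribute and GlobalAuthorizeAttribute are assumptions chosen here (MVC4 later shipped a built-in [AllowAnonymous] that works the same way).

```csharp
using System;
using System.Web.Mvc;

// Hypothetical marker: only actions or controllers carrying it stay public.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class PublicActionAttribute : Attribute { }

// Hypothetical global filter: everything requires a signed-in user unless opted out.
public sealed class GlobalAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        ActionDescriptor action = filterContext.ActionDescriptor;
        bool isPublic =
            action.IsDefined(typeof(PublicActionAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(PublicActionAttribute), true);

        if (isPublic)
            return; // explicit opt-out: skip the authentication check

        // Normal [Authorize] behaviour: unauthenticated requests get a 401,
        // which forms authentication turns into a redirect to the login page.
        base.OnAuthorization(filterContext);
    }
}

// Global.asax.cs
public class MvcApplication : HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new GlobalAuthorizeAttribute()); // applies to every controller, existing and future
    }

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RegisterGlobalFilters(GlobalFilters.Filters);
    }
}

// Only the login actions carry the opt-out; Profile is protected without any attribute.
public class AccountController : Controller
{
    [PublicAction]
    public ActionResult LogOn() { return View(); }

    [PublicAction, HttpPost]
    public ActionResult LogOn(string userName, string password) { return View(); }

    public ActionResult Profile() { return View(); }
}
```

A quick check that the filter is really in effect: request a controller that has no attributes at all while signed out and confirm you land on the login page rather than the view. Role restrictions still go on individual controllers or actions via [Authorize(Roles="...")] on top of the global filter.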

1 Comment

Global filters are mentioned prominently in the article linked to by the OP, although the tone of the question suggests that they may have been overlooked by the OP.
