1

Windows Identity Framework on ASP.NET MVC - how to authorize user per action basis?

Like:

    [Authorize]
    public ActionResult About()
    {
        return View();
    }

Instead of the whole site level security as is the default WIF site integration behaviour?

UPDATE: Maybe should the question goes like, how to allow anonymous users to access the site too?

Peter Stegnar
  • 12,615
  • 12
  • 62
  • 80

2 Answers2

1

Well as it turns out, authorization element has to be properly set in web.config.

Default is something like:

    <authorization>
        <deny users="?" />
    </authorization>

Which simply mean deny all anonymous users.

But in MVC it should be like:

    <authorization>
        <!--<deny users="?" />-->
    </authorization>

Which mean allow all users, and leave application to handle the authentication.

So that mean default WIF setting have to be reverted:

From:

<authentication mode="None" />

To something like:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

That so, per action authorization in MVC works. Nice. :)

More on Authorization: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

Peter Stegnar
  • 12,615
  • 12
  • 62
  • 80
0

You are able to configure site authentication model in Web.config

http://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx

Alexander Beletsky
  • 19,453
  • 9
  • 63
  • 86
  • Yes I am aware of that settings, but how does this solve my problem? If I set the mode="Form" it also want authentication at the site level ... – Peter Stegnar Dec 21 '10 at 11:00