How to do 'opt-out' authentication in ASP.NET MVC

Question

Possible Duplicate:
Override Authorize Attribute in ASP.NET MVC

In ASP.NET MVC, you add the [Authorize] attribute above action methods to specify that users must be authenticated (and in the specified role where appropriate) to use that method.

This is a bit like 'opt-in' authentication - I have to remember to decorate every method I want to protect, which is error-prone.

How might I specify that everything requires authentication apart from the controllers or actions that I whitelist?

@Chris Marisic: I disagree. The linked article covers how to create a new Authorize attribute where you can specify that you don't require authorization. It doesn't cover how to require authorization by default. Presumably I need a new controller type or something. — David, Aug 01 '11 at 13:39
@David you follow that question and then apply it as a global filter. Then you only attribute it on actions you want to opt out. The action level (or controller level) attributes will override the global action. — Chris Marisic, Aug 01 '11 at 14:21
Oh, global filter? This is the piece of the pie of MVC knowledge I'm missing... :) — David, Aug 01 '11 at 14:50
@David yes MVC3. Prior to that your options generally consist of base class or tag it on all controllers then use specific actions to opt out. — Chris Marisic, Aug 01 '11 at 15:37

score 2 · Answer 1 · answered Aug 01 '11 at 14:04

Here's the basic idea. You should play with this to get the desired results - especially when some actions inside controller need authorization, some - not. As you know, each and every part of asp.net mvc framework can be customized. So is filter providing mechanism of it. First, create the IFilterProvider implementation for providing authorization filters

 public class AuthorizeFilterProvider : IFilterProvider
    {
        public List<Type> AuthorizationExcludedControllerTypes = new List<Type>();

        #region IFilterProvider Members

        public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
        {
            if (!AuthorizationExcludedControllerTypes.Contains(controllerContext.Controller.GetType()))
            {
                yield return new Filter(new AuthorizeAttribute(), FilterScope.Controller, null);
//return filter only if it is not included into AuthorizationExcludedControllerTypes list.
            }
        }

        #endregion
    }

And register filter provider into Global.asax

 protected void Application_Start()
        {
            ...

            AuthorizeFilterProvider authorizeFilterProvider = new AuthorizeFilterProvider();
            authorizeFilterProvider.AuthorizationExcludedControllerTypes.Add(typeof(HomeController));

            FilterProviders.Providers.Add(authorizeFilterProvider );

            ...

        }

score 1 · Answer 2 · edited May 23 '17 at 10:34

1

By default, you can't, but see this answer for information about creating your own custom authorization attribute to do it: Override Authorize Attribute in ASP.NET MVC.

edited May 23 '17 at 10:34

Community

1
1

answered Aug 01 '11 at 13:32

James Sulak

31,389
11
53
57

How to do 'opt-out' authentication in ASP.NET MVC

2 Answers2