I created an MVC application. I created authentication on every controller, and it works. I'm redirected to the login page if I'm not the authorized user. I have no problem with authorization (sitemapnode role) for controllers.

Now, I created an ASP.NET Web Form inside my ASP.NET MVC project. I put a ReportViewer on the web form. I created a View in MVC, put the ASP.NET Web Form inside an iframe tag, and that also works. I can view the ReportViewer when I call the right controller.

BUT, I can still view or access the ASP.NET Web Form (with the ReportViewer) when I'm not authorized, simply by typing the location of the ASP.NET Web Form.

How can I apply authorization to my web forms, similar to the authorization in MVC? If I'm not the authorized user (let's say 'admin'), I must be redirected to the login page, or I must not be able to access the web form at all. How do I do that?

2 Answers

The bigger question is why you need to mix MVC and WebForms, but anyway...

MS documentation is probably going to be your biggest help:

http://www.asp.net/web-forms/tutorials/security/roles/role-based-authorization-cs

You can lock down in web.config similar to:

    <location path="YourPage.aspx">
        <system.web>
            <authorization>
                <allow roles="sitemapnode" />
                <!-- Rules are evaluated top to bottom; without this deny, everyone
                     else falls through to the default allow for all users. -->
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

Or at a page method level with attributes:

    // Requires: using System.Security.Permissions;
    [PrincipalPermission(SecurityAction.Demand, Role = "sitemapnode")]

2 Comments

Ahhh, because in MVC I cannot use ReportViewer. That's why I use a web form for the ReportViewer and then an iframe tag in the cshtml in MVC, so I can view the ReportViewer inside the iframe tag in the MVC view.

Use MVC filters; they are made for this type of global validation.
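The first answer's web.config and PrincipalPermission options work because the .aspx page is served by the Web Forms pipeline, outside MVC's filters. As an added example (not from either answer), the same role check can be enforced in the page's own code-behind; the role name "admin" comes from the question, while the class name ReportPage and the AccessDenied path are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the Web Form that hosts the ReportViewer (class name assumed).
public partial class ReportPage : Page
{
    // Role name taken from the question.
    private const string RequiredRole = "admin";

    // Hypothetical page in this project that explains the access denial.
    private const string AccessDeniedUrl = "~/Account/AccessDenied";

    protected override void OnInit(EventArgs e)
    {
        // Runs before the ReportViewer binds or fetches report data, so a caller
        // that fails the check never triggers the report query.
        var user = Context.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Same outcome as MVC's [Authorize] for anonymous callers: send them to
            // the configured loginUrl with a ReturnUrl back to this page.
            // endResponse: true stops the rest of the page lifecycle.
            string loginUrl = FormsAuthentication.LoginUrl
                + "?ReturnUrl=" + HttpUtility.UrlEncode(Request.RawUrl);
            Response.Redirect(loginUrl, true);
            return;
        }

        if (!user.IsInRole(RequiredRole))
        {
            // Authenticated but lacking the role. Return 403 rather than 401:
            // FormsAuthentication turns a 401 into another login redirect, which
            // would bounce a logged-in user back to the login page in a loop.
            Response.StatusCode = 403;
            Response.Redirect(AccessDeniedUrl, true);
            return;
        }

        base.OnInit(e);
    }
}
```

Keep the web.config `<location>` rule as well: the code-behind protects only this page class, while the config rule also covers requests that never reach a page handler.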
Use MVC Filters:

    using System;
    using System.Web;
    using System.Web.Mvc;
    using System.Web.Routing;

    namespace SupplierPortal.Security {
        public class AuthorizedUser : AuthorizeAttribute {
            public bool IsAuthorized { get; set; }

            protected override bool AuthorizeCore(HttpContextBase httpContext) {
                // Every path must return a value; the original fell through
                // without a return when the user was not authenticated.
                if (Authenticated(httpContext))
                    return this.IsAuthorized = true;
                return this.IsAuthorized = false;
            }

            // Helper the original called but did not define: treat a request
            // as authorized when it carries an authenticated identity.
            private static bool Authenticated(HttpContextBase httpContext) {
                return httpContext.User != null
                    && httpContext.User.Identity.IsAuthenticated;
            }

            protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) {
                if (filterContext.HttpContext.Request.IsAjaxRequest()) {
                    // AJAX callers get a 403 with a JSON body instead of a redirect.
                    filterContext.HttpContext.Response.StatusCode = 403;
                    filterContext.Result = new JsonResult {
                        Data = new {
                            Error = "SessionTimeOut"
                        },
                        JsonRequestBehavior = JsonRequestBehavior.AllowGet
                    };
                } else {
                    filterContext.Result = new RedirectToRouteResult(
                        new RouteValueDictionary(
                            new {
                                controller = "Account",
                                action = "Login"
                            }
                        )
                    );
                }
                // base.HandleUnauthorizedRequest is intentionally not called:
                // it would overwrite filterContext.Result with a plain 401 result.
            }
        }
    }

    // MVC filters attach to controllers or action methods.
    [AuthorizedUser(IsAuthorized = true)]
    public class MyFormController : Controller {
        // actions for the form go here
    }
