I am starting to migrate an ASP.NET WebForms application to ASP.NET MVC 3. The application has a public area which is accessible by all users (also anonymous users) and several areas which are only accessible by authenticated users who are in a specific role.

The WebForms project is organized like so:

Root folder -> contains all public pages
 |
 --- Private subfolder -> contains a few pages for ALL authenticated users
      |
      --- Customers subfolder -> contains pages for users in role "Customer"
      --- Suppliers subfolder -> contains pages for users in role "Supplier"
      --- Internals subfolder -> contains pages for users in role "Internal"
           |
           --- Admins subfolder -> contains pages for users in role "Admin"
      etc.

Currently the authorization is managed by web.config files which are in the different subfolders. For example the Customers subfolder contains the following web.config:

<configuration>
    <system.web>
        <authorization>
            <allow roles="Customer" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

In ASP.NET Webforms no more configuration is required then. This authorization is applied to all pages in the Customers subfolder.

What is the best way to migrate this structure to ASP.NET MVC 3? Or more specifically:

  • Do such web.config files with authorization settings still work in MVC on folder basis?
  • If not, is there another way to apply authorization requirements to all pages in a folder?
  • Can I still organize the various areas in separate folders, especially can I put individual Controllers, Views, Models subfolders under each of the folders Customers, Suppliers, etc. to keep all logic and markup close together?

Thanks for feedback!

1 Comment

  • You can look at the prodinner.codeplex.com sample to see how to use Authorization in MVC. Commented May 8, 2011 at 18:27

2 Answers

Do such web.config files with authorization settings still work in MVC on folder basis

They do but should not be used.

If not, is there another way to apply authorization requirements to all pages in a folder?

In ASP.NET MVC there is no notion of folders. There are controllers, models and views. There are also areas. So you could create a Customers area and have a base controller that all controllers in this area derive from. Then you would decorate this base controller with the [Authorize] attribute. This way all derived controllers and actions will require the user to be authorized in order to access them. You are not required to use an area to achieve this. You could still have a base controller in the main area decorated with this attribute and have all controllers that require authentication derive from it.

Here's a blog post you may take a look at about authorization in ASP.NET MVC.

3 Comments

You can also create your own custom Authorize attribute if more specific behaviour is required.
Thanks! I will go the "area" route and apply the [Authorize] attribute to each controller manually. That's simple and good enough for the size of my application.
In WebForms we divided site structure into folders according to authorization logic, because it becomes easily configurable. But in MVC you have many ways to solve the authorization security problem, and you should divide logically. If there are only a few pages for authorized users without specific roles, it is better to create a special controller instead of an area and base controller. If some actions should be available for more than one role, you can merge pages into one controller. Don't use a bunch of base controllers with role attributes and areas as a golden hammer. Think about more detailed usage of [Authorize].
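As an added example (not code from the question or from either answer), here is one way to carry the folder-per-role layout over to MVC 3 areas with an authorize attribute on a base controller, as the accepted answer suggests, together with the custom attribute the first comment mentions. All names (MyApp, the Customers and Internals areas, RoleAuthorizeAttribute, OrdersController, AdminsController) are assumed. Attributes are preferred over folder web.config rules because MVC routing does not map URLs to folders: a controller stays reachable through every route that resolves to it, so a URL-based `<location>` rule can be sidestepped by a second route to the same action, while a filter on the controller runs no matter which URL reached it.

```csharp
// Added example, not code from the question or answers. Maps the WebForms
// folder layout (Customers, Internals/Admins) onto MVC 3 areas plus attributes.
// Namespaces and type names are hypothetical.
using System.Web;
using System.Web.Mvc;

namespace MyApp.Areas.Customers
{
    // Registers the /Customers/{controller}/{action} URL space. An area is an
    // organisational unit only; it enforces nothing by itself.
    public class CustomersAreaRegistration : AreaRegistration
    {
        public override string AreaName { get { return "Customers"; } }

        public override void RegisterArea(AreaRegistrationContext context)
        {
            context.MapRoute(
                "Customers_default",
                "Customers/{controller}/{action}/{id}",
                new { controller = "Orders", action = "Index", id = UrlParameter.Optional });
        }
    }
}

namespace MyApp.Filters
{
    // AuthorizeAttribute answers an authenticated user who lacks the role with 401,
    // which forms authentication turns into a redirect to the login page, so a
    // logged-in Supplier requesting /Customers sees a login form instead of
    // "forbidden". This subclass returns 403 for that case and keeps the login
    // redirect only for anonymous users.
    public class RoleAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
                return;
            }
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

namespace MyApp.Areas.Customers.Controllers
{
    using MyApp.Filters;

    // Counterpart of Customers/web.config: every controller in the area derives
    // from this, so the role check applies to all of its actions.
    [RoleAuthorize(Roles = "Customer")]
    public abstract class CustomersControllerBase : Controller { }

    public class OrdersController : CustomersControllerBase
    {
        public ActionResult Index() { return View(); }
    }
}

namespace MyApp.Areas.Internals.Controllers
{
    using MyApp.Filters;

    [RoleAuthorize(Roles = "Internal")]
    public abstract class InternalsControllerBase : Controller { }

    // Counterpart of the nested Internals/Admins folder. Caveat: the filter on the
    // base class and the one on this class both run, so a request must satisfy
    // BOTH (Internal AND Admin). A nested web.config written like the Customers
    // one lets anyone in "Admin" through on the child folder's allow rule alone,
    // so the semantics differ; assign roles (or choose attributes) accordingly.
    [RoleAuthorize(Roles = "Admin")]
    public class AdminsController : InternalsControllerBase
    {
        public ActionResult Index() { return View(); }
    }
}
```

Area registrations are picked up by the `AreaRegistration.RegisterAllAreas()` call in Global.asax. Because an abstract base controller with the attribute is the only enforcement point, a new controller added to the area that forgets to derive from it is public; a test that reflects over every `Controller` subclass in the assembly and asserts it carries an authorize attribute (or derives from a base that does) catches that regression early.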
The only supported way to secure your MVC application is to apply the [Authorize] attribute to each controller and action method.

Here is the link to Rick Anderson's (Microsoft) blog post, Securing your ASP.NET MVC 3 Application.

1 Comment

Thank you, that's a very useful blog post!
