23563

ASP.NET MVC: Restricting access using url

Question:

The URL for the administration section of my website always starts with Admin/. Is it possible in ASP.NET MVC to restrict access to users by using this part of the URL?

Obviously I would keep the [Authorize(Roles = "Administrator")] on appropriate controllers and actions but I wonder if it would be quicker for the application if it can just look at the URL instead of stepping into code.

Answer1:

Found the answer in Steven Sanderson's book, <a href="http://books.google.co.nz/books?id=Xb3a1xTSfZgC&pg=PA529&lpg=PA529&dq=ASP.NET+MVC:+Restricting+access+using+url&source=bl&ots=J9HbYav7ao&sig=aT3TSIBV8hVrlF1BHgdAbEsQBdI&hl=en&ei=jOieSoeeHYPQsQOq1O2PDg&sa=X&oi=book_result&ct=result&resnum=1#v=onepage&q=&f=false" rel="nofollow">Pro ASP.NET MVC Framework</a>.

Put the following code in your web.config file.

<location path ="Admin"> <system.web> <authorization> <deny users="?"/> <allow roles="Administrator"/> <deny users="*"/> </authorization> </system.web> </location>

This means for any URL matching ~/Admin/*, the application will deny access to unauthenticated visitors or any other visitors other than those with the role 'Administrator'.

Answer2:

That will work but you then tie the authorisation to your current Routing model. The beauty of authorising the Actions is that it abstracts the functionality (which is, actually, what you want to control) from the url structure that you are currently using.

It also means that you can Unit Test this functionality.

Answer3:

You can create a BaseAdminController, having all of your Admin Controllers extend this:

[Authorize(Roles = "Administrator")] public class BaseAdminController : Controller { }

Now, if you want it by URL, you did it correct already, but if you are just saving yourself from making sure it's on everything, above is the way. Then, you're tests can just make sure that all controllers in the Admin namespace extend this controller.

Recommend

  • LLDB: Must I build it from source (XCode project) to use it from the command line?
  • Passing in a querystring with a space?
  • ASP.NET MVC Paging, Preserving Current Query Parameters
  • Stop JMeter test execution only after n assertion errors
  • MVVM, ObservableCollection, async, etc
  • SQL: Query for a group that contains an exact set of users
  • SQL query comparing an attribute in multiple tuples based on values of another attribute within the
  • What is the best way to join ordered arrays?
  • Which table should be Parent table and which should be child table?
  • Proguard Exception java.io.IOException: Duplicate zip entry
  • Capturing STDOUT in RSpec
  • Is there an HTML code that can make my background picture transparent and my text non-transparent?
  • ASP.NET MVC2 Error: No parameterless constructor defined for this object
  • Distribute Range of Numbers between each threads
  • Compiling dlib on OS X
  • how does System.Web.HttpRequest::PathInfo work?
  • Scala multiline string placeholder
  • Does Mobilefirst provide a provision to access web services directly?
  • Connect .sks to skscene.h
  • Why does access(2) check for real and not effective UID?
  • Checking free space on FTP server
  • Spring Data JPA custom method causing PropertyReferenceException
  • Exchange data b/w iOS devices using Bluetooth 4.0
  • Sails.js/waterline: Executing waterline queries in toJSON function of a model?
  • C# - Serializing and deserializing static member
  • script to move all files from one location to another location
  • Sending data from AppleScript to FileMaker records
  • ILMerge & Keep Assembly Name
  • Symfony2: How to get request parameter
  • Jquery - Jquery Wysiwyg return html as a string
  • Run Powershell script from inside other Powershell script with dynamic redirection to file
  • Arrays break string types in Julia
  • How to include full .NET prerequisite for Wix Burn installer
  • WPF Applying a trigger on binding failure
  • Acquiring multiple attributes from .xml file in c#
  • How to CLICK on IE download dialog box i.e.(Open, Save, Save As…)
  • Java static initializers and reflection
  • How can I remove ASP.NET Designer.cs files?
  • Is it possible to post an object from jquery to bottle.py?
  • java string with new operator and a literal