enamrik
Reputation: 2312
Centralized Authorization of Controllers and Actions (ASP.NET MVC 3)
Are there any possible security issues or pitfalls to, within a custom AuthorizeAttibute (registered globally), apply authorization based on the controller type and action being called?
e.g. (not real code)
string controllerFullName=_filterContext.ActionDescriptor.ControllerDescriptor.ControllerType.FullName;
string minRequiredRole = GetControllerMinRequiredRole(controllerFullName);
if(User.MeetsRoleRequirement(minRequiredRole))
{
//give access
}
else
{
//no you're not allowed
}
Upvotes: 0
Views: 573
Answers (1)
Adam Tuliper
Reputation: 30152
The main issue is with Authorization caching - so there are a few things to know. Check out the links I've posted here:
Creating a AuthorizeAttribute - what do I need to know?
Look at the code to the existing attribute and how it handles caching to ensure you arent causing the same issue the base attribute prevents.
Upvotes: 1
Related Questions
- How to use the Authorize attribute both at the controller and action level?
- Asp.net MVC4: Authorize on both controller and action
- MVC5 Authentication: Authorize attribute on every controller or base controller
- ASP.NET MVC - use authorize attribute
- Restricting access to action methods in controller in Asp.net MVC
- Asp.Net MVC action based custom authorization
- asp.net MVC Controllers and authentication
- Stacking Authorization in MVC3 Controller
- Where to Authorize Access to a Controller
- Authorize all actions under specific controller (example: adminController)