I use Asp.Net MVC 3, C# together with ApplicationServices Membership (the standard way, using an MS SQL 2008 db).
My folder structure is
CONTROLLERS
-- PageAController.cs
-- ADMIN
   -- PageBController.cs
I have some Users with the Role "AdminRole", and some with no roles associated (anonymous).
I would like to DENY access to the specific Controller and show a LOGIN page for PageAController.cs and for all Controllers within the folder ADMIN for Users that DO NOT have the "AdminRole" associated.
Hope this helps
Use AuthorizeAttribute
You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the [Authorize] attribute to each controller and action method (except for the login/register methods). Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.
using System.Web.Mvc;

// Only members of AdminRole may reach any action on this controller; everyone else
// gets a 401, which forms authentication turns into a redirect to the login page.
[Authorize(Roles="AdminRole")]
public class PageAController : Controller
{
}

// A comma-separated list grants access to users in either role.
[Authorize(Roles="AdminRole,AnotherRole")]
public class PageBController : Controller
{
}
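As an added example that is not part of the original answer: the same attribute applied through an abstract base class for the ADMIN folder, so every controller placed there inherits the role check, next to the one controller that has to stay open for login. The AccountController, LogOn action, LogOnModel and the "PageB" redirect target are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Security;
// Assumed view model for the login form (not from the original answer).
public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}
// Every controller in the ADMIN folder derives from this class, so the role check is
// inherited (AuthorizeAttribute is Inherited = true) and a controller cannot be dropped
// into that folder without it. Logged-in users lacking AdminRole get a 401 -> login page.
[Authorize(Roles = "AdminRole")]
public abstract class AdminControllerBase : Controller
{
}

// Lives in CONTROLLERS/ADMIN; no attribute needed here, it comes from the base class.
public class PageBController : AdminControllerBase
{
    public ActionResult Index()
    {
        return View();
    }
}

// The only controller left without [Authorize]: the login page itself.
// Name and action are assumed; web.config's forms loginUrl must point at LogOn.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult LogOn()
    {
        return View();
    }
    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            // Only follow a local return URL; a foreign one would be an open redirect.
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "PageB");
        }
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }
}
```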