views:

343

answers:

2

I'm really new to asp.net and mvc, so I'm a bit lost.

I managed to log in with OpenID in my application using this Tutorial.

But I'm not sure if just setting Session["Admin"] = true is the right path to follow, so far my code is something like this:

switch (openid.Response.Status)
{
  case AuthenticationStatus.Authenticated:
    // Only the single configured OpenID (Settings.Default.AdminClaimedIdentifier) is treated as admin.
    if (openid.Response.ClaimedIdentifier.ToString() == Settings.Default.AdminClaimedIdentifier)
      Session["Admin"] = true;
    // Every authenticated user gets a forms-auth ticket named after their claimed identifier.
    FormsAuthentication.RedirectFromLoginPage(openid.Response.ClaimedIdentifier, false);
    break;
  ...
}

The application I'm trying to write only needs one Administrator right now, and I found it to be very easy to just have this admin's OpenID in the Settings.

Basically what I want to do is have one Admin's OpenID in the Settings and then protect a whole folder based on this authentication, so every action inside it and its subfolders needs Admin rights, something like: ~/Admin/whatever/edit/1 needs authentication.

Which would be the simplest and cleanest possible way to do this kind of authentication?

A: 

I don't know about OpenId, but normally you would place the following either at the top of your controller class to lock the whole folder, or at the ActionResult to lock that action:

[Authorize(Roles="admin")]

Hope this helps.

griegs
This will not work unless you combine it with an authorization mechanism. [Authorize] would work, i.e. allow any authenticated user, [Authorize(Roles="admin")] will not with the above code.
veggerby
+1  A: 

OpenID provides you with Authentication (who are you?), whereas limiting access to the "folder" or Admin Controller is Authorization (what can you do?).

A simple solution which can also work for you in the future (based on your needs) is to use the RoleProvider which will allow you to use the Authorize attribute as griegs suggests.

veggerby
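The two answers together describe one procedure: OpenID establishes who the user is, a RoleProvider maps that identity to roles, and [Authorize(Roles="admin")] enforces it. The following is an added example, not code from the question or from either answerer, showing a minimal RoleProvider that grants the "admin" role only to the single claimed identifier held in Settings.Default.AdminClaimedIdentifier (the setting name from the question), the login action that issues the forms-auth ticket, and the controller attribute. Settings.Default, the OpenIdRoleProvider and AccountController class names, and the MyApp namespace are assumptions; the DotNetOpenAuth and System.Web.Security APIs used are the real ones.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;

namespace MyApp
{
    // Hypothetical role provider: the only source of role membership is the one
    // admin OpenID claimed identifier stored in application settings, so no
    // database is involved and the Session flag from the question is not needed.
    public class OpenIdRoleProvider : RoleProvider
    {
        private const string AdminRole = "admin";

        // The forms-auth ticket name is the OpenID claimed identifier set at login,
        // so that is the "username" the framework hands to this provider.
        // Compare the whole identifier string exactly; no prefix or substring match.
        private static bool IsAdmin(string username)
        {
            return !string.IsNullOrEmpty(username)
                && string.Equals(username, Settings.Default.AdminClaimedIdentifier, StringComparison.Ordinal);
        }

        public override string[] GetRolesForUser(string username)
        {
            return IsAdmin(username) ? new[] { AdminRole } : new string[0];
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            return RoleExists(roleName) && IsAdmin(username);
        }

        public override bool RoleExists(string roleName)
        {
            return string.Equals(roleName, AdminRole, StringComparison.OrdinalIgnoreCase);
        }

        public override string[] GetAllRoles() { return new[] { AdminRole }; }

        public override string[] GetUsersInRole(string roleName)
        {
            return RoleExists(roleName) ? new[] { Settings.Default.AdminClaimedIdentifier } : new string[0];
        }

        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            return GetUsersInRole(roleName).Where(u => u == usernameToMatch).ToArray();
        }

        public override string ApplicationName { get; set; }

        // Membership is fixed in configuration, so every mutating operation is refused.
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void CreateRole(string roleName) { throw new NotSupportedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    }

    public class AccountController : Controller
    {
        // Handles the return leg from the OpenID provider.
        public ActionResult Authenticate()
        {
            var openid = new OpenIdRelyingParty();
            IAuthenticationResponse response = openid.GetResponse();
            if (response != null && response.Status == AuthenticationStatus.Authenticated)
            {
                // Use the provider-verified ClaimedIdentifier from the response, never the
                // identifier the user typed into the login form; it becomes the ticket name
                // that the role provider above checks.
                FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false);
                return RedirectToAction("Index", "Home");
            }
            return View("LogOn");
        }
    }

    // In MVC a URL such as ~/Admin/whatever/edit/1 is routed to a controller, not a
    // directory, so "protecting the folder" means putting the attribute on every
    // controller that serves the /Admin routes (or on a shared base controller).
    [Authorize(Roles = "admin")]
    public class WhateverController : Controller
    {
        public ActionResult Edit(int id) { return View(); }
    }
}

/* Web.config fragment that wires the provider in (assumed layout, type name matches above):
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" />
</authentication>
<roleManager enabled="true" defaultProvider="OpenIdRoleProvider">
  <providers>
    <clear />
    <add name="OpenIdRoleProvider" type="MyApp.OpenIdRoleProvider" />
  </providers>
</roleManager>
*/
```

With roleManager enabled, [Authorize(Roles="admin")] asks the provider whether the ticket's user is in the role, which is why the attribute alone did nothing before: the ticket proved authentication, but nothing answered the role question. The exact, ordinal comparison on the full claimed identifier matters because a looser match (case-insensitive host, trailing-slash tolerance, substring) would let a second identifier that merely resembles the admin's one pass the check.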