Hi,

I realise that I can prevent unauthenticated users from accessing views at controller level by applying the [Authorize] attribute and can also filter views down to individual users or roles using this. However, my question is regarding doing the opposite... Is there a way to deny authenticated users from certain views without having to manually add in checks to see if they're authenticated in the opening lines of the controller code? Ideally an [Unauthorized] attribute or an equivalent if such a thing exists?

The reason for this is that I don't want authenticated users to be able to visit the account creation pages of the site I'm working on, as well as other resources. I realise I could check them in the controller explicitly but I'd prefer to decorate the controller methods if at all possible.

Thanks :)

A: 

A simple way to accomplish this? Just leave the action untagged, and start with:

if (Request.IsAuthenticated)
{
    // redirect somewhere, or return another view...
}
Palantir
Thanks for your response. I considered doing this but have opted to follow LukLed's suggestion above.
Mr Bog
A: 

You can write your own authorization filter. Inherit from FilterAttribute and implement IAuthorizationFilter. Call it UnauthorizedAttribute and you will be able to use it like [Authorize].

Here you can read about filters:

http://www.asp.net/LEARN/mvc/tutorial-14-cs.aspx

LukLed
I've done just this :) Many thanks.
Mr Bog
+2  A: 

This is along the lines of what LukLed was referring to:

using System.Web.Mvc;

public class UnAuthorizedAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Replace with the condition under which the request should be rejected
        bool excludeCondition = false;

        if (excludeCondition)
            filterContext.Result = new HttpUnauthorizedResult(); // reject the request
        else
            base.OnAuthorization(filterContext);                 // otherwise run the normal [Authorize] checks
    }
}

Simply put in the logic for your excludeCondition. You can also choose to do things like redirecting to other views. Just mark your code with [UnAuthorized].

Bomlin
Many thanks. I would have set this as my accepted answer, but it seems rude to LukLed. I do appreciate the code example though :)
Mr Bog
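A complete version of the filter LukLed describes, in the shape Bomlin's template sketches, as an added example that is not code from either answer: it inherits FilterAttribute, implements IAuthorizationFilter, lets anonymous requests through and sends already-signed-in users elsewhere. The attribute name AnonymousOnlyAttribute, the redirect defaults and the AccountController actions are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example (not from the original answers): the opposite of [Authorize].
// Anonymous requests pass; a signed-in user is redirected before the action runs.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AnonymousOnlyAttribute : FilterAttribute, IAuthorizationFilter
{
    // Where signed-in users are sent instead. Defaults are assumptions; adjust per site.
    public string RedirectController { get; set; }
    public string RedirectAction { get; set; }

    public AnonymousOnlyAttribute()
    {
        RedirectController = "Home";
        RedirectAction = "Index";
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // Not signed in: nothing to do, the action executes normally.
        if (!filterContext.HttpContext.Request.IsAuthenticated)
            return;

        // Signed in: redirect rather than returning 401. Under forms authentication a 401
        // is turned into a redirect to the login page, which makes no sense for someone
        // who is already logged in; a redirect to a safe landing page is the intended outcome.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = RedirectController, action = RedirectAction }));

        // The decision depends on who is asking, not on the URL, so make sure output
        // caching never serves one user's result to the next visitor.
        filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
    }
}

// Hypothetical controller showing the attribute in use.
public class AccountController : Controller
{
    [AnonymousOnly]
    public ActionResult Register()
    {
        return View();
    }

    // Named arguments override the default landing page for this action only.
    [AnonymousOnly(RedirectController = "Account", RedirectAction = "Manage")]
    public ActionResult ForgotPassword()
    {
        return View();
    }
}
```

Because the check runs in an authorization filter, the action body is never reached for a signed-in user, so no per-action IsAuthenticated checks are needed. The same filter can be applied at class level to cover every action on a controller that should only be reachable while logged out.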
A: 

This could also be accomplished fairly simply if you are already using a RoleProvider. Then your actions would just need to be filtered by the appropriate role:

[Authorize(Roles = "Admin, Editor")]
Jamie M