tags:

views:

63

answers:

2
Q: 

Where to Authorize Access to a Controller

Hi All

I have the following Filter on my Controller:

[Authorize(Roles="Admin")] public class AdminOnlyController : Controller { // stuff }

I showed a couple of guys here at work what I'm doing, and a huge debate emerged with some of the guys claiming that Authorization should not be a responsibility of the Controller. This is the way I learned to do it, according to the book Pro ASP.NET MVC Framework by Steven Sanderson.

None of the other guys were able to suggest how it should be done, other than that it was wrong.

Is it? Is there a better way?

+1  A: 

There's two ways to assign authorization. The controller class or the ActionResult. As opposed to how else you could do it, I'm not very sure.

I don't really see the side of the argument where you argue against the controller managing who's authorized to invoke it. By having the authorization nearby, you follow theory (I forget the name) of 'declare it as close as you can to where you use it.'

It might depend on the background of your coworkers. If they're really used to using something like XML, then I bet they're suggesting some type of configuration file - which seems to be induced due to a more corporate type of programming.

On the flip side, There could be a benefit to extracting out authorization somewhere else (but within the application) so that it's easily modifiable, in case you end up adding a "PaidUser" for example. In that case you wouldn't have to go to every controller to update it. However, I think you end up falling into an all or nothing approach - where it's either in the controller, or it's all in some configuration file. Unless you create a scheme that your central authorization can be overridden by a controller's authorization, except at that point, you can easily lose control of who's managing what and you end up in an 'authorization soup' of sorts.

MunkiPhD  2009-10-01 11:44:42
+1  A: 

The simple answer is yes - that is the best way. The Controllers' Actions are the end point for ALL requests to the application. It makes perfect sense to put the authorisation there.

You could farm the authorisation out to IIS, but that worked better when access was controlled to files (.aspx etc). Now we have a MVC with which you have to control access to multiple actions within one controller.

Chris Arnold  2009-10-01 11:44:43

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data