Exclude a path from WIF authorization in MVC

Posted on 1/17/2014 @ 4:31 AM in #Vanilla .NET by | Feedback | 1064 views

This used to be so easy in ASP.NET 2.0, remember? All you had to do was <location path= something .. and just say authorization\allow users=”*” .. etc.

How do you do that in ASP.NET MVC that is using passive federation?

Well, its quite easy. Needs two steps,

a) Step #1, in the web.config, comment out the following part,


   1:  <authorization>
   2:        <deny users="?" />
   3:  </authorization>


b) Step #2, all the controllers that need authorization, put the [Authorize] attribute on top, like this,

   1:          [Authorize]
   2:          public ActionResult Index()
   3:          {
   4:              return View();
   5:          }


Now, to be honest, I don’t like this too much. It’s easy, but it also means it is unsecure by default. i.e. unless you remember to put the Authorize attribute on top, (extra step for programmer to do), the controller action is unauthorized. Also, if my app is going to an azure cloud service, I have to switch identity realm between localhost and *.cloudapp.net everytime I deploy. And in this switch, I loose the web.config setting everytime – this is error prone :-)

Did I miss the memo on this? Is there a better way?

Sound off but keep it civil:

Older comments..