I've an Admin area and I want only Admins to enter the area. I considered adding the Authorized attribute to every controller in the Admin area. Isn't there an elegant sol
I have just been investigating this same issue. Since it is not possible to secure controllers based on areas, a simpler option comes to mind.
Create a base controller definition for each area that overrides Controller, and add the security requirement to this. Then you just have to ensure each controller in the area overrides AreaController instead of Controller. For example:
/// <summary>
/// Base controller for all Admin area
/// </summary>
[Authorize(Roles = "Admin")]
public abstract class AdminController : Controller { }
It does still require that you derive each controller in the Admin area from this base,
public class HomeController : AdminController
{
    // .. actions
}
but at least you have a single point where you define the security for the area.
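
The base-class approach above only protects controllers that actually derive from AdminController, so a reflection check run from a unit test can flag one that was added without it. This is an added example, not part of the original answer; it assumes the System.Web.Mvc types and that Admin-area controllers sit in a namespace containing `.Areas.Admin.`, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class AdminAreaAudit
{
    // Assumption: Admin-area controllers live in a namespace such as
    // MyApp.Areas.Admin.Controllers (the default MVC area layout).
    private const string AreaMarker = ".Areas.Admin.";

    // Returns the full names of concrete Admin-area controllers that are NOT
    // restricted to the "Admin" role, either directly or through a base class.
    // Intended use from a test: assert that the returned list is empty, e.g.
    //   AdminAreaAudit.FindUnprotectedControllers(typeof(HomeController).Assembly)
    public static IList<string> FindUnprotectedControllers(Assembly webAssembly)
    {
        return webAssembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract
                        && typeof(Controller).IsAssignableFrom(t)
                        && (t.Namespace + ".").Contains(AreaMarker))
            .Where(t => !IsRestrictedToAdmin(t))
            .Select(t => t.FullName)
            .OrderBy(name => name)
            .ToList();
    }

    private static bool IsRestrictedToAdmin(Type controllerType)
    {
        // inherit: true picks up [Authorize] declared on AdminController.
        return controllerType
            .GetCustomAttributes(typeof(AuthorizeAttribute), true)
            .Cast<AuthorizeAttribute>()
            .Any(a => ListsOnlyAdmin(a.Roles));
    }

    // Roles = "Admin,Editor" admits either role, so it does not count as
    // Admin-only; the list must contain "Admin" and nothing else.
    private static bool ListsOnlyAdmin(string roles)
    {
        var names = (roles ?? string.Empty)
            .Split(',')
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToList();
        return names.Count > 0 && names.All(r => r == "Admin");
    }
}
```

The check covers controller-level attributes only; it does not look at attributes placed on individual actions.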