Area level security for asp.net mvc

臣服心动 2020-12-15 10:18

I know it is possible to decorate a controller with the Authorize attribute to control access, what I don't know is the accepted or proper way to enforce security across al

4 answers
  •  一生所求
    2020-12-15 10:33

    The only safe way of doing this in an MVC application is to do what David suggests - attributing a base controller and having all controllers in the area subclass that base controller.

    Using a tag for authorization in MVC will open security holes in your application. You're not interested in securing URLs or routes. You want to secure the controllers themselves, since they're the actual resources you're trying to protect. Therefore the protections need to be placed directly on the controllers.

    Furthermore, remember that an area is really just a fancy way of grouping routes, not controllers. Trying to use fancy logic to detect the current area and infer authorization settings will also open security holes in your application.
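
The base-controller approach from the answer above, as an added example that is not part of the original answer: the `[Authorize]` attribute sits on an abstract base class, and a reflection audit lists any controller in the area's namespace that fails to derive from it. It assumes ASP.NET MVC 5 (`System.Web.Mvc`); the namespaces, class names and the `Admin` role are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

namespace MyApp.Areas.Admin.Controllers   // hypothetical area namespace
{
    // Authorization lives on the base class; AuthorizeAttribute is inherited,
    // so every subclass is covered no matter which route reaches it.
    [Authorize(Roles = "Admin")]          // role name is an assumption
    public abstract class AdminAreaController : Controller { }

    public class ReportsController : AdminAreaController
    {
        public ActionResult Index() { return Content("reports"); }
    }

    // Constructed mistake: derives from Controller directly, so nothing protects it.
    public class ExportController : Controller
    {
        public ActionResult Index() { return Content("export"); }
    }
}

namespace MyApp.Security
{
    public static class AreaAuthorizationAudit
    {
        // Returns the concrete controllers in areaNamespace (or a child namespace)
        // that do not derive from the secured base controller.
        public static IList<Type> FindUnprotected(
            Assembly assembly, string areaNamespace, Type securedBase)
        {
            return assembly.GetTypes()
                .Where(t => t.IsClass && !t.IsAbstract)
                .Where(t => typeof(IController).IsAssignableFrom(t))
                .Where(t => t.Namespace != null &&
                            (t.Namespace == areaNamespace ||
                             t.Namespace.StartsWith(areaNamespace + ".", StringComparison.Ordinal)))
                .Where(t => !securedBase.IsAssignableFrom(t))
                .ToList();
        }
    }
}
```

Calling `FindUnprotected` from a unit test or at application start, and failing when the list is non-empty, catches a controller such as `ExportController` before it ships.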
