Creating a AuthorizeAttribute - what do I need to know?

Question

Here are my requirements:

• I\'ll be adding users to N amount of roles; defined in a database.

• I need to protect each controller action with

Answer 1

There are a bunch of ways to handle this. Darin's method and blowdarts (both very skilled individuals - one of them is a security author as well) are decent in the link you provided.

One thing to watch out for is the cache. If you use server side outputcache caching, you may inadvertently cache something for one user that gets returned to another user. Please see:

OutputCache and Authorize filters in MVC3

and

Why can't I combine [Authorize] and [OutputCache] attributes when using Azure cache (.NET MVC3 app)?

and

MVC Custom Authentication, Authorization, and Roles Implementation

for additional info on that and how to handle caching if you are using an authorize attribute.