I create application where every action beside those which enable login should be out of limits for not logged user.
Should I add [Authorize] annotation before every class' headline? Like here:
namespace WebApplication2.Controllers {
[Authorize]
public class HomeController : Controller {
public ActionResult Index() {
return View();
}
public ActionResult About() {
ViewBag.Message = "Your application description page.";
return View();
}
public ActionResult Contact() {
ViewBag.Message = "Your contact page.";
return View();
}
}
}
or there is a shortcut for this? What if I want to change rules for one and only action in particular controller?
Simplest way is to add Authorize attribute in the filter config to apply it to every controller.
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
//Add this line
filters.Add(new AuthorizeAttribute());
}
}
Another way is to have all of your controllers inheriting from a base class. This is something I do often as there is almost always some shared code that all of my controllers can use:
[Authorize]
public abstract class BaseSecuredController : Controller
{
//Various methods can go here
}
And now instead of inheriting from Controller, all of your controllers should inherit this new class:
public class MySecureController : BaseSecuredController
{
}
Note: Don't forget to add AllowAnonymous attribute when you need it to be accessible to non-logged in users.
To build upon DavidG's answer, if you need to require a certain role (in Windows authentication, for example, where everyone is authorized) you can do this:
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new AuthorizeAttribute { Roles = "MyApp Access" });
}
}
来源:https://stackoverflow.com/questions/24970955/how-require-authorization-within-whole-asp-net-mvc-application