Authorize attribute vs authorization node in web.config

I know I can restrict the access to an ASP.NET MVC 3 application using the authorization tag in web.config

    <authentication mode="Windows"></authentication>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    <authorization>
      <allow roles="MyDomain\MyGroup" />
      <deny users="*" />
      <deny users="?" />
    </authorization>

or decorating the controller base class with an [Authorize()] attribute (or even with a custom Authorize attribute)

    [AdminOnly]
    public class BaseController : Controller { }

The question is: are they alternative and equivalent approaches? Should I always use one approach rather than the other? Which elements should I keep in mind?

Arialdo Martini asked Jul 04 '11 12:07


1 Answer

I know I can restrict the access to an ASP.NET MVC 3 application using the authorization tag in web.config

No, don't use this in ASP.NET MVC.

The question is: are they alternative and equivalent approaches?

No, they are not alternative. You should not use the <authorization> tag in web.config in an ASP.NET MVC application because it is based on paths, whereas MVC works with controller actions and routes. The correct way to do authorization in ASP.NET MVC is using the [Authorize] attribute.

Darin Dimitrov answered Oct 27 '22 00:10
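
The path-versus-action difference the answer describes, as an added example that is not part of the original question or answer: the attribute is enforced on the action itself, so it applies no matter which route reached it, while a path rule in web.config matches only the URL it names. The body of AdminOnlyAttribute, ReportsController, RouteConfig and the "summary" route are hypothetical; the code assumes an ASP.NET MVC 3 project referencing System.Web.Mvc.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical implementation of the question's [AdminOnly]: the stock
// AuthorizeAttribute limited to the group used in the web.config sample.
public class AdminOnlyAttribute : AuthorizeAttribute
{
    public AdminOnlyAttribute()
    {
        Roles = @"MyDomain\MyGroup";
    }
}

// AuthorizeAttribute is declared with Inherited = true, so every controller
// deriving from BaseController gets the check before any action runs.
[AdminOnly]
public abstract class BaseController : Controller { }

// Hypothetical controller used to show two URLs reaching one action.
public class ReportsController : BaseController
{
    public ActionResult Index()
    {
        return Content("admin report");
    }
}

public static class RouteConfig
{
    // Call from Application_Start: RouteConfig.RegisterRoutes(RouteTable.Routes);
    public static void RegisterRoutes(RouteCollection routes)
    {
        // Constructed routes: /summary and /Reports/Index both execute
        // ReportsController.Index. A web.config <location path="Reports">
        // rule would match only the second URL; the attribute covers both.
        routes.MapRoute(
            "Summary",
            "summary/{id}",
            new { controller = "Reports", action = "Index", id = UrlParameter.Optional });

        routes.MapRoute(
            "Default",
            "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}
```

A request from a user outside the group gets a 401 from either URL, because the filter runs after routing has already selected the action.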