MVC Integration Testing with AuthorizeAttribute

Question

On an intranet site using windows authentication, and certain controller methods being marked with the "AuthorizeAttribute" controlling access to certain users/groups and roles, I'm trying to figure out the best way to allow "test users" to access these things.

Since <location> is off the table with MVC (security concerns), what is the best approach here?

My first thought is to implement the following:

1. A custom config section that essentially mirrors the <authorization> section
2. A custom attribute that inherits from "AuthorizeAttribute" which checks users against the custom config section
3. Use config transforms to remove the custom config section for QA and Release environments

Is there an easier/better way???

Answer 1

Update What I originally wrote used the attribute syntax on a class or method, but if you are using MVC3 you can also use a global action filter in (global.asax.cs) so you only have to do it once.

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
#if DEBUG
    filters.Add(new AuthorizeAttribute() {Users="YourAccount"});
#endif
    //Your other global action filters
}

Original You could use #if DEBUG to only add the authorization to debug code.

#if DEBUG
    [Authorize(Users = "YourAccount")]
#endif

The Authorize attribute allows multiple so you don't have to repeat your production authorized user list or use an #else.