MVC5 Authentication: Authorize attribute on every controller or base controller

I have been doing a lot of research on the best way to secure my MVC 5 application.

We have one Web.csproj with many WebAPI Controllers and also an MVC site with two areas - one for Admin and then the public facing website.

After reading this article, which states that the base controller is the best way, I decided to go with that approach.

However, I am personally not OK with the use of base controllers (see this Stack Overflow answer for some of my reasoning).

So, given that I am using MVC 5 (ASP.NET Identity and OWIN authentication), can anyone shed some light on the pros and cons of each approach?

JTech asked Apr 16 '14 13:04


1 Answer

The current practice in MVC 5 is to apply the AuthorizeAttribute as a global filter, and open up individual actions/controllers with the AllowAnonymousAttribute.

So in App_Start\FilterConfig.cs add the following lines:

    using System.Web.Mvc;

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // ... existing filters

        // Deny by default: every MVC action now requires an authenticated user.
        // Use the [AllowAnonymous] attribute to open up individual Actions/Controllers.
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
        // Reject plain-HTTP requests so the auth cookie is only ever sent over TLS.
        filters.Add(new RequireHttpsAttribute());
    }

Note: for good measure I have also added the RequireHttpsAttribute, as every authenticated request with ASP.NET Identity carries the auth cookie, which is vulnerable to man-in-the-middle attacks if carried over regular HTTP.

Rudi answered Oct 01 '22 12:10
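The deny-by-default setup from the answer, worked through end to end, as an added example that is not code from the question or the answer. It also covers the caveat a practitioner would hit in the project layout described in the question (MVC areas plus Web API controllers in one Web.csproj): MVC global filters registered in FilterConfig apply only to MVC controllers, and Web API controllers have their own filter collection and their own AuthorizeAttribute in System.Web.Http, so the global filter has to be registered there separately. The namespace, controller names and actions below are hypothetical.

```csharp
// Added example, not code from the question or the answer.
// Assumes the standard ASP.NET MVC 5 + Web API 2 project layout
// (App_Start\FilterConfig.cs and App_Start\WebApiConfig.cs).
// Namespace, controller and action names are hypothetical.
using System.Web.Http;
using System.Web.Mvc;

namespace WebApp
{
    // MVC side: deny by default, opt out per action with [AllowAnonymous].
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Every MVC action (in every area) now requires an authenticated user ...
            filters.Add(new System.Web.Mvc.AuthorizeAttribute());
            // ... and the auth cookie is only ever sent over TLS.
            filters.Add(new RequireHttpsAttribute());
        }
    }

    // Web API side: the MVC global filters above do NOT apply to ApiControllers.
    // Web API has its own pipeline and its own AuthorizeAttribute (System.Web.Http),
    // so the deny-by-default filter must be registered here as well.
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
            config.MapHttpAttributeRoutes();
        }
    }

    // Public-facing MVC controller: only the actions that must be reachable
    // anonymously are opened up explicitly; everything else stays protected.
    public class HomeController : Controller
    {
        [System.Web.Mvc.AllowAnonymous]   // landing page is public
        public ActionResult Index()
        {
            return View();
        }

        // No attribute: inherits the global [Authorize], so unauthenticated
        // users are redirected to the login page by the cookie middleware.
        public ActionResult Dashboard()
        {
            return View();
        }
    }

    // Admin-only Web API controller: tightening beyond the global default
    // (a role requirement) is still expressed with a per-controller attribute.
    [System.Web.Http.Authorize(Roles = "Admin")]
    public class UsersController : ApiController
    {
        public IHttpActionResult Get()
        {
            return Ok(new[] { "alice", "bob" });   // constructed sample data
        }
    }
}
```

A quick check after wiring this up: request an MVC action and an API action with no cookie. The MVC action should redirect to the login page and the API action should return 401; if the API call comes back 200, the Web API filter collection was not configured and the global MVC filter is giving a false sense of coverage.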