
I'm trying to mix some MVC3 functionality into an existing WebForms application. I've followed a few guides, and got everything set up and working except for the authorization piece. The existing application has `<deny users="*" />` sitting at the root web.config, and each subfolder has its own web.config that allows access to the pages within for specific roles.

My new understanding is that this style can't/shouldn't be used on Controllers, and I should be using Authorize attributes instead. I've decorated my test "HomeController" class with `[Authorize(Roles="AdminRole")]`, but I get an "Access Denied" page when I attempt to view the page.

If I change the root web.config to say `<allow users="*" />`, the page works. Does this mean that the attribute I added to the controller is working, but the root web.config setting is taking precedence over it? I don't want to mess with our existing authorization stuff since the site is well established and I'm just trying to add MVC in to play with. Am I missing something? Thanks for any insight you can provide.

Ocelot20
  • Apparently it's a bad idea - http://blogs.msdn.com/b/rickandy/archive/2010/08/24/securing-your-mvc-application.aspx – David Spence May 22 '12 at 14:51

1 Answer

Ah this is a bit tricky as you are trying to use MVC security in an app already using Web Forms. If this was pure mvc the choice is simple. If you can't pull the mvc features out into a separate app then this leaves you in a bit of a pickle.

My first recommendation would be to try to extract the code. If you are using MVC to only provide restful features maybe also check out MVC4 web api to provide an api for your app and share the components used between them which would require pulling them out of your web app into a Domain library or some other appropriately named library.

With that said, not 100% sure if the `allow users="*"` is working as expected, but I believe it is. It's easy enough to test, simply change `Roles="AdminRole"` to `Roles="placeholder"` and try again.

Setting this though kills the rest of your auth so one idea could be to put all mvc routes under a particular url, such as "/api/" and allow * in the web.config to that path and then use mvc's security on all of your controller methods. This would have low impact to your main web app.

Adam Tuliper
  • Hmm...when I switch to `Roles="placeholder"`, I don't get an "Access Denied" page, I just get an empty response with a 401 code (which makes sense). I think your suggestion would work, but doesn't integrate as nicely as I had hoped. Going to leave this open for a bit before marking as resolved in case there are other ways to go about doing this. – Ocelot20 May 22 '12 at 16:27
  • Adam - is there any new guidance around this? I'm using MVC5 with WebForms running into this same exact situation - http://stackoverflow.com/questions/27785561/configuring-authorization-in-a-mixed-mvc-webforms-web-app – SB2055 Jan 05 '15 at 21:19
  • @SB2055 my guidance would be to upgrade to Identity, follow this for web forms: http://www.asp.net/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/membership-and-administration and mvc continues to use attributes. While I haven't tried to mix them personally, I can't see why it wouldn't work. It's using the same system. I cover Identity here: http://www.microsoftvirtualacademy.com/training-courses/customizing-asp-net-authentication-with-identity – Adam Tuliper Jan 22 '15 at 00:38
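The behaviour in the question (the root `<deny users="*" />` winning over `[Authorize]`) and the carve-out Adam suggests in the answer (allow everything under "/api/" in web.config and let the controller attributes decide) can be expressed in one root web.config. The fragment below is an added example, not the asker's configuration or anything from the answer; the Forms authentication element and the login URL are assumed for illustration, while the `api` path and the `AdminRole` role are the values used in the thread.

```xml
<?xml version="1.0"?>
<!-- Root web.config. Assumed layout; the Forms element and loginUrl are illustrative. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>

    <!-- The existing site-wide rule: nothing is reachable unless a folder's own
         web.config opens it up. UrlAuthorizationModule evaluates this during the
         AuthorizeRequest pipeline stage, before MvcHandler ever runs, so a controller
         decorated with [Authorize(Roles="AdminRole")] never gets to execute: the
         request is already rejected, which is the "Access Denied" seen in the question. -->
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Carve-out for the MVC routes. <location path> is matched against the request's
       virtual path, not a physical folder, so it covers routed URLs such as /api/home
       even though no "api" directory exists on disk. Inside this prefix URL authorization
       is satisfied for everyone and the per-controller [Authorize] attributes become the
       only access control, which is exactly what the answer describes. -->
  <location path="api">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things follow from this layout. First, the `<allow users="*" />` is scoped to the `api` path only, so the rest of the WebForms site keeps its existing deny-by-default posture untouched. Second, within that prefix a controller that someone forgets to decorate is anonymous, because URL authorization no longer backstops it; in MVC3 the usual fail-closed measure is to register a plain `AuthorizeAttribute` in `GlobalFilters.Filters` (the `RegisterGlobalFilters` method in Global.asax) so every action at least requires an authenticated user, and then put the role-specific `[Authorize(Roles="AdminRole")]` on the individual controllers as the question already does.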