Authorization for pure HTML pages with ASP.NET

Question

Is it possible to authorize pure HTML files with ASP.NET?

Currently our application uses ASP.NET Web API at server side and AngularJS at client side with "glue" layer of ASP.NET MVC with Razor. We consider eliminating the MVC & Razor layer completely for:

• not having a mix of 2 syntaxes above HTML - both Razor and Angular (at least no need to choose between the two when both can do the job)
• ability to completely extract client side from the solution and probably even use another IDE
• ability to easily replace ASP.NET Web API with a different server

Migration from Razor (asp.net) to Angular JS as a template engine - covers most Razor usages, but authorization. And this explains how to hide HTML pages for non-authenticated users - How to do Forms Authentication on purely HTML pages using ASP.NET?.

Is it possible in ASP.NET to serve HTML pages based on user roles? Probably it's enough to apply authorization for Web API only (which we already do), as raw pages doesn't have any sensitive content.

Answer 1

I agree with your last sentence. First step is to protect the WebAPI JSON services that provide the data. This might be sensitive information that should only be accessible for authorized users.

We have discussed the problem of HTML not being restricted to the role of the user within our dev group and we concluded to ignore this as template HTML without data is not sensitive.

I found an interesting video also talking about such problems here: Writing a Massive Angular App at Google NG Conf.

Answer 2

You can write an HttpModule. Such a module acts as a filter triggered whenever an HTTP request is received, processed, and a response is sent back.

Microsoft has written an example here.

In the module, you can do whatever you like including role-based access control or even attribute-based access control for advanced authorization use cases.