
I am currently writing an MVC2 application using both Windows Authentication and Active Directory. I am still relatively new to MVC2, so I am a little confused about exactly where to implement any authorization code in addition to authentication. I know that you edit the web.config file in the MVC2 application to enable Windows Authentication, for instance. Is that all there is to it?

In terms of checking for a user's roles once that user is authenticated through Windows Authentication, would that be implemented in the controllers? Should that be implemented outside the MVC application, like in a library or something?

Any help with this would be appreciated.

SoftwareSavant

1 Answer


Be careful not to mix authentication and authorization.

Authentication is making sure who the user is. Using Windows authentication is pretty simple: enable it in IIS and in web.config, that's all. When a user goes to your site, if it's on a domain, he will be automatically authenticated, if browser security settings allow it (by default on Internet Explorer if the site is in the intranet zone). Otherwise he will be asked for his user/password.

Authorization is making sure what the user can do. This is enabled via custom logic.

See :

mathieu
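An added example, not code from either poster: one place the "custom logic" for authorization can live in MVC 2 is an `AuthorizeAttribute` subclass applied to a controller. The class names and the `CONTOSO\...` group names are hypothetical, and the code assumes `<authentication mode="Windows" />` in web.config with anonymous access disabled in IIS.

```csharp
// Added example for ASP.NET MVC 2; class and group names are hypothetical.
// Assumes Windows Authentication is enabled in IIS and web.config.
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Authorization filter: checks AD group membership of the authenticated user.
public class AdGroupAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _groups;

    public AdGroupAuthorizeAttribute(params string[] groups)
    {
        _groups = groups ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        // With Windows auth, User is a WindowsPrincipal, so IsInRole resolves AD groups.
        return _groups.Any(g => user.IsInRole(g));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new ForbiddenResult();  // known user, not allowed: 403
        else
            base.HandleUnauthorizedRequest(filterContext); // not authenticated: 401
    }
}

public class ForbiddenResult : ActionResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        context.HttpContext.Response.StatusCode = 403;
    }
}

[AdGroupAuthorize(@"CONTOSO\ReportViewers", @"CONTOSO\ReportAdmins")]
public class ReportsController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Returning 403 for an authenticated user who lacks the group avoids the repeated credential prompt that a 401 triggers under Windows authentication. The same check can be done inline in an action with `User.IsInRole(...)`, but a filter keeps the rule in one place and fails closed when the attribute is present.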