Authorize attribute vs authorization node in web.config

I know I can restrict the access to an ASP.NET MVC 3 application using the authorization tag in web.config

    <authentication mode="Windows"></authentication>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    <authorization>
      <allow roles="MyDomainMyGroup" />
      <deny users="*" />
      <deny users="?" />
    </authorization>

or decorating the controller base class with an [Authorize()] attribute (or even with a custom Authorize attribute)

    [AdminOnly]
    public class BaseController : Controller { }

The question is: are they alternative and equivalent approaches? Should I always use one approach rather than the other? Which elements should I keep in mind?

Answers:


Method 1

I know I can restrict the access to an ASP.NET MVC 3 application using the authorization tag in web.config

No, don’t use this in ASP.NET MVC.

The question is: are they alternative and equivalent approaches?

No, they are not alternative. You should not use the <authorization> tag in web.config in an ASP.NET MVC application because it is based on paths, whereas MVC works with controller actions and routes. The correct way to do authorization in ASP.NET MVC is using the [Authorize] attribute.
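As an added illustration of the answer above (not code from the original question or answer): a role check attached to the controller is evaluated for every route that reaches it, while a path rule in web.config only matches the URLs it names. The `AdminOnlyAttribute` body, the role name `EXAMPLE\AppAdmins`, `ReportsController` and the `r/{action}` alias route are all assumptions made up for this sketch.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical implementation of the [AdminOnly] attribute named in the question.
public class AdminOnlyAttribute : AuthorizeAttribute
{
    public AdminOnlyAttribute()
    {
        Roles = @"EXAMPLE\AppAdmins"; // constructed placeholder role name
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user who lacks the role gets 403 instead of the
        // default 401, which under Windows authentication re-prompts for credentials.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Every controller deriving from this base inherits the role check.
[AdminOnly]
public abstract class BaseController : Controller { }

public class ReportsController : BaseController
{
    public ActionResult Index() { return Content("reports"); }
}

public static class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // "/r/Index", "/Reports/Index" and "/" all reach ReportsController.Index.
        // A web.config <location path="Reports"> rule would cover only the second
        // URL; the attribute is enforced whichever route matched.
        routes.MapRoute("Alias", "r/{action}",
            new { controller = "Reports", action = "Index" });
        routes.MapRoute("Default", "{controller}/{action}/{id}",
            new { controller = "Reports", action = "Index", id = UrlParameter.Optional });
    }
}
```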


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
