Migrating authorization logic from ASP.NET Webforms to ASP.NET MVC3

I am starting to migrate an ASP.NET Webforms application to ASP.NET MVC 3. The application has a public area which is accessible by all users (also anonymous users) and several areas which are only accessible by authenticated users who are in a specific role.

The WebForms project is organized like so:

Root folder -> contains all public pages
 |
 --- Private subfolder -> contains a few pages for ALL authenticated users
      |
      --- Customers subfolder -> contains pages for users in role "Customer"
      --- Suppliers subfolder -> contains pages for users in role "Supplier"
      --- Internals subfolder -> contains pages for users in role "Internal"
           |
           --- Admins subfolder -> contains pages for users in role "Admin"
      etc.

Currently the authorization is managed by web.config files which are in the different subfolders. For example the Customers subfolder contains the following web.config :

<configuration>
    <system.web>
        <authorization>
            <allow roles="Customer" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

In ASP.NET Webforms no further configuration is required. This authorization is applied to all pages in the Customers subfolder.

What is the best way to migrate this structure to ASP.NET MVC 3? Or more specifically:

  • Do such web.config files with authorization settings still work in MVC on a folder basis?
  • If not, is there another way to apply authorization requirements to all pages in a folder?
  • Can I still organize the various areas in separate folders? Especially, can I put individual Controllers, Views and Models subfolders under each of the folders Customers, Suppliers, etc. to keep all logic and markup close together?

Thanks for feedback!


    Do such web.config files with authorization settings still work in MVC on a folder basis?

    They do but should not be used.

    If not, is there another way to apply authorization requirements to all pages in a folder?

    In ASP.NET MVC there is no notion of folders. There are controllers, models and views. There are also areas. So you could create a Customers area and have a base controller that all controllers in this area derive from. Then you would decorate this base controller with the [Authorize] attribute. This way all derived controllers and actions will require the user to be authorized in order to access them. You are not required to use an area to achieve this. You could still have a base controller in the main area decorated with this attribute and have all controllers that require authentication derive from it.

    Here's a blog post you may take a look at about authorization in ASP.NET MVC.


    The only supported way to secure your MVC application is to apply the [Authorize] attribute to each controller and action method.

    Here is the link to Microsoft's Rick Anderson's blog post, Securing your ASP.NET MVC 3 Application.
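    The MVC 3 counterpart of the Customers/web.config from the question, combining the base-controller approach from the first answer with the per-controller [Authorize] attribute the second answer recommends. This is added example code, not from the question or either answer; the MyApp namespace, the area registration and the OrdersController name are assumed.

```csharp
using System.Web.Mvc;

namespace MyApp.Areas.Customers
{
    // Registers a "Customers" area so its controllers are served under
    // /Customers/..., mirroring the old Customers subfolder (assumed names).
    public class CustomersAreaRegistration : AreaRegistration
    {
        public override string AreaName { get { return "Customers"; } }

        public override void RegisterArea(AreaRegistrationContext context)
        {
            context.MapRoute(
                "Customers_default",
                "Customers/{controller}/{action}/{id}",
                new { action = "Index", id = UrlParameter.Optional });
        }
    }
}

namespace MyApp.Areas.Customers.Controllers
{
    // Replaces <allow roles="Customer" /> plus <deny users="*" />: only an
    // authenticated user in the "Customer" role may reach any action of a
    // derived controller. Anonymous or wrong-role requests get HTTP 401, which
    // forms authentication turns into a redirect to the login page.
    [Authorize(Roles = "Customer")]
    public abstract class CustomersBaseController : Controller
    {
    }

    // Every controller in the area derives from the base, so the requirement
    // cannot be forgotten on an individual controller, which is the risk of
    // decorating each controller by hand.
    public class OrdersController : CustomersBaseController
    {
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

    A controller that is placed in the area but does not derive from CustomersBaseController is unprotected, so the convention is only as strong as the code review that enforces it.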
