Dynamic Security for ASP.NET MVC

Question

Dynamic Security for ASP.NET MVC

I am developing an application in ASP.NET MVC, and the usual way to protect actions is to use an attribute Authorizethat protects the entire action.

[Authorize(Roles = "Managers")]
public AtionResult Info(int employeeId )

However, in our design, the application is data driven. Actions on one data set may be allowed, but not allowed on another data set.

// OK
http: // host / Employee / Info / 102

// Not OK
http: // host / Employee / Info / 105

Which template should we use for security for this project?

+3

design security asp.net-mvc

C. Ross Nov 26 '10 at 16:06

source share

2 answers

jfar · Answer 1 · 2010-11-26T16:11:30+0000

You can create a derived Authorize attribute to do whatever you want.

public class DynamicSecurity : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        //go to db
        return true;
    }
}

Lee D · Answer 2 · 2010-11-26T16:10:11+0000

, ActionFilterAttribute, OnActionExecuting - , - , / / , .

Dynamic Security for ASP.NET MVC

More articles: