Override / disable authorization in ASP.NET MVC 3

I wondered if it is possible to disable / override all authorization attributes.

On the development machine, the Active Directory organization is completely different from the production environment. When I develop / test in the development environment, I have to "delete" all authorization attributes.

The controller action methods use various types of Active Directory groups (in the Authorize attribute).

    [Authorize]
    ...
    [Authorize(Roles=@"domain\HR")]
    ...
    [Authorize(Roles=@"domain\IT")]
    ...

Thanks in advance.

+6
2 answers

I would do the following:

  • Create your own authorization attribute, which will work by default in Release and will always allow the action in Debug, i.e.

     using System.Web;
     using System.Web.Mvc;

     public class MyAuthorizeAttribute : AuthorizeAttribute
     {
         protected override bool AuthorizeCore(HttpContextBase httpContext)
         {
     #if DEBUG
             // Debug builds: every request is treated as authorized.
             return true;
     #else
             // Release builds: the normal user / role check runs.
             return base.AuthorizeCore(httpContext);
     #endif
         }
     }

  • Replace all existing Authorize attributes in your code with your own, i.e.

     [MyAuthorize]
     ...
     [MyAuthorize(Roles=@"domain\HR")]
     ...
     [MyAuthorize(Roles=@"domain\IT")]
     ...

  • Always develop in debug mode and publish in release mode

If you do not want to be tied to the Debug / Release configurations, you can define your own conditional compilation symbol in the project configuration, for example DEVTEST, and replace DEBUG with DEVTEST in step 1.

+10
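
The bypass in the answer above depends only on a compile-time symbol, so a Debug (or DEVTEST) build that ends up on a shared server authorizes every request. The following is an added example, not part of either answer: a variant that additionally requires a local request, debug compilation in web.config and an explicit opt-in setting, and that logs each bypass. The class name `HardenedDevAuthorizeAttribute` and the `DevAuthBypass` appSettings key are assumptions.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

// Hypothetical name; used in place of MyAuthorizeAttribute from the answer above.
public class HardenedDevAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical appSettings key; set it only in a developer's local web.config.
    private const string OptInKey = "DevAuthBypass";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");
#if DEVTEST
        if (BypassAllowed(httpContext))
        {
            // Record every skipped check so a stray DEVTEST build is noticed.
            Trace.TraceWarning("Authorization bypassed for {0} (required roles: {1})",
                httpContext.Request.Path, Roles);
            return true;
        }
#endif
        // Release builds, and DEVTEST builds failing any condition, use the normal check.
        return base.AuthorizeCore(httpContext);
    }

#if DEVTEST
    private static bool BypassAllowed(HttpContextBase httpContext)
    {
        bool optedIn = string.Equals(
            ConfigurationManager.AppSettings[OptInKey], "true",
            StringComparison.OrdinalIgnoreCase);

        return optedIn
            && httpContext.Request.IsLocal       // request came from the same machine
            && httpContext.IsDebuggingEnabled;   // <compilation debug="true"> in web.config
    }
#endif
}
```

`Request.IsLocal` is true for any request that arrives over loopback, so behind a reverse proxy on the same host it does not distinguish users; the opt-in setting and the trace output are what catch that case.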

Instead of overriding AuthorizeAttribute, have you considered using your own? You can create your own attribute and handle the validation logic in it.

Something like this:

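    using System.Web.Mvc;
    using System.Web.Routing;
    using System.Web.Security;

    // ETMembershipUser and UserProfileRole are the application's own types.
    public class AuthorizeRolesAttribute : ActionFilterAttribute
    {
        public UserProfileRole[] Roles { get; set; }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Membership.GetUser() returns null for an anonymous request.
            var user = (ETMembershipUser)Membership.GetUser();
            var profile = user != null ? user.Profile : null;
            if (profile != null && Roles != null)
            {
                foreach (UserProfileRole role in Roles)
                {
                    if (role == profile.Role)
                        return; // role matches: let the action run
                }
            }

            // No matching role: redirect to Home/Index instead of running the action.
            //throw new SecurityException("You can not access this page");
            RouteValueDictionary redirectTargetDictionary = new RouteValueDictionary();
            redirectTargetDictionary.Add("action", "Index");
            redirectTargetDictionary.Add("controller", "Home");
            filterContext.Result = new RedirectToRouteResult(redirectTargetDictionary);
        }
    }
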
0

Source: https://habr.com/ru/post/911180/

