MVC5 Authentication: Authorize attribute on every controller or base controller

Question

I have been doing a lot of research on the best way to secure my MVC 5 application.

We have one Web.csproj with many WebAPI Controllers and also an MVC site with two areas - one for Admin and then the public facing website.

After reading this article which states that the Base Controller is best way, I decided to go with that approach.

However, I am personally not OK with the use of base controllers (see this stackoverflow answer for some of my reasoning).

So, given that I am using MVC 5 (ASP.Net Identity and OWIN Authentication) - can anyone shed some light on the pros and cons of each approach?

Answer 1

The current practice in MVC 5 is to apply the AuthorizeAttribute as a Global filter, and open up individual Actions/Controllers with the AllowAnonymousAttribute

So in App_Start\FilterConfig.cs add the following lines:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        ... existing filters

        // use the [AllowAnonymous] attribute to open up individual Actions/Controllers
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
        filters.Add(new RequireHttpsAttribute());
    }

note: for good measure I have also added the RequireHttpsAttribute as every authenticated request with ASP.Net Identity carries the auth cookie, which is vulnerable to Man In The Middle attacks if carried over regular HTTP.

Answer 2

I would always use a base controller, for more reasons than just authentication and authorization...

To get to your question, what we ended up doing was rolling our own custom Authorisation Attributes with complex rules that all inherit from AuthorizeAttribute. Its pretty simple, all you do is inherit from the given attribute and then overwrite the OnAuthorization and AuthorizeCore methods.

Generally, all our controllers do not allow anon access, based on our baseController class. From there it gets as complicated as needed. But it always makes sense to use a base class for things like this and build on top of that. If you ever need to make a very wide system change quickly you tap it into the baseClass and thats it.