I am currently preventing anonymous users access to my root application. /web.config <system.web> <authorization> <deny users="?" /> </authorization> </system.web...

I have spent the last week creating an API for an existing MVC application, and am now attempting to secure the API along with reworking the MVC side security as needed. Currently, the MVC applicat...

I am working on setting up a skeleton of custom policy based authorization which will have a set of business rules to authorized the currently logged on user. But, currently the skeleton always end...

I have a custom authorization filter for my API which checks against a token that is saved in the database. So like this override public void OnAuthorization(AuthorizationContext context) { if...

If I want to secure a particular section in my MVC app, I use [Authorize] for the ActionMethod. I also know that I can use it for the entire controller so that I don't have to specify it for each a...

How does one specify root location in web.config to allow unauthenticated users access it? The root location is served by default.aspx, but users normally don't see default.aspx, they just see htt...

I have an ASP.Net WebAPI 2 Application that uses Claims. The claims are stored as two additional columns in a standard Identity2 AspNetUsers table: CREATE TABLE [dbo].[AspNetUsers] ( [Id] INT IDE...

i've stepped through my code a million times and can't find a problem with my implementation.. in custom AuthorizeAttribute i overwrote 2 methods protected override bool AuthorizeCore(HttpCont...

I have created a customized role base authorization attribute.My idea is that when a user with role name "employee" Log In should not be allowed to access the "admin" page through URL. But when I i...

I'm having hard time in deciding an approach while implementing Authentication/Authorization scenario for my Web API (Service) - MVC (client) architecture project. Even though i have implemented Cu...

In ASP.NET the FormsAuthenticationModule intercepts any HTTP 401, and returns an HTTP 302 redirection to the login page. This is a pain for AJAX, since you ask for json and get the login page in ht...

I want to use authorization in the web.config to block access to SignUp.aspx to authenticated users. It cannot be accessed by user such as their roles is administrator and Guest. <location path...

I'm playing around with MVC 4 for the first time to check out what's been changed/added/etc compared to MVC 3. To start off, I created a blank MVC 4 Web Application and started building from scrat...

I have a requirement to implement user privilege elevation in an MVC3 web app, for both Forms and Windows authentication, but this question is critical for Windows auth. This is for a higher privil...

I am curious whether the order in which you supply the <allow> and <deny> elements in the element does matter?

I have decorated my base controller with a couple of action filters. They work fine. One of those filters sets up the request - does things like set the culture based on the domain, etc. I also h...