Home/ Questions/Q 6021213
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T03:40:49+00:00

Currently I have [Authorize] attributes on all of the methods on my AdminController except

  • 0

Currently I have [Authorize] attributes on all of the methods on my AdminController except for the Logon action.

What’s the cleanest way to invert this, so I don’t have to remember to add the attributes to all methods, but rather add an attribute only to the method(s) that should be available without being logged in?

Would I be better just moving the Logon action to its own controller, and applying the [Authorize] attribute to the AdminController class?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In ASP.NET MVC 3 you could implement a custom global action filter provider:

    public class MyProvider : IFilterProvider
{
    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        var rd = controllerContext.RouteData;
        var controller = rd.GetRequiredString("controller");
        if (string.Equals("admin", controller, StringComparison.OrdinalIgnoreCase) &&
            string.Equals("logon", actionDescriptor.ActionName))
        {
            return Enumerable.Empty<Filter>();
        }

        return new[]
        {
            new Filter(new AuthorizeAttribute(), FilterScope.Action, 0)
        };
    }
}

    which could be registered in Application_Start:

    FilterProviders.Providers.Add(new MyProvider());

    Now if you are using some DI container such as NInject for example it supports filter binding syntax meaning that you could configure the kernel to inject the filter dynamically based on the context.

    The pros of this approach is that now nomatter what controller or action is being added to your application => it will require authorization.

    • 0