Home/ Questions/Q 7092091
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T08:16:12+00:00

On an intranet site using windows authentication, and certain controller methods being marked with

  • 0

On an intranet site using windows authentication, and certain controller methods being marked with the “AuthorizeAttribute” controlling access to certain users/groups and roles, I’m trying to figure out the best way to allow “test users” to access these things.

Since <location> is off the table with MVC (security concerns), what is the best approach here?

My first thought is to implement the following:

  1. A custom config section that essentially mirrors the <authorization> section
  2. A custom attribute that inherits from “AuthorizeAttribute” which checks users against the custom config section
  3. Use config transforms to remove the custom config section for QA and Release environments

Is there an easier/better way???

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Update
    What I originally wrote used the attribute syntax on a class or method, but if you are using MVC3 you can also use a global action filter in (global.asax.cs) so you only have to do it once.

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
#if DEBUG
    filters.Add(new AuthorizeAttribute() {Users="YourAccount"});
#endif
    //Your other global action filters
}

    Original
    You could use #if DEBUG to only add the authorization to debug code.

    #if DEBUG
    [Authorize(Users = "YourAccount")]
#endif

    The Authorize attribute allows multiple so you don’t have to repeat your production authorized user list or use an #else.

    • 0