Can we use <location> tag in web.config to refer to a controller in an MVC application
We have a requirement of restricting access to certain web endpoints in our application to a specific set of IP addresses.
In traditional Web Forms applications we have successfully used a combination of <location> and <ipSecurity> tags in our web.config to restrict access to our handlers (ashx). Will this same approach work for an ASP.NET MVC application where the endpoint is a controller/action instead? Our first attempt of just specifying the controller name in the location's "path" attribute didn't work.
The other approach is to use MVC Authorize/Filter attributes on that controller to get the right restriction in place but we would prefer to control this purely from our web.config rather than in code.
Will this same approach work for an ASP.NET MVC application where the endpoint is a controller/action instead?
Maybe yes, maybe no. It's considered a bad practice to use this tag in an MVC application. I would recommend implementing a custom [Authorize] filter. Of course you could still externalize and read the list of authorized/unauthorized IP addresses from web.config to ease the administration and avoid you recompiling the application if they were to change.
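A sketch of the filter the answer describes, added here as an illustration and not code from the answer's author. The attribute name `IpAllowListAttribute`, the appSettings key `AllowedIPs`, and `ReportsController` are assumptions made for the example; it targets System.Web.Mvc on .NET Framework 4.5 or later.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Assumed web.config entry (key name is hypothetical, addresses are documentation ranges):
//   <appSettings><add key="AllowedIPs" value="203.0.113.10;198.51.100.7" /></appSettings>
public class IpAllowListAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // UserHostAddress is the immediate peer. Behind a reverse proxy or load
        // balancer it is the proxy's address, so the check must run where the
        // real client address is visible.
        IPAddress client;
        if (!IPAddress.TryParse(httpContext.Request.UserHostAddress, out client))
            return false;
        // Normalise ::ffff:a.b.c.d so an IPv4 entry matches on dual-stack hosts.
        if (client.IsIPv4MappedToIPv6) client = client.MapToIPv4();

        string raw = ConfigurationManager.AppSettings["AllowedIPs"] ?? string.Empty;
        foreach (string entry in raw.Split(new[] { ';', ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            IPAddress allowed;
            if (IPAddress.TryParse(entry.Trim(), out allowed) && allowed.Equals(client))
                return true;
        }
        return false; // fail closed: a missing or empty setting denies everyone
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The default result is 401, which Forms Authentication turns into a
        // login redirect; an address-based denial should be a plain 403.
        filterContext.Result = new HttpStatusCodeResult(403);
    }
}

[IpAllowList] // applies to every action on this (hypothetical) controller
public class ReportsController : Controller
{
    public ActionResult Index() { return Content("ok"); }
}
```

Editing the `AllowedIPs` value in web.config changes the list without a rebuild, since saving web.config restarts the application and the setting is read again.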