Windows Identity Framework on ASP.NET MVC - how to authorize user per action basis?

Windows Identity Framework on ASP.NET MVC - how to authorize user per action basis?

Like:

    [Authorize]
    public ActionResult About()
    {
        return View();
    }

Instead of the whole site level security as is the default WIF site integration behaviour?

UPDATE: Maybe should the question 开发者_C百科goes like, how to allow anonymous users to access the site too?

Well as it turns out, authorization element has to be properly set in web.config.

Default is something like:

    <authorization>
        <deny users="?" />
    </authorization>

Which simply mean deny all anonymous users.

But in MVC it should be like:

    <authorization>
        <!--<deny users="?" />-->
    </authorization>

Which mean allow all users, and leave application to handle the authentication.

So that mean default WIF setting have to be reverted:

From:

<authentication mode="None" />

To something like:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

That so, per action authorization in MVC works. Nice. :)

More on Authorization: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

You are able to configure site authentication model in Web.config

http://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx