This repository was archived by the owner on Dec 9, 2022. It is now read-only.

Securing controllers

Kristoffer Ahl edited this page Oct 29, 2013 · 17 revisions

Securing controllers 2.0

FluentSecurity provides several options for securing controllers and their actions. You can choose to secure a single action or to secure a set of actions with just one line of code. Below we describe the methods available and how to use them.

Securing a single controller action

For<TController>(action)

Allows you to secure a single controller action.

Securing a controller

For<TController>()

Allows you to secure all controller actions of the specified controller.

Securing all controllers

ForAllControllers()

Allows you to secure all controller actions in the calling assembly.

Securing all controllers in the specified assemblies

ForAllControllersInAssembly(assembly1, assembly2, assembly3)

Allows you to secure all controller actions in the specified assemblies.

ForAllControllersInAssemblyContainingType<TType>()

Allows you to secure all controller actions in the assembly of the specified type.

Securing all controllers in a namespace

ForAllControllersInNamespaceContainingType<TType>()

Allows you to secure all controller actions in the namespace of the specified type.

Securing controllers based on inheritance

As of version 2.0 we support securing controllers based on inheritance (base/abstract controllers).

ForAllControllersInheriting<TController>()

This method will locate controllers inheriting from the specified controller and allows you to apply policies to all their actions (including inherited actions). This also works for generic base controllers.

Single inherited actions

There is also an overload that allows you to secure a specific action of a base controller.

ForAllControllersInheriting<TController>(action)

Using the syntax above will allow you to apply policies to the specified action of the base controller and the controllers inheriting that action.

Abstract controllers

If the controller specified is marked as abstract, only controllers inheriting from that controller will be secured. However, if the controller is not abstract, the specified controller will also be secured with the same policies.

Additional assemblies

By default FluentSecurity will only locate controllers in the assembly of the base class. If you need to scan a specific set of assemblies you can do this by passing in an array of assemblies to the method as demonstrated below.

ForAllControllersInheriting<TController>(assembly1, assembly2, assembly3)
ForAllControllersInheriting<TController>(action, assembly1, assembly2, assembly3)

Securing controller actions based on a predicate

As of version 2.0 we support securing controller actions based on a predicate.

ForActionsMatching(filter)

In the following example we secure all actions in the calling assembly where the action name starts with the word "Delete".

configuration.ForActionsMatching(info => info.ActionName.StartsWith("Delete"))

ControllerActionInfo

An object of type ControllerActionInfo is passed to the predicate and contains the following properties that you can base your predicate on:

  • ControllerType - The type of the controller being scanned.
  • ActionName - The action name of the current action method.
  • ActionResultType - The return type of the current action method.

Scanning specific assemblies

By default, only the calling assembly is scanned. If you need to scan a specific set of assemblies, you can do so using the syntax below.

ForActionsMatching(filter, assembly1, assembly2, assembly3)
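
The selectors described above, combined into one deny-by-default configuration. This is an added example, not code from the wiki or the FluentSecurity project. The controller classes, the SecurityBootstrapper class and the "Administrator" role are hypothetical; the policy and setup calls (GetAuthenticationStatusFrom, GetRolesFrom, DenyAnonymousAccess, Ignore, RequireAnyRole, HandleSecurityAttribute) are FluentSecurity 2.0 APIs that this page does not cover.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using FluentSecurity;

// Hypothetical controllers, defined only so the configuration has something to target.
public class HomeController : Controller
{
	public ActionResult Index() { return View(); }
}

public abstract class AdminBaseController : Controller { }

public class UsersController : AdminBaseController
{
	public ActionResult Index() { return View(); }
	public ActionResult Delete(int id) { return RedirectToAction("Index"); }
}

public static class SecurityBootstrapper
{
	// Call once from Application_Start.
	public static void Configure()
	{
		SecurityConfigurator.Configure(configuration =>
		{
			configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
			configuration.GetRolesFrom(() => Roles.GetRolesForUser());

			// Baseline: every action in the calling assembly requires an authenticated user.
			configuration.ForAllControllers().DenyAnonymousAccess();

			// The public landing page is opened up explicitly, after the baseline.
			configuration.For<HomeController>(x => x.Index()).Ignore();

			// AdminBaseController is abstract, so only controllers inheriting from it are secured.
			configuration.ForAllControllersInheriting<AdminBaseController>().RequireAnyRole("Administrator");

			// Predicate selector: any action whose name starts with "Delete".
			configuration.ForActionsMatching(info => info.ActionName.StartsWith("Delete")).RequireAnyRole("Administrator");
		});

		// Register the filter that enforces the configured policies on every request.
		GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);
	}
}
```

Starting from ForAllControllers() means an action added later is covered by the baseline even if nobody remembers to write a rule for it.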

Async controllers

As of version 2.0 we support securing async controllers with FluentSecurity.

ASP.NET MVC 4

If you are using MVC4 there are no extra steps you have to take in order for this to work.

public class LongRunningMvc4Controller : Controller
{
	public async Task<ActionResult> Index()
	{
		...
	}
}

ASP.NET MVC 3

If you are using MVC3 you need to make sure you decorate the action you are securing with the ActionName attribute in order for FluentSecurity to figure out the name of the controller action.

public class LongRunningMvc3Controller : AsyncController
{
	[ActionName("Index")]
	public Task<ActionResult> IndexAsync()
	{
		...
	}

	public ActionResult IndexCompleted()
	{
		...
	}
}
