Securing your Controllers with Attributes


Today, while working on an ASP.NET MVC site, I wanted to do something special when securing a controller with the AuthorizeAttribute class:

Initially, Administrator and Management were static readonly instances of the Role class. The Or extension method would combine their internal names into a new Role instance, and because ToString was overridden, the Roles property would receive the correct end result. However, attribute arguments must be known at compile time. Read: constant value. So I couldn't assign Role instances at all.
Also, having to end with a ToString() call didn't seem like a nice thing to do either.

So, back to the drawing board. This time, inside my Role class, I decided to declare my known roles as const string. But then I still can’t use that Or extension method, because that would – again – result in a non-constant expression. I can, however, do this:

Roles is a custom attribute, and is very simple indeed:

So now, you can specify as many roles as you like. And I’m quite happy with this.
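The post's own code blocks did not survive, so the following is an added example, not the author's code, that reconstructs the approach the text describes: known roles as const strings so they can be used as attribute arguments, and a small custom attribute (named RolesAttribute here; the post only says "Roles") that takes any number of role names and forwards them to AuthorizeAttribute.Roles. The class and role names are assumptions. AuthorizeAttribute.Roles expects a comma-separated list and grants access when the user is in any of the listed roles, which is what the original Or combination expressed.

```csharp
using System;
using System.Web.Mvc;

// Known role names as compile-time constants. Attribute arguments must be constant
// expressions, so these can be referenced directly in attributes, unlike the earlier
// static readonly Role instances. Using constants also means a misspelled role name
// is a compile error instead of an attribute that silently denies everyone.
public static class Role
{
    public const string Administrator = "Administrator";
    public const string Management = "Management";
}

// Assumed implementation of the custom attribute (not the post's code): accepts any
// number of role names and joins them into the comma-separated form that
// AuthorizeAttribute.Roles expects. Authorization semantics are unchanged: the user
// must be authenticated and belong to at least one of the listed roles.
public sealed class RolesAttribute : AuthorizeAttribute
{
    public RolesAttribute(params string[] roles)
    {
        if (roles == null || roles.Length == 0)
        {
            // An empty role list would fall back to "any authenticated user",
            // which is rarely what a caller of a Roles attribute intends.
            throw new ArgumentException("At least one role must be specified.", "roles");
        }
        Roles = string.Join(",", roles);
    }
}

// Usage: every action on this controller requires an authenticated user who is in
// the Administrator or the Management role.
[Roles(Role.Administrator, Role.Management)]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Per-action attributes still work; this one is restricted further.
    [Roles(Role.Administrator)]
    public ActionResult Delete(int id)
    {
        return RedirectToAction("Index");
    }
}
```

Because the attribute derives from AuthorizeAttribute, the framework's normal behaviour applies: an unauthenticated request gets a 401 (redirected to the login page under forms authentication), and an authenticated user outside all listed roles is refused. The check happens only on controllers or actions that carry the attribute, so the usual caveat remains that every controller exposing protected data must be decorated, or a global filter used as the default.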
But @chrissie pointed me towards www.fluentsecurity.net, which offers an entirely different approach. Also worth a look!