George Kosmidis

Microsoft MVP | Cloud Solutions Architect | .NET Software Engineer | Organizer of Munich .NET Meetup | Speaker

ASP.NET MVC 5: “Authorization” by default for your web app

by George Kosmidis / Published 8 years and 2 months ago, modified 5 months ago

Securing your MVC app is a tricky business! Although security is a huge topic, one of the problems that you might encounter is that unauthenticated users are allowed by default to execute every action in your web app. This behaviour is potentially unsafe because you have to remember to decorate your actions with the authorize attribute each and every time, and humans are of course prone to errors!

This is why, I would suggest, authentication to be enforced by default, or differently [Authorize] attribute should be added behind the scenes to every action.

Thankfully, you can use global filters to do that!
Open App_Start folder, double click on FilterConfig.cs and add as a global filter the AuthorizeAttribute() like this:

using System.Web;
using System.Web.Mvc;

namespace MyNewProject {
    public class FilterConfig {
        public static void RegisterGlobalFilters( GlobalFilterCollection filters ) {
            filters.Add( new HandleErrorAttribute() );
            filters.Add( new AuthorizeAttribute() );

This way, every controller and action needs authorization before executing its code. The only thing you have to remember, is to allow access wherever you want (e.g. login actio ) using the AllowAnonymous attribute:

public ActionResult Login() {
    return View();

This page is open source. Noticed a typo? Or something unclear?
Edit Page Create Issue Discuss
Microsoft MVP - George Kosmidis

My next events!

Nürnberg Convention Center NCC Ost
Bernhard-Nocht-Straße 97, D-20359, Hamburg