
Add authentication to ASP.Net Web Forms inside ASP.Net MVC 4

I created an MVC application. I created authentication on every controller, and it works. I'm redirected to the login page if I'm not the authorized user. I have no problem with authorization (sitemapnode role) for controllers.

Now, I created an ASP.NET Web Form inside my ASP.NET MVC project. I put a ReportViewer on the web form. I created a View in MVC, put the ASP.NET web form inside an iframe tag, and that also works. I can view the ReportViewer when I call the right controller.

BUT, I can still view or access the ASP.NET Web Form (with reportviewer) if I'm not authorized by simply typing the location of the ASP.NET Web Form.

How can I apply authorization on my web forms? Similar to the authorization on MVC. If I'm not the authorized user (let's say the 'admin'), I must be redirected to Login page or I must not be able to access the web form. How do I do that?

The bigger question is why you need to mix MVC and WebForms, but anyway...

MS documentation is probably going to be your biggest help:

http://www.asp.net/web-forms/tutorials/security/roles/role-based-authorization-cs

You can lock down in web.config similar to:

    <location path="YourPage.aspx">
        <system.web>
            <authorization>
                <allow roles="sitemapnode" />
                <!-- Without a deny rule, everyone else falls through to the default allow. -->
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

Or at a page method level with attributes:

    [PrincipalPermission(SecurityAction.Demand, Role = "sitemapnode")]
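How URL authorization evaluates the `<allow>`/`<deny>` rules of a `<location>` block, as an added example that is not part of the original answers: a simplified Python model (first matching rule wins, the machine-level default is `<allow users="*" />`) that checks whether a request to the page is blocked. The sample configs are constructed, and the model assumes no `verbs` attributes and no nested path inheritance.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments; page name and role are the ones used in the answer above.
ALLOW_ONLY = """<configuration>
  <location path="YourPage.aspx">
    <system.web>
      <authorization>
        <allow roles="sitemapnode" />
      </authorization>
    </system.web>
  </location>
</configuration>"""
ALLOW_THEN_DENY = ALLOW_ONLY.replace(
    '<allow roles="sitemapnode" />',
    '<allow roles="sitemapnode" /><deny users="*" />')

def _split(value):
    return [v.strip().lower() for v in (value or "").split(",") if v.strip()]

def _matches(rule, user, roles):
    """True if an <allow>/<deny> element applies to this user (None = anonymous)."""
    for u in _split(rule.get("users")):
        if u == "*" or (u == "?" and user is None) or (user and u == user.lower()):
            return True
    held = {r.lower() for r in roles}
    return user is not None and any(r in held for r in _split(rule.get("roles")))

def is_allowed(config_xml, path, user=None, roles=()):
    """Model URL authorization: first matching rule wins, default is allow."""
    root = ET.fromstring(config_xml)
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == path.lower():
            rules += loc.findall("system.web/authorization/*")
    rules += root.findall("system.web/authorization/*")  # application-level rules
    for rule in rules:
        if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # inherited machine-level default: <allow users="*" />

if __name__ == "__main__":
    for name, cfg in (("allow only", ALLOW_ONLY), ("allow + deny", ALLOW_THEN_DENY)):
        print(name, "-> anonymous allowed:", is_allowed(cfg, "YourPage.aspx"))
```

Running the same check against the real `web.config` for every `.aspx` path that must not be public shows which pages are still reachable without a login.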

Use MVC Filters:

    using System;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;
    using System.Web.Routing;
    using System.Web.Security;
    using PortalAPI.SPModels;
    using SICommon.Enums;
    using SICommon.LoggingOperations;

    namespace SupplierPortal.Security {
        public class AuthorizedUser : AuthorizeAttribute {
            public bool IsAuthorized { get; set; }

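            protected override bool AuthorizeCore(HttpContextBase httpContext) {
                // Authenticated() is the poster's own helper and is not shown in the answer.
                // Return a value on every path so the method compiles.
                this.IsAuthorized = Authenticated();
                return this.IsAuthorized;
            }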

            protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) {
                if (filterContext.HttpContext.Request.IsAjaxRequest()) {
                    // AJAX callers get a 403 with a JSON body instead of a redirect.
                    filterContext.HttpContext.Response.StatusCode = 403;
                    filterContext.Result = new JsonResult {
                        Data = new {
                            Error = "SessionTimeOut"
                        },
                        JsonRequestBehavior = JsonRequestBehavior.AllowGet
                    };
                    // No Response.End() here: ending the response would stop the JsonResult from being written.
                } else {
                    // Regular requests are redirected to the login action.
                    filterContext.Result = new RedirectToRouteResult(
                        new RouteValueDictionary(
                            new {
                                controller = "Account",
                                action = "Login"
                            }
                        )
                    );
                }
                // base.HandleUnauthorizedRequest is not called: it would replace Result with an HttpUnauthorizedResult.
            }
        }
    }

    [AuthorizedUser(IsAuthorized = true)]
    public class myformclass {
        //some code in here for form
    }

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 