On an intranet site using Windows authentication, with certain controller methods marked with the "AuthorizeAttribute" controlling access to certain users/groups and roles, I'm trying to figure out the best way to allow "test users" to access these things.
Since <location> is off the table with MVC (security concerns), what is the best approach here?
My first thought is to implement the following:
- A custom config section that essentially mirrors the <authorization> section
- A custom attribute that inherits from "AuthorizeAttribute" which checks users against the custom config section
- Use config transforms to remove the custom config section for QA and Release environments
Is there an easier/better way?
Update: What I originally wrote used the attribute syntax on a class or method, but if you are using MVC3 you can also use a global action filter (in global.asax.cs) so you only have to do it once.
Original: You could use #if DEBUG to only add the authorization to debug code.
The Authorize attribute allows multiple so you don't have to repeat your production authorized user list or use an #else.
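
An added example, not code from the original question or answer: one way to combine the custom attribute from the question with the `#if DEBUG` idea from the answer. In ASP.NET MVC every `[Authorize]` attribute applied to an action must pass, so the test accounts are admitted inside a single attribute here; the attribute name, account names and role are hypothetical.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: identical to [Authorize] in Release builds,
// additionally admits a fixed list of test accounts in Debug builds.
public class AuthorizeWithTestUsersAttribute : AuthorizeAttribute
{
#if DEBUG
    // Constructed sample accounts. This list is compiled only when the
    // DEBUG symbol is defined, so it does not exist in Release assemblies.
    private static readonly string[] TestUsers =
    {
        @"CORP\qa.tester1",
        @"CORP\qa.tester2"
    };
#endif

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

#if DEBUG
        // Test users must still be authenticated by Windows authentication;
        // only the Users/Roles restriction is bypassed for them.
        var user = httpContext.User;
        if (user != null && user.Identity.IsAuthenticated &&
            TestUsers.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
        {
            return true;
        }
#endif
        // Production rule: the Users/Roles configured on the attribute.
        return base.AuthorizeCore(httpContext);
    }
}

public class ReportsController : Controller
{
    // Hypothetical role name; test users pass only in Debug builds.
    [AuthorizeWithTestUsers(Roles = @"CORP\ReportAdmins")]
    public ActionResult Index() { return View(); }
}
```

The bypass depends entirely on the build configuration, so QA and Release deployments must be compiled without the DEBUG symbol.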