You can set this up in web.config with the authorization element. <configuration> <system.web> <authorization> <allow roles=”domainname\Managers” /> <deny users=”*” /> </authorization> </system.web> </configuration> Basically domain groups are translated into roles when using <authentication mode=”Windows” />. You can read more about it on MSDN
You asked: If I have Authorize attribute on both controller and action, which one will take the effect? Both? To answer this simply: Both. The effect is to AND the two restrictions together. I’ll explain why below … Details So, there are a few reasons you could be asking this. You want to know how … Read more
You could write a custom [Authorize] attribute which would return JSON instead of throwing a 401 exception in case of unauthorized access which would allow client scripts to handle the scenario gracefully: [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)] public class MyAuthorizeAttribute : AuthorizeAttribute { protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) { if (filterContext.HttpContext.Request.IsAjaxRequest()) { filterContext.Result = new JsonResult { … Read more