
November 21, 2025 06:59 by Peter
Describe URL-Based Authentication.
Securing particular URLs, files, or route patterns so that only authorized users may access them is known as URL-based authentication.
Examples:
/admin only for Admins
/reports/daily only for Managers
/api/* only for logged-in users
1. URL-Based Authentication in ASP.NET Core
1.1 Protect a Folder or Route Pattern
Example: protect all URLs starting with /admin.
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllerRoute(
        name: "admin",
        pattern: "admin/{controller=Dashboard}/{action=Index}/{id?}")
        .RequireAuthorization("AdminOnly");
});
Authorization policy:
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly",
        policy => policy.RequireRole("Admin"));
});
1.2 Protect a Specific URL
app.MapGet("/reports/daily", () => "Daily Report")
    .RequireAuthorization("ManagerOnly");
Policy:
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ManagerOnly",
        policy => policy.RequireRole("Manager"));
});
1.3 Protect Controller Actions
[Authorize(Roles = "Admin")]
public IActionResult Settings()
{
    return View();
}
This protects the URL that routes to this action, /settings in this example.
1.4 Custom Middleware to Block URLs
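// Register after app.UseAuthentication() so context.User is populated.
app.Use(async (context, next) =>
{
    // StartsWithSegments ignores case and matches whole path segments, so
    // /Secret and /secret/x are both covered; StartsWith("/secret") misses /Secret.
    var isSecret = context.Request.Path.StartsWithSegments("/secret");
    var isAuthenticated = context.User.Identity?.IsAuthenticated == true;
    if (isSecret && !isAuthenticated)
    {
        context.Response.Redirect("/account/login");
        return;
    }
    await next();
});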
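The three rules from the introduction (/admin, /reports/daily, /api/*) wired together in one Program.cs, with a fallback policy so that any URL not listed still requires a signed-in user. This is an added example, not code from the original post. It assumes ASP.NET Core 7 or later (for MapGroup), cookie authentication, and a hypothetical /account/denied page; the handlers are placeholders.

```csharp
// Program.cs: added example, ASP.NET Core 7+ minimal hosting model.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.LoginPath = "/account/login";         // anonymous users are sent here
        o.AccessDeniedPath = "/account/denied"; // assumed page for wrong-role users
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", p => p.RequireRole("Admin"));
    options.AddPolicy("ManagerOnly", p => p.RequireRole("Manager"));

    // Deny by default: an endpoint with no authorization metadata of its own
    // still requires an authenticated user, so a forgotten route is not public.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

app.UseAuthentication(); // must run before UseAuthorization
app.UseAuthorization();

// The only public URLs are the ones explicitly opted out.
app.MapGet("/account/login", () => "Login page placeholder").AllowAnonymous();
app.MapGet("/account/denied", () => "Access denied").AllowAnonymous();

// /admin/* only for Admins: the policy is attached once, to the whole group.
var admin = app.MapGroup("/admin").RequireAuthorization("AdminOnly");
admin.MapGet("/", () => "Admin dashboard");
admin.MapGet("/users", () => "User management");

// /reports/daily only for Managers.
app.MapGet("/reports/daily", () => "Daily Report").RequireAuthorization("ManagerOnly");

// /api/* only for logged-in users (default policy).
var api = app.MapGroup("/api").RequireAuthorization();
api.MapGet("/orders/{id:int}", (int id) => Results.Ok(new { id }));

app.Run();
```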
2. URL-Based Authentication in Classic ASP.NET MVC (Non-Core)
2.1 Protect a Folder Using web.config
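<location path="Admin">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Admin" />
      <!-- Rules are checked top-down and the inherited default allows everyone,
           so end with an explicit deny or any signed-in user gets in. -->
      <deny users="*" />
    </authorization>
  </system.web>
</location>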
2.2 Protect a Single Page
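<location path="Reports/Monthly.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Manager" />
      <!-- Explicit final deny: without it, non-Manager users fall through
           to the inherited allow rule. -->
      <deny users="*" />
    </authorization>
  </system.web>
</location>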
2.3 Protect Controller URL
[Authorize(Roles = "Admin")]
public ActionResult Dashboard()
{
    return View();
}
3. Role-Based URL Control Example
[Authorize(Roles = "Admin, Manager")]
public IActionResult Index()
{
    return View();
}
Route level:
endpoints.MapControllerRoute(
    name: "report",
    pattern: "reports/{*any}")
    .RequireAuthorization("ManagerOnly");
4. URL-Based Authentication for Web APIs
[Authorize]
[Route("api/orders")]
public class OrdersController : ControllerBase
{
    [HttpGet("{id}")]
    public IActionResult Get(int id)
    {
        return Ok();
    }
}
Protect all order-related API URLs:
app.MapControllerRoute("api-protected", "api/orders/{*path}")
    .RequireAuthorization();
Conclusion
ASP.NET Core provides middleware, routing, and policies for URL-based protection. Classic ASP.NET MVC uses web.config and Authorize attributes.
