I'm trying to set default access to the methods on my controller, so I've added the [Authorize] attribute on my ApiController.
For the most part, unless overridden with the [AllowAnonymous] attribute, this works fine.
Now I want to add another level into the mix. For my authorized methods by default, I want them to require a specific role (such as admin), so I updated the controller-level attribute to [Authorize(Roles="admin")]. For a few exceptions, I don't care what role they are (just being authenticated is good enough).
I thought I could stick with setting the Authorize attribute at the controller level and override it at the individual method level, but this doesn't appear to work the same way as [AllowAnonymous] does.
Are there any suggestions out there on how to go about this without having to remember to decorate every new method with the default access level? Something like [Authorize(Roles="*")]? Even if I needed to have a default role that every user was a part of, like AuthenticatedUsers, that would be fine.
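
The layering described in the question, as an added example that is not part of the original post. It assumes ASP.NET Web API 2 (System.Web.Http 5.x) with attribute routing enabled; the controller, routes and action names are hypothetical. In Web API 2, [OverrideAuthorization] discards authorization filters declared at higher scopes (controller and global), so the [Authorize] placed next to it is the only one evaluated for that action.

```csharp
using System.Web.Http;

// Hypothetical controller. The controller-level attribute is the secure default:
// any action added later requires the admin role unless it opts out explicitly.
[RoutePrefix("api/reports")]
[Authorize(Roles = "admin")]
public class ReportsController : ApiController
{
    // No attribute: inherits the controller default, admin only.
    [HttpDelete, Route("{id:int}")]
    public IHttpActionResult Delete(int id)
    {
        return Ok();
    }

    // A bare [Authorize] here does NOT relax the default. Both the controller-level
    // and the action-level filters run, so the caller must still be in the admin role.
    [HttpGet, Route("still-admin-only")]
    [Authorize]
    public IHttpActionResult StillAdminOnly()
    {
        return Ok();
    }

    // [OverrideAuthorization] removes the inherited authorization filters;
    // the [Authorize] beside it then requires only an authenticated caller.
    [HttpGet, Route("summary")]
    [OverrideAuthorization]
    [Authorize]
    public IHttpActionResult Summary()
    {
        return Ok(User.Identity.Name);
    }

    // [AllowAnonymous] continues to work as before: no authentication required.
    [HttpGet, Route("ping")]
    [AllowAnonymous]
    public IHttpActionResult Ping()
    {
        return Ok("pong");
    }
}
```

[OverrideAuthorization] on its own leaves the action with no authorization filter at all, so it should always be paired with the replacement [Authorize]; it also discards globally registered authorization filters, not just the controller's.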