I have an ASP.NET MVC4 web page that is, for the most part, accessed without authentication. There is a single page that I want to protect for admin-only access (ELMAH's error log, specifically). Since I only require a single admin login, I'd like to avoid the complexity of maintaining a user/password database.
I've done some research, and I've found that previous versions of ASP.NET provide the ability to use Forms Authentication with a password encrypted in the web.config:
<forms loginUrl="Admin" name=".ASPXFORMSAUTH">
<credentials passwordFormat="SHA1">
<user name="admin" password="encryptedPassword" />
</credentials>
</forms>
Then, the authentication controller uses FormsAuthentication.Authenticate and FormsAuthentication.RedirectFromLoginPage to validate entered credentials. However, I'm hesitant to use this solution because:
- The
FormsAuthentication.AuthenticateAPI is now obsolete. FormsAuthentication.RedirectFromLoginPagewill redirect the user directly, rather than returning aRedirectResult. This doesn't follow the MVC controller pipeline, and so things like unit testing would be more difficult.
Looking through MSDN samples and the default template, it appears that WebMatrix's WebSecurity.Login API is the new standard for doing Forms Authentication in MVC applications. But, I haven't found a way to use a local (i.e. config-based) authentication provider.
Is there a recommended way to do local authentication, or is this considered a bad practice? What's the simplest method to provide admin authentication without taking on external dependencies?
![Prime Path[POJ3126] [SPFA/BFS]](https://oscimg.oschina.net/oscnet/e1200f32e838bf1d387d671dc8e6894c37d.jpg "Prime Path[POJ3126] [SPFA/BFS]")
