What confused me about all of this is that there are actually two different AuthorizeAttributes:
- System.Web.Http.AuthorizeAttribute
- System.Web.Mvc.AuthorizeAttribute (use this one for Controllers)
First, create your LocalRequestOnly authorize attribute.
using System.Web;
using System.Web.Mvc;
namespace myWebsite
{
public class LocalRequestOnlyAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return httpContext.Request.IsLocal;
}
}
}
Then add [LocalRequestOnly] attribute to either a Controller or Action (it'll work on both).
[LocalRequestOnly]
public class HomeController : Controller
{...}