How to secure Static Content under ASP.NET MVC and OWIN

As you can see in my previous post, I am currently working on securing an ASP.NET MVC Web Application based on OWIN. Because of that is this post some sort of continuation of my previous one.

So, my Web Application in pure Single Page Application that works on AngularJS and is being generated by a Gulp Task Runner as a static content. Because we also have some REST Web API Methods in our Application that are used by Single Page Application, it was not possible to implement the Security of our Web Application completely on Client via ADAL or any other Javascript Library so we used (in our case Active Directory Federation Services) Owin Security Provider and added it to our ASP.NET MVC Web Application. Now we can easily use [Authorize] Tags on our Web API Methods.

But now we had a Problem of securing our Single Page Application that is actually a static content in our ASP.NET MVC Web Application. For that I injected this simple Code Snippet that will be called upon every Request:

app.Use((context, cont) =>


if ((context.Authentication.User != null) &&

(context.Authentication.User.Identity != null) &&



return cont();




return Task.Delay(0);



It simply checks if the user is authenticated, and if not, it Challenges our OWIN Authentication Provider to authenticate the user (in our case ADFS). Now we don't even have to use our [Authorize] Tags because all Request will need to be authenticated, what can make some problems in certain cases if you have some Web API Methods that needs to be publicly exposed.

Posted Oct 10 2016, 12:38 PM by Armin Kalajdzija
Filed under: , , is a .Net Community Blog powered by daenet GmbH.