I like that approach too. I think that it would just depend on my application and the risk involved. By using the base controller, you're still validating that this route potentially exists. Using a constraint, the route would appear like it does not exist at all. So, I guess the best route would be whatever kind of experience you wanted for an unauthorized user.