Simple Authorization¶

Authorization in MVC is controlled through the AuthorizeAttribute attribute and its various parameters. At its simplest applying the AuthorizeAttribute attribute to a controller or action limits access to the controller or action to any authorized user.

For example, the following code limits access to the AccountController to any authenticated user.

[Authorize]
public class AccountController : Controller
{
    public ActionResult Login()
    {
    }
    public ActionResult Logout()
    {
    }
}

If you want to apply authorization to an action rather than the controller simply apply the AuthorizeAttribute attribute to the action itself;

public class AccountController : Controller
{
    public ActionResult Login()
    {
    }
    [Authorize]
    public ActionResult Logout()
    {
    }
}

Now only authenticated users can access the logout function.

You can also use the AllowAnonymousAttribute attribute to allow access by non-authenticated users to individual actions; for example

[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login()
    {
    }
    public ActionResult Logout()
    {
    }
}

This would allow only authenticated users to the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.

Warning

[AllowAnonymous] bypasses all authorization statements. If you apply combine [AllowAnonymous] and any [Authorize] attribute then the Authorize attributes will always be ignored. For example if you apply [AllowAnonymous] at the controller level any [Authorize] attributes on the same controller, or on any action within it will be ignored.

Simple Authorization¶

Is this page helpful?

Is this page helpful?