AspNetCore.Docs/aspnetcore/security/authorization/simple.md

76 lines
2.2 KiB
Markdown
Raw Normal View History

2016-10-29 01:35:15 +08:00
---
2017-07-01 07:47:15 +08:00
title: Simple Authorization
2016-10-29 01:35:15 +08:00
author: rick-anderson
2016-11-18 04:13:02 +08:00
description:
keywords: ASP.NET Core,
2016-10-29 01:35:15 +08:00
ms.author: riande
manager: wpickett
ms.date: 10/14/2016
ms.topic: article
ms.assetid: 391bcaad-205f-43e4-badc-fa592d6f79f3
2016-11-17 08:24:57 +08:00
ms.technology: aspnet
ms.prod: asp.net-core
2016-10-29 01:35:15 +08:00
uid: security/authorization/simple
---
# Simple Authorization
<a name=security-authorization-simple></a>
Authorization in MVC is controlled through the `AuthorizeAttribute` attribute and its various parameters. At its simplest applying the `AuthorizeAttribute` attribute to a controller or action limits access to the controller or action to any authenticated user.
2016-10-29 01:35:15 +08:00
For example, the following code limits access to the `AccountController` to any authenticated user.
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
[Authorize]
public class AccountController : Controller
{
public ActionResult Login()
{
}
public ActionResult Logout()
{
}
}
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
If you want to apply authorization to an action rather than the controller simply apply the `AuthorizeAttribute` attribute to the action itself;
2016-10-29 01:35:15 +08:00
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
public class AccountController : Controller
{
public ActionResult Login()
{
}
[Authorize]
public ActionResult Logout()
{
}
}
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
Now only authenticated users can access the logout function.
You can also use the `AllowAnonymousAttribute` attribute to allow access by non-authenticated users to individual actions; for example
2016-10-29 01:35:15 +08:00
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
[Authorize]
public class AccountController : Controller
{
[AllowAnonymous]
public ActionResult Login()
{
}
public ActionResult Logout()
{
}
}
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
This would allow only authenticated users to the `AccountController`, except for the `Login` action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.
>[!WARNING]
> `[AllowAnonymous]` bypasses all authorization statements. If you apply combine `[AllowAnonymous]` and any `[Authorize]` attribute then the Authorize attributes will always be ignored. For example if you apply `[AllowAnonymous]` at the controller level any `[Authorize]` attributes on the same controller, or on any action within it will be ignored.