AspNetCore.Docs/aspnet/security/authorization/simple.rst

.. _security-authorization-simple:

Simple Authorization
====================

Authorization in MVC is controlled through the ``Authorize`` attribute and its various parameters. At its simplest applying the ``Authorize`` attribute to a controller or action limits access to the controller or action to any authorized user.

For example, the following code limits access to the AccountController to any authenticated user.

.. code-block:: c#

  [Authorize]
  public class AccountController : Controller
  {  
      public ActionResult Login()
      {      
      }

      public ActionResult Logout()
      {      
      }
  }

If you want to apply authorization to an action rather than the controller simply apply the ``Authorize`` attribute to the action itself;

.. code-block:: c#

  public class AccountController : Controller
  {  
      public ActionResult Login()
      {      
      }

      [Authorize]
      public ActionResult Logout()
      {      
      }
  }

Now only authenticated users can access the logout function.

You can also use the MVC's ``AllowAnonymous`` attribute to allow access by non-authenticated users to individual actions; for example

.. code-block:: c#

  [Authorize]
  public class AccountController : Controller
  {  
      [AllowAnonymous]
      public ActionResult Login()
      {      
      }

      public ActionResult Logout()
      {      
      }
  }

This would allow only authenticated users to the Account controller, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.

.. WARNING::
  ``[AllowAnonymous]`` bypasses all authorization statements. If you apply combine ``[AllowAnonymous]`` and any ``[Authorize]`` attribute then the Authorize attributes will always be ignored. For example if you apply ``[AllowAnonymous]`` at the controller level any ``[Authorize]`` attributes on the same controller, or on any action within it will be ignored.
Add Authz documentation and cleanup authn to its own section 2015-12-09 04:24:37 +08:00			`.. _security-authorization-simple:`

			`Simple Authorization`
			`====================`

			Authorization in MVC is controlled through the ``Authorize`` attribute and its various parameters. At its simplest applying the ``Authorize`` attribute to a controller or action limits access to the controller or action to any authorized user.

			`For example, the following code limits access to the AccountController to any authenticated user.`

			`.. code-block:: c#`

			`[Authorize]`
			`public class AccountController : Controller`
			`{`
			`public ActionResult Login()`
			`{`
			`}`

			`public ActionResult Logout()`
			`{`
			`}`
			`}`

			If you want to apply authorization to an action rather than the controller simply apply the ``Authorize`` attribute to the action itself;

			`.. code-block:: c#`

			`public class AccountController : Controller`
			`{`
			`public ActionResult Login()`
			`{`
			`}`

			`[Authorize]`
			`public ActionResult Logout()`
			`{`
			`}`
			`}`

			`Now only authenticated users can access the logout function.`

			You can also use the MVC's ``AllowAnonymous`` attribute to allow access by non-authenticated users to individual actions; for example

			`.. code-block:: c#`

			`[Authorize]`
			`public class AccountController : Controller`
			`{`
			`[AllowAnonymous]`
			`public ActionResult Login()`
			`{`
			`}`

			`public ActionResult Logout()`
			`{`
			`}`
			`}`

			`This would allow only authenticated users to the Account controller, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.`

			`.. WARNING::`
			``[AllowAnonymous]`` bypasses all authorization statements. If you apply combine ``[AllowAnonymous]`` and any ``[Authorize]`` attribute then the Authorize attributes will always be ignored. For example if you apply ``[AllowAnonymous]`` at the controller level any ``[Authorize]`` attributes on the same controller, or on any action within it will be ignored.