AspNetCore.Docs/aspnetcore/security/authorization/simple.md

---
title: Simple authorization in ASP.NET Core
author: rick-anderson
description: Learn how to use the Authorize attribute to restrict access to ASP.NET Core controllers and actions.
ms.author: riande
ms.date: 10/14/2016
uid: security/authorization/simple
---
# Simple authorization in ASP.NET Core

<a name="security-authorization-simple"></a>

Authorization in MVC is controlled through the `AuthorizeAttribute` attribute and its various parameters. At its simplest, applying the `AuthorizeAttribute` attribute to a controller or action limits access to the controller or action to any authenticated user.

For example, the following code limits access to the `AccountController` to any authenticated user.

```csharp
[Authorize]
public class AccountController : Controller
{
    public ActionResult Login()
    {
    }

    public ActionResult Logout()
    {
    }
}
```

If you want to apply authorization to an action rather than the controller, apply the `AuthorizeAttribute` attribute to the action itself:

```csharp
public class AccountController : Controller
{
   public ActionResult Login()
   {
   }

   [Authorize]
   public ActionResult Logout()
   {
   }
}
```

Now only authenticated users can access the `Logout` function.

You can also use the `AllowAnonymous` attribute to allow access by non-authenticated users to individual actions. For example:

```csharp
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login()
    {
    }

    public ActionResult Logout()
    {
    }
}
```

This would allow only authenticated users to the `AccountController`, except for the `Login` action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.

> [!WARNING]
> `[AllowAnonymous]` bypasses all authorization statements. If you combine `[AllowAnonymous]` and any `[Authorize]` attribute, the `[Authorize]` attributes are ignored. For example if you apply `[AllowAnonymous]` at the controller level, any `[Authorize]` attributes on the same controller (or on any action within it) is ignored.
Add docfx content 2016-10-29 01:35:15 +08:00			`---`
Title, description, and H1 updates (3) (#5717) 2018-03-20 07:40:34 +08:00			`title: Simple authorization in ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00			`author: rick-anderson`
Title, description, and H1 updates (3) (#5717) 2018-03-20 07:40:34 +08:00			`description: Learn how to use the Authorize attribute to restrict access to ASP.NET Core controllers and actions.`
Organize metadata (#5296) Updates 2018-01-29 23:21:31 +08:00			`ms.author: riande`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.date: 10/14/2016`
			`uid: security/authorization/simple`
			`---`
Title, description, and H1 updates (3) (#5717) 2018-03-20 07:40:34 +08:00			`# Simple authorization in ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00
Fix invalid bookmarks (#4570) 2017-10-14 04:50:30 +08:00			`<a name="security-authorization-simple"></a>`
Add docfx content 2016-10-29 01:35:15 +08:00
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			Authorization in MVC is controlled through the `AuthorizeAttribute` attribute and its various parameters. At its simplest, applying the `AuthorizeAttribute` attribute to a controller or action limits access to the controller or action to any authenticated user.
Add docfx content 2016-10-29 01:35:15 +08:00
			For example, the following code limits access to the `AccountController` to any authenticated user.

fixed code snippets 2016-11-18 13:03:07 +08:00			```csharp
Add docfx content 2016-10-29 01:35:15 +08:00			`[Authorize]`
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			`public class AccountController : Controller`
			`{`
			`public ActionResult Login()`
			`{`
			`}`
Add docfx content 2016-10-29 01:35:15 +08:00
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			`public ActionResult Logout()`
			`{`
			`}`
			`}`
			```
Add docfx content 2016-10-29 01:35:15 +08:00
Dedent controller code sample 2017-12-07 05:05:16 +08:00			If you want to apply authorization to an action rather than the controller, apply the `AuthorizeAttribute` attribute to the action itself:
Add docfx content 2016-10-29 01:35:15 +08:00
fixed code snippets 2016-11-18 13:03:07 +08:00			```csharp
Add docfx content 2016-10-29 01:35:15 +08:00			`public class AccountController : Controller`
Dedent controller code sample 2017-12-07 05:05:16 +08:00			`{`
			`public ActionResult Login()`
Add docfx content 2016-10-29 01:35:15 +08:00			`{`
Dedent controller code sample 2017-12-07 05:05:16 +08:00			`}`
Add docfx content 2016-10-29 01:35:15 +08:00
Dedent controller code sample 2017-12-07 05:05:16 +08:00			`[Authorize]`
			`public ActionResult Logout()`
			`{`
Add docfx content 2016-10-29 01:35:15 +08:00			`}`
Dedent controller code sample 2017-12-07 05:05:16 +08:00			`}`
			```
Add docfx content 2016-10-29 01:35:15 +08:00
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			Now only authenticated users can access the `Logout` function.
Add docfx content 2016-10-29 01:35:15 +08:00
Replace AllowAnonymousAttribut by AllowAnonymous (#5397) Replace AllowAnonymousAttribut by AllowAnonymous for the name of the attribut 2018-02-09 00:56:26 +08:00			You can also use the `AllowAnonymous` attribute to allow access by non-authenticated users to individual actions. For example:
Add docfx content 2016-10-29 01:35:15 +08:00
fixed code snippets 2016-11-18 13:03:07 +08:00			```csharp
Add docfx content 2016-10-29 01:35:15 +08:00			`[Authorize]`
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			`public class AccountController : Controller`
			`{`
			`[AllowAnonymous]`
			`public ActionResult Login()`
			`{`
			`}`
Add docfx content 2016-10-29 01:35:15 +08:00
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			`public ActionResult Logout()`
			`{`
			`}`
			`}`
			```
Add docfx content 2016-10-29 01:35:15 +08:00
			This would allow only authenticated users to the `AccountController`, except for the `Login` action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.

Fix warning in Simple authorization topic (#7290) 2018-06-26 08:56:24 +08:00			`> [!WARNING]`
			> `[AllowAnonymous]` bypasses all authorization statements. If you combine `[AllowAnonymous]` and any `[Authorize]` attribute, the `[Authorize]` attributes are ignored. For example if you apply `[AllowAnonymous]` at the controller level, any `[Authorize]` attributes on the same controller (or on any action within it) is ignored.