2.2 KiB
| title | author | description | keywords | ms.author | manager | ms.date | ms.topic | ms.assetid | ms.technology | ms.prod | uid |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Simple Authorization | rick-anderson | ASP.NET Core, | riande | wpickett | 10/14/2016 | article | 391bcaad-205f-43e4-badc-fa592d6f79f3 | aspnet | asp.net-core | security/authorization/simple |
Simple Authorization
Authorization in MVC is controlled through the AuthorizeAttribute attribute and its various parameters. At its simplest applying the AuthorizeAttribute attribute to a controller or action limits access to the controller or action to any authenticated user.
For example, the following code limits access to the AccountController to any authenticated user.
[Authorize]
public class AccountController : Controller
{
public ActionResult Login()
{
}
public ActionResult Logout()
{
}
}
If you want to apply authorization to an action rather than the controller simply apply the AuthorizeAttribute attribute to the action itself;
public class AccountController : Controller
{
public ActionResult Login()
{
}
[Authorize]
public ActionResult Logout()
{
}
}
Now only authenticated users can access the logout function.
You can also use the AllowAnonymousAttribute attribute to allow access by non-authenticated users to individual actions; for example
[Authorize]
public class AccountController : Controller
{
[AllowAnonymous]
public ActionResult Login()
{
}
public ActionResult Logout()
{
}
}
This would allow only authenticated users to the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.
[!WARNING]
[AllowAnonymous]bypasses all authorization statements. If you apply combine[AllowAnonymous]and any[Authorize]attribute then the Authorize attributes will always be ignored. For example if you apply[AllowAnonymous]at the controller level any[Authorize]attributes on the same controller, or on any action within it will be ignored.