.. _security-authorization-simple:

Simple Authorization
====================

Authorization in MVC is controlled through the :dn:class:`~Microsoft.AspNetCore.Authorization.AuthorizeAttribute` attribute and its various parameters. At its simplest, applying the attribute with no parameters to a controller or action limits access to that controller or action to any authenticated user: it checks only that the request carries an authenticated identity, not who that identity is or what it is permitted to do.

For example, the following code limits access to the ``AccountController`` to any authenticated user. Note that this also protects ``Login`` itself, which is rarely what you want; the ``[AllowAnonymous]`` example further down shows the usual fix:

.. code-block:: c#

   using Microsoft.AspNetCore.Authorization;
   using Microsoft.AspNetCore.Mvc;

   // Controller-level [Authorize]: every action below requires an
   // authenticated user, including Login itself.
   [Authorize]
   public class AccountController : Controller
   {
       public ActionResult Login()
       {
           return View();
       }

       public ActionResult Logout()
       {
           return View();
       }
   }

If you want to apply authorization to an action rather than to the whole controller, apply the :dn:class:`~Microsoft.AspNetCore.Authorization.AuthorizeAttribute` attribute to the action itself:

.. code-block:: c#

   using Microsoft.AspNetCore.Authorization;
   using Microsoft.AspNetCore.Mvc;

   public class AccountController : Controller
   {
       // No attribute: reachable by anonymous requests.
       public ActionResult Login()
       {
           return View();
       }

       // Action-level [Authorize]: only this action requires authentication.
       [Authorize]
       public ActionResult Logout()
       {
           return View();
       }
   }

Now only authenticated users can reach ``Logout``; ``Login`` carries no attribute and remains open to anonymous requests. Keep in mind that MVC's default is to allow: an action is unprotected unless an ``[Authorize]`` attribute on the action or its controller (or a globally registered authorization filter) covers it, so every action you leave unattributed is an action you have decided to expose.

You can also use the :dn:class:`~Microsoft.AspNetCore.Authorization.AllowAnonymousAttribute` attribute to allow access by non-authenticated users to individual actions; for example:

.. code-block:: c#

   using Microsoft.AspNetCore.Authorization;
   using Microsoft.AspNetCore.Mvc;

   // Default-deny: the controller requires authentication ...
   [Authorize]
   public class AccountController : Controller
   {
       // ... and individual actions opt out explicitly.
       [AllowAnonymous]
       public ActionResult Login()
       {
           return View();
       }

       public ActionResult Logout()
       {
           return View();
       }
   }

This allows only authenticated users into the ``AccountController``, except for the ``Login`` action, which is accessible to everyone regardless of whether they are authenticated. Putting ``[Authorize]`` on the controller and opting individual actions out with ``[AllowAnonymous]`` is the fail-closed layout: an action added later is protected by default rather than exposed by default.

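The attribute on its own enforces nothing; the hosting pipeline has to authenticate the request and then run authorization against the matched controller action. The following is an added example, not code from the original page, showing the wiring that the controller-level ``[Authorize]`` / action-level ``[AllowAnonymous]`` layout above depends on. It uses the minimal-hosting model of ASP.NET Core 6 and later (an assumption; this page predates it), a cookie authentication scheme and a ``/Account/Login`` login path, all of which are choices made for the example rather than anything the page specifies.

```csharp
// Added example (not from the original page). Assumes ASP.NET Core 6+
// minimal hosting; the cookie scheme and the /Account/Login path are
// example choices, not requirements of the [Authorize] attribute.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// [Authorize] with no parameters asks one question: does HttpContext.User hold
// an authenticated identity? Some authentication scheme must exist to produce
// that identity; cookie authentication is used here for illustration.
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options => options.LoginPath = "/Account/Login");
builder.Services.AddAuthorization();
builder.Services.AddControllersWithViews();

var app = builder.Build();

app.UseRouting();
// Order matters: authentication must populate HttpContext.User before the
// authorization middleware evaluates the [Authorize] metadata on the matched
// endpoint. The attribute is metadata only; these two components enforce it.
app.UseAuthentication();
app.UseAuthorization();

app.MapDefaultControllerRoute();
app.Run();

// Fail-closed layout from the page: the controller requires authentication and
// Login alone opts out, so the login page stays reachable.
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public IActionResult Login() => View();

    // An unauthenticated request here is challenged; for the cookie scheme that
    // means a redirect to LoginPath rather than the action running.
    public IActionResult Logout() => View();
}
```

If the pipeline is assembled by hand (a ``Startup`` class, or a custom middleware order), both ``UseAuthentication()`` and ``UseAuthorization()`` must be present and in that order; a missing or misordered call is the usual reason an ``[Authorize]`` attribute appears to be ignored.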
.. WARNING::

   ``[AllowAnonymous]`` bypasses all authorization statements. If you combine ``[AllowAnonymous]`` with any ``[Authorize]`` attribute, the ``[Authorize]`` attributes are always ignored. For example, if you apply ``[AllowAnonymous]`` at the controller level, any ``[Authorize]`` attributes on the same controller, or on any action within it, are ignored. An action-level ``[Authorize]`` therefore cannot carve a protected action out of an anonymous controller; invert the layout instead and put ``[Authorize]`` on the controller with ``[AllowAnonymous]`` on the actions that must stay open.

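Because the misconfiguration in the warning compiles and runs without complaint, it is worth catching mechanically. The following is an added example, not code from the original page or the ASP.NET Core project: a reflection-based audit, suitable for a unit test or a CI step, that walks every controller in an assembly and flags two things, an action-level ``[Authorize]`` that is neutralised by a controller-level ``[AllowAnonymous]``, and an action with no authorization attribute at all on itself or its controller. The three controllers at the bottom are constructed sample input; ``BrokenAdminController`` and ``ReportsController`` are hypothetical names chosen for the example.

```csharp
// Added example, not part of the original page. The controllers at the bottom
// are constructed sample input for the audit.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public static class AuthorizationAudit
{
    // Returns one finding per problem; an empty list means the assembly is clean.
    public static List<string> Run(Assembly assembly)
    {
        var findings = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(ControllerBase).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            // MVC keys off the IAuthorizeData / IAllowAnonymous interfaces rather than
            // the concrete attribute types, so derived attributes are covered too.
            // inherit: true mirrors MVC honouring attributes on a base controller.
            bool ctrlAuthorize = controller.GetCustomAttributes(inherit: true).OfType<IAuthorizeData>().Any();
            bool ctrlAnonymous = controller.GetCustomAttributes(inherit: true).OfType<IAllowAnonymous>().Any();

            // DeclaredOnly keeps helpers inherited from ControllerBase (Ok, View, ...)
            // out of the action list; [NonAction] methods are not actions either.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && m.GetCustomAttribute<NonActionAttribute>() == null);

            foreach (var action in actions)
            {
                bool actAuthorize = action.GetCustomAttributes(inherit: true).OfType<IAuthorizeData>().Any();
                bool actAnonymous = action.GetCustomAttributes(inherit: true).OfType<IAllowAnonymous>().Any();
                string name = $"{controller.Name}.{action.Name}";

                if (ctrlAnonymous && actAuthorize)
                    findings.Add($"{name}: [Authorize] is never enforced because the controller is [AllowAnonymous]");
                else if (!ctrlAuthorize && !actAuthorize && !ctrlAnonymous && !actAnonymous)
                    findings.Add($"{name}: no [Authorize] and no explicit [AllowAnonymous]; anonymous by default");
            }
        }
        return findings;
    }
}

// Constructed sample input 1: the anti-pattern from the warning. Reset() looks
// protected in a code review but the controller-level attribute wins.
[AllowAnonymous]
public class BrokenAdminController : Controller
{
    public IActionResult Status() => Ok();

    [Authorize]
    public IActionResult Reset() => Ok();
}

// Constructed sample input 2: an action nobody decided about.
public class ReportsController : Controller
{
    public IActionResult Index() => Ok();
}

// Constructed sample input 3: the page's fail-closed layout, which produces no findings.
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public IActionResult Login() => View();

    public IActionResult Logout() => View();
}

public static class Program
{
    public static int Main()
    {
        var findings = AuthorizationAudit.Run(typeof(AccountController).Assembly);
        foreach (var finding in findings) Console.WriteLine(finding);
        // A non-zero exit code fails the CI step whenever anything is flagged.
        return findings.Count;
    }
}
```

The second finding assumes the default allow-by-default behaviour described above. If the application registers a global ``AuthorizeFilter`` or a fallback authorization policy, unattributed actions are already protected and that branch should be dropped to avoid false positives; the first finding remains valid either way, since ``[AllowAnonymous]`` overrides those mechanisms as well.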