---
title: Simple Authorization
author: rick-anderson
description: This document explains how to use the Authorize attribute to restrict access to ASP.NET Core controllers and actions.
keywords: ASP.NET Core,authorization,AuthorizeAttribute
ms.author: riande
manager: wpickett
ms.date: 10/14/2016
ms.topic: article
ms.assetid: 391bcaad-205f-43e4-badc-fa592d6f79f3
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/authorization/simple
---
# Simple Authorization
Authorization in MVC is controlled through the `AuthorizeAttribute` attribute and its various parameters. At its simplest, applying the `AuthorizeAttribute` attribute to a controller or action limits access to that controller or action to any authenticated user.

For example, the following code limits access to the `AccountController` to any authenticated user:
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Controller-level [Authorize]: every action on this controller
// requires an authenticated user.
[Authorize]
public class AccountController : Controller
{
    public ActionResult Login()
    {
        return View();
    }

    public ActionResult Logout()
    {
        return View();
    }
}
```
If you want to apply authorization to an action rather than to the whole controller, apply the `AuthorizeAttribute` attribute to the action itself:
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // No attribute: reachable by anyone, authenticated or not.
    public ActionResult Login()
    {
        return View();
    }

    // Action-level [Authorize]: only this action requires an authenticated user.
    [Authorize]
    public ActionResult Logout()
    {
        return View();
    }
}
```
Now only authenticated users can access the `Logout` action.
You can also use the `AllowAnonymousAttribute` attribute to allow access by non-authenticated users to individual actions. For example:
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Deny by default at the controller level ...
[Authorize]
public class AccountController : Controller
{
    // ... and open only the action that must be reachable anonymously.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    public ActionResult Logout()
    {
        return View();
    }
}
```
This allows only authenticated users access to the `AccountController`, except for the `Login` action, which is accessible to everyone regardless of whether they are authenticated or anonymous.
> [!WARNING]
> `[AllowAnonymous]` bypasses all authorization statements. If you combine `[AllowAnonymous]` with any `[Authorize]` attribute, the `Authorize` attributes will always be ignored. For example, if you apply `[AllowAnonymous]` at the controller level, any `[Authorize]` attributes on the same controller, or on any action within it, will be ignored.
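The following is an added example, not part of the original article, showing the mis-scoping the warning describes beside the corrected layout. The controller and action names (`UnsafeAccountController`, `DeleteAccount`) are hypothetical.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Mis-scoped (hypothetical example): a controller-level [AllowAnonymous]
// bypasses every [Authorize] beneath it, so DeleteAccount is reachable by
// unauthenticated requests even though it looks protected.
[AllowAnonymous]
public class UnsafeAccountController : Controller
{
    public ActionResult Login()
    {
        return View();
    }

    // Ignored: the controller-level [AllowAnonymous] wins over this attribute.
    [Authorize]
    public ActionResult DeleteAccount()
    {
        return View();
    }
}

// Corrected: deny by default with [Authorize] on the controller, then open
// only the single action that must be anonymous. [AllowAnonymous] now
// applies to Login alone; DeleteAccount requires an authenticated user.
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    public ActionResult DeleteAccount()
    {
        return View();
    }
}
```

A quick review check for this class of bug is to search the code base for `[AllowAnonymous]` on classes and confirm that none of those controllers contains an action that was meant to be protected.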