Authorize annotation:
The Authorize annotation in MVC restricts access to a controller, separating authorized users from unauthorized ones.
Access can be restricted further by role. Because views are reached through the action methods of controllers, this lets a view be served to authorized users only.
Authorize attribute:
The authorize attribute "[Authorize]" grants access to authorized users. If the attribute is applied to an action method, that method can be accessed by authorized users only.
If it is applied to a controller, every action method of that controller is restricted to authorized users. If, within an Authorize-marked controller, you want to grant access to unauthorized users (e.g. a contact-us page),
mark that action with [AllowAnonymous] (the AllowAnonymousAttribute).
Access can be customized further to specific users. The Users and Roles properties specify which users and which roles are granted access to a controller or action method, providing a high level of control and
security over pages.
If a non-authorized user tries to access an action or controller marked with the Authorize attribute, the MVC framework returns a 401 status code. If the site is configured with forms authentication,
the 401 response redirects to the login page.
In the example below, the Manage action is accessible only if the user is authorized, while the other actions can be accessed by anyone.
public class AccountController : Controller
{
public AccountController () { . . . }
public ActionResult Register() { . . . }
public ActionResult Login() { . . . }
[Authorize]
public ActionResult Manage() { . . . }
}
Below, all of the controller's action methods are for authorized users only.
[Authorize]
public class AccountController : Controller
{
public AccountController () { . . . }
public ActionResult Register() { . . . }
public ActionResult Login() { . . . }
public ActionResult Manage() { . . . }
}
Below, all of the controller's action methods are for authorized users except the Login() action.
[Authorize]
public class AccountController : Controller
{
public AccountController () { . . . }
public ActionResult Register() { . . . }
[AllowAnonymous]
public ActionResult Login() { . . . }
public ActionResult Manage() { . . . }
}
Authorization can also be limited to specific users only.
[Authorize(Users="Alice,Bob")]
public ActionResult Manage()
{
. . .
}
Or
[Authorize(Users="Alice,Bob")]
public class AbcController : Controller
{
. . .
}
Below, access to the action is granted according to user roles.
[Authorize(Roles="admin")]
public ActionResult Manage()
{
. . .
}
Or
[Authorize(Roles="admin")]
public class AdminController : Controller
{
. . .
}
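The following is an added example, not code from the original page, that puts the placements above into one controller and shows how the filters combine: a class-level [Authorize] with per-action [AllowAnonymous] opt-outs, a stacked role check, and Users and Roles set on the same attribute. The controller name, action names and bodies are assumptions for illustration.

```csharp
using System.Web.Mvc;

// Class-level default: every action requires an authenticated user.
// A non-authenticated request gets HTTP 401; with forms authentication
// enabled in web.config (<authentication mode="Forms">), that 401 is
// turned into a redirect to the configured loginUrl.
[Authorize]
public class AccountController : Controller
{
    // Explicit opt-out: the login page must be reachable by anyone,
    // otherwise the redirect above would loop.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    [AllowAnonymous]
    public ActionResult Register()
    {
        return View();
    }

    // No attribute of its own: inherits the class-level [Authorize],
    // so any signed-in user may reach it.
    public ActionResult Manage()
    {
        return View();
    }

    // Stacking narrows access. Both filters run independently and each
    // can return 401, so the caller must be authenticated AND in "admin".
    // Inside one Roles list, entries are alternatives: "admin,auditor"
    // would admit a member of either role.
    [Authorize(Roles = "admin")]
    public ActionResult DeleteUser(string id)
    {
        return RedirectToAction("Manage");
    }

    // Users and Roles on the same attribute are also combined with AND:
    // the caller must be Alice or Bob AND hold the "admin" role.
    // The Users comparison is against User.Identity.Name, case-insensitive;
    // the Roles check goes through User.IsInRole, i.e. the role provider.
    [Authorize(Users = "Alice,Bob", Roles = "admin")]
    public ActionResult Audit()
    {
        return View();
    }
}
```

Because the filter runs per request before the action, placing [Authorize] at class level and opting out with [AllowAnonymous] is the safer default: a new action added later is protected unless someone deliberately opens it.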
Properties:
AllowMultiple: Gets or sets a value that indicates whether more than one instance of the filter attribute can be specified. (Inherited from FilterAttribute.)
Order: Gets or sets the order in which the action filters are executed. (Inherited from FilterAttribute.)
Roles: Gets or sets the user roles that are authorized to access the controller or action method.
TypeId: Gets the unique identifier for this attribute. (Overrides Attribute.TypeId.)
Users: Gets or sets the users that are authorized to access the controller or action method.
References:
https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute%28v=vs.118%29.aspx