Security----Authorization----Simple Authorization

Simple Authorization?Simple AuthorizationPeople found this helpful

Authorization in MVC are controlled through the AuthorizeAttribute attribute and its various parameters. At it simplest applying the AuthorizeAttribute attribute to a controller or action limits access to the Controller or action to any AU thenticated user.

Authorization in MVC is implemented AuthorizeAttribute through attributes and their different parameters. The simplest application of AuthorizeAttribute a controller or method's properties is to restrict the use of authenticated users.

For example, the following code limits access to the all AccountController authenticated user.

For example, the following code restricts any authorized user to connect to AccountController .

[Authorize]  Public class accountcontroller:controller{    public  actionresult Login ()    {    }      public ActionResult Logout ()    {    }}

If you want to apply authorization to a action rather than the controller simply apply the AuthorizeAttribute attribute to the action itself;

If you want to implement authorization on a method, rather than simply enforcing authorization on the controller, just AuthorizeAttribute Place the attribute on the method.

 Public class accountcontroller:controller{    public  actionresult Login ()    {    }    [ Authorize]    public  actionresult Logout ()    {    }}

Now only authenticated users can access the logout function.

Now, only authorized users can use the logout function.

You can also with the AllowAnonymousAttribute attribute to allow access by non-authenticated users to individual actions; for example

You can also use AllowAnonymousAttribute attributes to allow non-authorized users to use separate methods, such as:

[Authorize]  Public class accountcontroller:controller{    [allowanonymous]    public  actionresult Login ()    {    }      Public actionresult Logout ()    {    }}

This would allow only authenticated users to AccountController the, except for the Login action, which are accessible by everyone, Rega Rdless of their authenticated or unauthenticated/anonymous status.

This makes it possible for only authorized users to use AccountControllerexcept for the login method, which can be used by anyone who is authorized or not authorized and anonymous.

Warning Note

[allowanonymous] bypasses all Authorization statements. If you apply combine [allowanonymous] and any [authorize] attribute then the authorize attributes would Always be ignored. For example if you apply [allowanonymous] at the Controller level no [authorize] attributes on the Same controller, or on any action within it'll be ignored.

[allowanonymous] ignores all authorization statements. If Federated uses [AllowAnonymous] and [Authorize] attributes, the authorize property is always ignored. For example, if you are using the controller level[AllowAnonymous]，在同一个控制器的任何[Authorize]或者其中的任何方法将被忽略。

Security----Authorization----Simple Authorization