Simple Authorization
Authorization in MVC is controlled through the AuthorizeAttribute attribute and its various parameters. At its simplest, applying the AuthorizeAttribute attribute to a controller or action limits access to that controller or action to any authenticated user.
For example, the following code limits access to the AccountController to any authenticated user.

    // Every action on this controller requires an authenticated user.
    [Authorize]
    public class AccountController : Controller
    {
        public ActionResult Login()
        {
            return View();
        }

        public ActionResult Logout()
        {
            return View();
        }
    }

If you want to apply authorization to an action rather than the controller, simply apply the AuthorizeAttribute attribute to the action itself:

    public class AccountController : Controller
    {
        public ActionResult Login()
        {
            return View();
        }

        // Only this action requires an authenticated user.
        [Authorize]
        public ActionResult Logout()
        {
            return View();
        }
    }

Now only authenticated users can access the Logout function.
You can also use the AllowAnonymousAttribute attribute to allow access by non-authenticated users to individual actions; for example:

    [Authorize]
    public class AccountController : Controller
    {
        // Exempt from the controller-level [Authorize].
        [AllowAnonymous]
        public ActionResult Login()
        {
            return View();
        }

        public ActionResult Logout()
        {
            return View();
        }
    }

This would allow only authenticated users to access the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated/anonymous status.
Warning
[AllowAnonymous] bypasses all authorization statements. If you combine [AllowAnonymous] and any [Authorize] attribute, the [Authorize] attributes are always ignored. For example, if you apply [AllowAnonymous] at the controller level, any [Authorize] attributes on the same controller, or on any action within it, will be ignored.
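
The override described in the warning is easy to miss in review, so it can be checked mechanically. The following is an added example, not code from the original page or from ASP.NET Core: a reflection-based audit that lists every [Authorize] attribute rendered ineffective by [AllowAnonymous]. AuthorizationAudit, FindIgnoredAuthorize and ReportsController are hypothetical names, and the audit assumes controllers derive from ControllerBase.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical helper: reports where [AllowAnonymous] overrides [Authorize].
public static class AuthorizationAudit
{
    public static IEnumerable<string> FindIgnoredAuthorize(Assembly assembly)
    {
        var controllers = assembly.GetTypes().Where(t =>
            t.IsClass && !t.IsAbstract && typeof(ControllerBase).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            // inherit: true also picks up attributes declared on base controllers.
            bool controllerAnon = controller.IsDefined(typeof(AllowAnonymousAttribute), true);
            bool controllerAuth = controller.IsDefined(typeof(AuthorizeAttribute), true);
            if (controllerAnon && controllerAuth)
                yield return $"{controller.Name}: controller-level [Authorize] is ignored";

            // Only actions declared on this class are inspected here.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
            {
                bool actionAnon = action.IsDefined(typeof(AllowAnonymousAttribute), true);
                bool actionAuth = action.IsDefined(typeof(AuthorizeAttribute), true);
                // [AllowAnonymous] on an action under a controller-level [Authorize]
                // is the intended Login pattern, so it is not reported.
                if (actionAuth && (actionAnon || controllerAnon))
                    yield return $"{controller.Name}.{action.Name}: [Authorize] is ignored";
            }
        }
    }
}

// Constructed sample: Delete looks protected but is reachable anonymously.
[AllowAnonymous]
public class ReportsController : Controller
{
    public IActionResult Index() => Ok();

    [Authorize]
    public IActionResult Delete() => Ok();
}
```

Calling AuthorizationAudit.FindIgnoredAuthorize(typeof(ReportsController).Assembly) from a unit test and asserting that the result is empty turns the warning into a build-time check; for the constructed sample it reports ReportsController.Delete.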