Authorize attribute in ASP.NET MVC

Question

Authorize attribute in ASP.NET MVC

I find it difficult to understand the actual use of the [Authorize] attribute in ASP.NET MVC. According to the concept, if we decorate the controller method with the [Authorize] attribute, access to the controllers is allowed only for authenticated users.

I developed an ASP.NET MVC application without decorating controllers with the [Authorize] attribute. I noticed that if I correctly implement the authentication mechanism in my application using web.config or in some other way, now I can access the URL {controller}/{action}/{id} specific action method.

The system always requests a login. This means that my controllers are protected. My question is, when I can protect my controllers without using the [Authorize] attribute, then what is its real need?

+58

asp.net-mvc-3

techmad Jun 01 2018-12-12T00:

source share

7 answers

BobRock · Answer 1 · 2012-06-01 09:56

Real power comes with an understanding and supplier of implementation membership along with a role provider. You can assign users to roles and, in accordance with this restriction, you can apply different access roles for different users to the actions of the controller or the controller itself.

  [Authorize(Users = "Betty, Johnny")] public ActionResult SpecificUserOnly() { return View(); }

or you can limit the group

 [Authorize(Roles = "Admin, Super User")] public ActionResult AdministratorsOnly() { return View(); }

Alex Vallejo · Answer 2 · 2013-05-15 17:22

Using the [Authorize] attributes can help prevent errors in your application. The way MVC processes the URL (i.e., routes them to the controller and not to the actual file) makes it difficult to actually protect everything through the web.config file.

More details here: http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx

m0s · Answer 3 · 2012-06-01 10:04

It exists because it is more convenient to use, as well as a completely different ideology that uses attributes to mark authorization parameters, and not for the xml configuration. It did not have to beat a general-purpose configuration or any other authorization framework, but simply an MVC way. I say this because it seems that you are looking for the benefits of a technical feature that are probably not ... just superior convenience.

BobRock already lists the benefits. To add to his answer, other scenarios are that you can apply this attribute to the entire controller, and not just to actions, you can also add different role authorization parameters for different actions in one controller for mixing and matching.

frennky · Answer 4 · 2012-06-01 14:49

Using the Authorize attribute seems more convenient and more "MVC". As for the technical advantages, there are some.

One scenario that comes to my mind is when you use output caching in your application. An authorized attribute handles this.

Another may be extensibility. The Authorize attribute is simply the main attribute of the filter, but you can override its methods and perform some actions that allow authorization, for example, logging, etc. I am not sure how you will do this with the configuration.

Erik Funkenbusch · Answer 5 · 2012-06-01 20:36

One of the advantages is that you compile access to the application, so it cannot be accidentally changed by anyone modifying Web.config.

This may not be an advantage for you and may be a disadvantage. But for some types of access, this may be preferable.

In addition, I find that the authorization information in Web.config pollutes it and makes it difficult to find things. Thus, in a sense, this is preference; in others, there is no other way to do this.

Anastasios Selmanis · Answer 6 · 2018-07-26 09:43

The tag in web.config is path-based, whereas MVC works with controller actions and routes.

This is an architectural solution that may not matter much if you just want to ban users who are not logged in, but it matters a lot when you try to apply role-based authorization and when you want to customize user processing. types of unauthorized.

The first case is covered from BobRock's answer.

The user must have at least one of the following roles to access the controller or action

 [Authorize(Roles = "Admin, Super User")]

The user must have both of these roles in order to have access to the controller or action.

 [Authorize(Roles = "Super User")] [Authorize(Roles = "Admin")]

Users who can access the controller or action are Betty and Johnny

 [Authorize(Users = "Betty, Johnny")]

In ASP.NET Core, you can use the principles of claims and policies for authorization through [Authorize] .

 options.AddPolicy("ElevatedRights", policy => policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator")); [Authorize(Policy = "ElevatedRights")]

The second is very convenient in large applications where authorization may be required with various restrictions, processing and processing depending on the situation. For this reason, we can expand AuthorizeAttribute and implement various authorization options for our project.

 public class CustomAuthorizeAttribute: AuthorizeAttribute { public override void OnAuthorization(AuthorizationContext filterContext) { } }

The " properly completed " authentication method in ASP.NET MVC uses the [Authorize] attribute.

Ramakrishna P · Answer 7 · 2019-06-12 06:02

I don’t know for the contribution to the response to the stack overflow!

Please be sure to answer the question. Provide details and share your research! But avoid ...

Seeking help, clarifications or answers to other answers. Make statements based on opinion; back them up with links or personal experience.

Authorize attribute in ASP.NET MVC

More articles: