Simple AuthorizationΒΆ

Authorization in MVC is controlled through the Authorize attribute and its various parameters. At its simplest applying the Authorize attribute to a controller or action limits access to the controller or action to any authorized user.

For example, the following code limits access to the AccountController to any authenticated user.

[Authorize]
public class AccountController : Controller
{
    public ActionResult Login()
    {
    }

    public ActionResult Logout()
    {
    }
}

If you want to apply authorization to an action rather than the controller simply apply the Authorize attribute to the action itself;

public class AccountController : Controller
{
    public ActionResult Login()
    {
    }

    [Authorize]
    public ActionResult Logout()
    {
    }
}

Now only authenticated users can access the logout function.

You can also use the MVC’s AllowAnonymous attribute to allow access by non-authenticated users to individual actions; for example

[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login()
    {
    }

    public ActionResult Logout()
    {
    }
}

This would allow only authenticated users to the Account controller, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.

Warning

[AllowAnonymous] bypasses all authorization statements. If you apply combine [AllowAnonymous] and any [Authorize] attribute then the Authorize attributes will always be ignored. For example if you apply [AllowAnonymous] at the controller level any [Authorize] attributes on the same controller, or on any action within it will be ignored.