I am having a hard time to understand real use of [Authorize]
attribute in ASP.NET MVC. As per the concept goes, if we decorate a controller method with [Authorize]
attribute, only authenticated users are allowed to access the controllers.
I have developed an ASP.NET MVC application without decorating controllers with [Authorize]
attribute. What I have observed is, if I implement authentication mechanism properly in my application using web.config or some other way, noway I can access the URL {controller}/{action}/{id}
of a particular action method.
System always ask for login. That means my Controllers are secured. My question is this, when I can secure my controllers without using [Authorize]
attribute, then what is the real need of it?
This attribute is useful when you want to use the Authorize attribute on a controller to protect all of the actions inside, but then there is this single action or one or two actions that you want to unprotect and allow anonymous users to reach that specific action.
The Authorize attribute enables you to restrict access to resources based on roles. It is a declarative attribute that can be applied to a controller or an action method. If you specify this attribute without any arguments, it only checks if the user is authenticated.
Usage. Then you can start using [Authorize] attribute in Controller and Action methods. [Authorize(Roles = "Power Users")] public class UsersController : Controller { // ... }
Real power comes with understanding and implementation membership provider together with role provider. You can assign users into roles and according to that restriction you can apply different access roles for different user to controller actions or controller itself.
[Authorize(Users = "Betty, Johnny")]
public ActionResult SpecificUserOnly()
{
return View();
}
or you can restrict according to group
[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
return View();
}
Using [Authorize]
attributes can help prevent security holes in your application. The way that MVC handles URL's (i.e. routing them to a controller rather than to an actual file) makes it difficult to actually secure everything via the web.config file.
Read more here: http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx (via archive.org)
It exists because it is more convenient to use, also it is a whole different ideology using attributes to mark the authorization parameters rather than xml configuration. It wasn't meant to beat general purpose config or any other authorization frameworks, just MVC's way of doing it. I'm saying this, because it seems you are looking for a technical feature advantages which are probably non... just superb convenience.
BobRock already listed the advantages. Just to add to his answer, another scenarios are that you can apply this attribute to whole controller, not just actions, also you can add different role authorization parameters to different actions in same controller to mix and match.
Using Authorize
attribute seems more convenient and feels more 'MVC way'. As for technical advantages there are some.
One scenario that comes to my mind is when you're using output caching in your app. Authorize attribute handles that well.
Another would be extensibility. The Authorize
attribute is just basic out of the box filter, but you can override its methods and do some pre-authorize actions like logging etc. I'm not sure how you would do that through configuration.
The tag in web.config is based on paths, whereas MVC works with controller actions and routes.
It is an architectural decision that might not make a lot of difference if you just want to prevent users that aren't logged in but makes a lot of difference when you try to apply authorization based in Roles and in cases that you want custom handling of types of Unauthorized.
The first case is covered from the answer of BobRock.
The user should have at least one of the following Roles to access the Controller or the Action
[Authorize(Roles = "Admin, Super User")]
The user should have both these roles in order to be able to access the Controller or Action
[Authorize(Roles = "Super User")]
[Authorize(Roles = "Admin")]
The users that can access the Controller or the Action are Betty and Johnny
[Authorize(Users = "Betty, Johnny")]
In ASP.NET Core you can use Claims and Policy principles for authorization through [Authorize]
.
options.AddPolicy("ElevatedRights", policy =>
policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));
[Authorize(Policy = "ElevatedRights")]
The second comes very handy in bigger applications where Authorization might need to be implemented with different restrictions, process and handling according to the case. For this reason we can Extend the AuthorizeAttribute and implement different authorization alternatives for our project.
public class CustomAuthorizeAttribute: AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{ }
}
The "correct-completed" way to do authorization in ASP.NET MVC is using the [Authorize]
attribute.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With