Authorize attribute in ASP NET MVC

Question

I am having a hard time to understand real use of  Authorize  attribute in ASP NET MVC  As per the concept goes  if we decorate a controller method with  Authorize  attribute  only authenticated users are allowed to access the controllers    I have developed an ASP NET MVC application without decorating controllers with  Authorize  attribute  What I have observed is  if I implement authentication mechanism properly in my application using web config or some other way  noway I can access the URL  controller   action   id  of a particular action method    System always ask for login  That means my Controllers are secured  My question is this  when I can secure my controllers without using  Authorize  attribute  then what is the real need of it

User · Answer

The  tag in web config is based on paths  whereas MVC works with controller actions and routes    It is an architectural decision that might not make a lot of difference if you just want to prevent users that aren t logged in but makes a lot of difference when you try to apply authorization based in Roles and in cases that you want custom handling of types of Unauthorized   The first case is covered from the answer of BobRock    The user should have at least one of the following Roles to access the Controller or the Action   Authorize Roles    Admin  Super User      The user should have both these roles in order to be able to access the Controller or Action   Authorize Roles    Super User     Authorize Roles    Admin      The users that can access the Controller or the Action are Betty and Johnny   Authorize Users    Betty  Johnny      In ASP NET Core you can use Claims and Policy principles for authorization through  Authorize     options AddPolicy  ElevatedRights   policy   gt                    policy RequireRole  Administrator    PowerUser    BackupAdministrator       Authorize Policy    ElevatedRights      The second comes very handy in bigger applications where Authorization might need to be implemented with different restrictions  process and handling according to the case  For this reason we can Extend the AuthorizeAttribute and implement different authorization alternatives for our project   public class CustomAuthorizeAttribute  AuthorizeAttribute           public override void OnAuthorization AuthorizationContext filterContext                 The  correct-completed  way to do authorization in ASP NET MVC is using the  Authorize  attribute

User · Answer

Using  Authorize  attributes can help prevent security holes in your application  The way that MVC handles URL s  i e  routing them to a controller rather than to an actual file  makes it difficult to actually secure everything via the web config file  Read more here  http   blogs msdn com b rickandy archive 2012 03 23 securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute aspx  via archive org

User · Answer

Real power comes with understanding and implementation membership provider together with role provider  You can assign users into roles and according to that restriction you can apply different access roles for different user to controller actions or controller itself      Authorize Users    Betty  Johnny     public ActionResult SpecificUserOnly           return View         or you can  restrict according to group    Authorize Roles    Admin  Super User    public ActionResult AdministratorsOnly         return View

User · Answer

One advantage is that you are compiling access into the application  so it cannot accidentally be changed by someone modifying the Web config     This may not be an advantage to you  and might be a disadvantage   But for some kinds of access  it may be preferrable   Plus  I find that authorization information in the Web config pollutes it  and makes it harder to find things   So in some ways its preference  in others there is no other way to do it

User · Answer

Using Authorize attribute seems more convenient and feels more  MVC way   As for technical advantages there are some   One scenario that comes to my mind is when you re using output caching in your app  Authorize attribute handles that well   Another would be extensibility  The Authorize attribute is just basic out of the box filter  but you can override its methods and do some pre-authorize actions like logging etc  I m not sure how you would do that through configuration

User · Answer

It exists because it is more convenient to use  also it is a whole different ideology using attributes to mark the authorization parameters rather than xml configuration  It wasn t meant to beat general purpose config or any other authorization frameworks  just MVC s way of doing it  I m saying this  because it seems you are looking for a technical feature advantages which are probably non    just superb convenience   BobRock already listed the advantages  Just to add to his answer  another scenarios are that you can apply this attribute to whole controller  not just actions  also you can add different role authorization parameters to different actions in same controller to mix and match

[asp.net-mvc-3] Authorize attribute in ASP.NET MVC

Examples related to asp.net-mvc-3