SyntaxFix

[asp.net-mvc-3] Authorize attribute in ASP.NET MVC

I am having a hard time to understand real use of [Authorize] attribute in ASP.NET MVC. As per the concept goes, if we decorate a controller method with [Authorize] attribute, only authenticated users are allowed to access the controllers.

I have developed an ASP.NET MVC application without decorating controllers with [Authorize] attribute. What I have observed is, if I implement authentication mechanism properly in my application using web.config or some other way, noway I can access the URL {controller}/{action}/{id} of a particular action method.

System always ask for login. That means my Controllers are secured. My question is this, when I can secure my controllers without using [Authorize] attribute, then what is the real need of it?

This question is related to asp.net-mvc-3

The answer is

The tag in web.config is based on paths, whereas MVC works with controller actions and routes.

It is an architectural decision that might not make a lot of difference if you just want to prevent users that aren't logged in but makes a lot of difference when you try to apply authorization based in Roles and in cases that you want custom handling of types of Unauthorized.

The first case is covered from the answer of BobRock.

The user should have at least one of the following Roles to access the Controller or the Action

[Authorize(Roles = "Admin, Super User")]

The user should have both these roles in order to be able to access the Controller or Action

[Authorize(Roles = "Super User")]
[Authorize(Roles = "Admin")]

The users that can access the Controller or the Action are Betty and Johnny

[Authorize(Users = "Betty, Johnny")]

In ASP.NET Core you can use Claims and Policy principles for authorization through [Authorize]. 

options.AddPolicy("ElevatedRights", policy =>
                  policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));

[Authorize(Policy = "ElevatedRights")]

The second comes very handy in bigger applications where Authorization might need to be implemented with different restrictions, process and handling according to the case. For this reason we can Extend the AuthorizeAttribute and implement different authorization alternatives for our project.

public class CustomAuthorizeAttribute: AuthorizeAttribute  
{  
    public override void OnAuthorization(AuthorizationContext filterContext)  
    {  }
}

The "correct-completed" way to do authorization in ASP.NET MVC is using the [Authorize] attribute.

Using Authorize attribute seems more convenient and feels more 'MVC way'. As for technical advantages there are some.

One scenario that comes to my mind is when you're using output caching in your app. Authorize attribute handles that well.

Another would be extensibility. The Authorize attribute is just basic out of the box filter, but you can override its methods and do some pre-authorize actions like logging etc. I'm not sure how you would do that through configuration.

Real power comes with understanding and implementation membership provider together with role provider. You can assign users into roles and according to that restriction you can apply different access roles for different user to controller actions or controller itself. 

 [Authorize(Users = "Betty, Johnny")]
 public ActionResult SpecificUserOnly()
 {
     return View();
 }

or you can restrict according to group 

[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
    return View();
}

It exists because it is more convenient to use, also it is a whole different ideology using attributes to mark the authorization parameters rather than xml configuration. It wasn't meant to beat general purpose config or any other authorization frameworks, just MVC's way of doing it. I'm saying this, because it seems you are looking for a technical feature advantages which are probably non... just superb convenience.

BobRock already listed the advantages. Just to add to his answer, another scenarios are that you can apply this attribute to whole controller, not just actions, also you can add different role authorization parameters to different actions in same controller to mix and match.

One advantage is that you are compiling access into the application, so it cannot accidentally be changed by someone modifying the Web.config.

This may not be an advantage to you, and might be a disadvantage. But for some kinds of access, it may be preferrable.

Plus, I find that authorization information in the Web.config pollutes it, and makes it harder to find things. So in some ways its preference, in others there is no other way to do it.

Using [Authorize] attributes can help prevent security holes in your application. The way that MVC handles URL's (i.e. routing them to a controller rather than to an actual file) makes it difficult to actually secure everything via the web.config file.

Read more here: http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx (via archive.org)

Source: Stackoverflow.com

Examples related to asp.net-mvc-3

Better solution without exluding fields from Binding IIs Error: Application Codebehind=“Global.asax.cs” Inherits=“nadeem.MvcApplication” Can we pass model as a parameter in RedirectToAction? return error message with actionResult Why is this error, 'Sequence contains no elements', happening? Failed to load resource: the server responded with a status of 500 (Internal Server Error) in Bind function 500.19 - Internal Server Error - The requested page cannot be accessed because the related configuration data for the page is invalid String MinLength and MaxLength validation don't work (asp.net mvc) How to set the value of a hidden field from a controller in mvc How to set a CheckBox by default Checked in ASP.Net MVC

Tags

Strikethrough Photobucket Precompiled-binaries Parsec Usb Unicode-normalization Acts-as-commentable Measure Minimum-requirements Ora-12705 Jsyntaxpane Google-finance-api Rewritemap Mining Bitarray Biological-neural-network Rootfs Defaultlocation Quicklisp Azure-worker-roles Asp.net-mvc-2-metadata Cost-based-optimizer Coroutine Sweave Writexml Istream-iterator Microsoft-runtime-library Candidate Multi-gpu Websitespark Scite Source-highlighting Bitsharp Smb Nsexception Notepad Flops Getpixel Scheduled-tasks Aopalliance Android-vibration Qbxml Logrotate Select Correlation Unrealscript Doctrine-inheritance Nmock-2.1 Mo Htmlspecialchars Plsqldeveloper Build-tools Graphicsmagick Django-authentication Mappings Idbcommand Xml Model Hierarchicaldatatemplate Comexception Pymongo Resolutions Planerotation Imageshack Derived-types Qt-vs-addin Claims-based-identity Sofea Dbdatareader Cat.net Lexical-analysis Piracy Last.fm Automation Loginfo High-traffic Addon-domain Nonclient Worksheet-function Packagemaker Continuations Autocompletebox Java-3d Config-spec Webservicetemplate Web-platform-installer Orientation Logical-grouping Strcmp Java-ee-6 Checkpoint Pop3 Call Membership Seam-carving N-tier-architecture Sigils Data-storage Foreign-key-relationship Formsauthentication