Chapter 28B. Authorization in MVC

Authorization refers to the process of determining what a user is authorized to do in your web application. In Lessons 26 and 27 you learned how to use various types of authentication to determine who the user is. In this lesson you learn how to control which pages users have access to.

Authorization works the same way regardless of how the user is authenticated. Authorization is configured in the ASP.NET MVC framework by using the authorization action filter.

Note

An action filter is an attribute that is used to decorate either an action method or a controller. For more information on action filters, see Lesson 14B.

If you decorate an action method with the Authorize attribute without specifying any additional properties, all anonymous users are prevented from invoking the action. The following example denies access to the About action method for all users who have not been authenticated:

using System.Web.Mvc;

public class HomeController : Controller
{
    // No Roles or Users specified: any authenticated user may invoke About,
    // while anonymous requests are rejected before the action body runs.
    [Authorize]
    public ActionResult About()
    {
        return View();
    }
}

If a user tries to invoke an action method to which he does not have access and Forms authentication is enabled, he is redirected to the login page. By default, that is, when an action method carries no Authorize attribute, all users (including anonymous users) can invoke it.

The Authorize attribute takes three named properties:

  • Order — This property indicates the order in which an action filter is executed in relation to the other action filters on the same action method.

  • Roles — This property contains a comma-separated list of roles that are able to invoke the action method.

  • Users — This ...
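As an added example (not code from the book), the following controller shows how the Roles and Users properties combine when the Authorize attribute is placed on both the controller and its action methods; the controller, role and user names are made up:

```csharp
using System.Web.Mvc;

// Added example, not from the book. Role and user names are constructed.
// A controller-level attribute applies to every action method in the class:
// callers must be authenticated AND belong to at least one listed role.
[Authorize(Roles = "Administrators,Auditors")]
public class ReportsController : Controller
{
    // Inherits only the controller-level check: any Administrator or Auditor.
    public ActionResult Index()
    {
        return View();
    }

    // Stacking a second Authorize attribute narrows access further. Both
    // filters run and both must pass, so only Administrators reach this body.
    // Everyone else gets an HTTP 401, which Forms authentication turns into
    // a redirect to the configured login page.
    [Authorize(Roles = "Administrators")]
    public ActionResult Delete(int id)
    {
        // ... remove the report identified by id, then return to the list
        return RedirectToAction("Index");
    }

    // Users restricts an action to specific identities by user name.
    // The controller-level role check still applies, so the caller must be
    // this exact user and also hold one of the roles listed above.
    [Authorize(Users = "alice@example.com")]
    public ActionResult Export()
    {
        return View();
    }
}
```

When Roles and Users are both set on a single attribute, the caller must satisfy both properties; listing them on separate stacked attributes, as above, has the same effect.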
