In ASP.NET MVC, by default, all the controller action methods are accessible to both anonymous and authenticated
users. If you want action methods, to be available only for
authenticated and authorised users, then use Authorize attribute. Let us
understand "Authorize" and "AllowAnonymous" action filters with an example.
1. Create a blank asp.net mvc4 application. Name your application MVCDemo.
2. Right click on the "Controllers" folder and add HomeController. Copy and paste the following code.
public class HomeController : Controller
{
public ActionResult NonSecureMethod()
{
return View();
}
public ActionResult SecureMethod()
{
return View();
}
}
3. Right click on NonSecureMethod() and add a view with name = NonSecureMethod. Similarly add a view with name = SecureMethod.
4. Associate MVCDemo project with IIS.
a) Right click on the project name in "solution explorer" and select "Properties"
b) Click on "Web" tab
c) Select "Use Local IIS Web Server". In the "Project Url" textbox, type - http://localhost/MVCDemo
d) Click "Create Virtual Directory" button
5. Open IIS. Expand "Sites" and then "Default Web Site" and select "MVCDemo". Double click on "Authentication" icon. Enable "Anonymous Authentication" and "Windows Authentication", if they are not already enabled.
6. At this point, you will be able to access, both "SecureMethod" and "NonSecureMethod", by visiting the following URLs.
http://localhost/MVCDemo/Home/SecureMethod
http://localhost/MVCDemo/Home/NonSecureMethod
7. If you want "SecureMethod" to be available only for authenticated users, then decorate it with "Authorize" attribute.
[Authorize]
public ActionResult SecureMethod()
{
return View();
}
8. Now, if you navigate to "http://localhost/MVCDemo/Home/SecureMethod",
then you will be prompted for your windows credentials. If you don't
provide valid windows credentials or if you click cancel, you will get
an error - 401 - Unauthorized: Access is
denied due to invalid credentials. You do not have permission to view
this directory or page using the credentials that you supplied. You should be able to access "NonSecureMethod"
9. Now remove the [Authorize] attribute from SecureMethod(), and apply it on the HomeController.
[Authorize]
public class HomeController : Controller
{
public ActionResult NonSecureMethod()
{
return View();
}
public ActionResult SecureMethod()
{
return View();
}
}
At this point, "Authorize"
attribute is applicable for all action methods in the HomeController.
So, only authenticated users will be able to access SecureMethod() and
NonSecureMethod().
10. To
allow anonymous access to NonSecureMethod(), apply [AllowAnonymous]
attribute. AllowAnonymous attribute is used to skip authorization
enforced by Authorize attribute.
[AllowAnonymous]
public ActionResult NonSecureMethod()
{
return View();
No comments:
Post a Comment