Jul 21, 2015

Authorize and AllowAnonymous action filters in mvc

In ASP.NET MVC, by default, all the controller action methods are accessible to both anonymous and authenticated users. If you want action methods, to be available only for authenticated and authorised users, then use Authorize attribute. Let us understand "Authorize" and "AllowAnonymous" action filters with an example. 

 1. Create a blank asp.net mvc4 application. Name your application MVCDemo.
2. Right click on the "Controllers" folder and add HomeController. Copy and paste the following code.  public class HomeController : Controller {
    public ActionResult NonSecureMethod()
    {
        return View();
    }

    public ActionResult SecureMethod()
    {
        return View();
    }
}
3. Right click on NonSecureMethod() and add a view with name = NonSecureMethod. Similarly add a view with name = SecureMethod.
4. Associate MVCDemo project with IIS.  a) Right click on the project name in "solution explorer" and select "Properties" b) Click on "Web" tab c) Select "Use Local IIS Web Server". In the "Project Url" textbox, type - http://localhost/MVCDemo d) Click "Create Virtual Directory" button
5. Open IIS. Expand "Sites" and then "Default Web Site" and select "MVCDemo". Double click on "Authentication" icon. Enable "Anonymous Authentication" and "Windows Authentication", if they are not already enabled.
6. At this point, you will be able to access, both "SecureMethod" and "NonSecureMethod", by visiting the following URLs.

http://localhost/MVCDemo/Home/SecureMethod http://localhost/MVCDemo/Home/NonSecureMethod
7. If you want "SecureMethod" to be available only for authenticated users, then decorate it with "Authorize" attribute. [Authorize] public ActionResult SecureMethod() {
    return View();
}
8. Now, if you navigate to "http://localhost/MVCDemo/Home/SecureMethod", then you will be prompted for your windows credentials. If you don't provide valid windows credentials or if you click cancel, you will get an error - 401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied. You should be able to access "NonSecureMethod" 
9. Now remove the [Authorize] attribute from SecureMethod(), and apply it on the HomeController.

[Authorize] public class HomeController : Controller {
    public ActionResult NonSecureMethod()
    {
        return View();
    }

    public ActionResult SecureMethod()
    {
        return View();
    }
}
At this point, "Authorize" attribute is applicable for all action methods in the HomeController. So, only authenticated users will be able to access SecureMethod() and NonSecureMethod().
10. To allow anonymous access to NonSecureMethod(), apply [AllowAnonymous] attribute. AllowAnonymous attribute is used to skip authorization enforced by Authorize attribute. 

[AllowAnonymous] public ActionResult NonSecureMethod() {
    return View();

No comments:

Post a Comment