Simple Authorization

Authorization in MVC is controlled through the AuthorizeAttribute attribute and its various parameters. At its simplest applying the AuthorizeAttribute attribute to a controller or action limits access to the controller or action to any authenticated user.

For example, the following code limits access to the AccountController to any authenticated user.

[Authorize]
   public class AccountController : Controller
   {
       public ActionResult Login()
       {
       }

       public ActionResult Logout()
       {
       }
   }

If you want to apply authorization to an action rather than the controller simply apply the AuthorizeAttribute attribute to the action itself;

public class AccountController : Controller
   {
       public ActionResult Login()
       {
       }

       [Authorize]
       public ActionResult Logout()
       {
       }
   }

Now only authenticated users can access the logout function.

You can also use the AllowAnonymousAttribute attribute to allow access by non-authenticated users to individual actions; for example

[Authorize]
   public class AccountController : Controller
   {
       [AllowAnonymous]
       public ActionResult Login()
       {
       }

       public ActionResult Logout()
       {
       }
   }

This would allow only authenticated users to the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.

警告

[AllowAnonymous] bypasses all authorization statements. If you apply combine [AllowAnonymous] and any [Authorize] attribute then the Authorize attributes will always be ignored. For example if you apply [AllowAnonymous] at the controller level any [Authorize] attributes on the same controller, or on any action within it will be ignored.