AuthorizeAttribute Class

Represents an attribute that is used to restrict access by callers to an action method.

Inheritance Hierarchy


Namespace:  System.Web.Mvc
Assembly:  System.Web.Mvc (in System.Web.Mvc.dll)


<AttributeUsageAttribute(AttributeTargets.Class Or AttributeTargets.Method, Inherited := True,  _
    AllowMultiple := True)> _
Public Class AuthorizeAttribute _
    Inherits FilterAttribute _
    Implements IAuthorizationFilter
Dim instance As AuthorizeAttribute
[AttributeUsageAttribute(AttributeTargets.Class|AttributeTargets.Method, Inherited = true, 
    AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, 
[AttributeUsageAttribute(AttributeTargets::Class|AttributeTargets::Method, Inherited = true, 
    AllowMultiple = true)]
public ref class AuthorizeAttribute : public FilterAttribute, 
[<AttributeUsageAttribute(AttributeTargets.Class|AttributeTargets.Method, Inherited = true, 
    AllowMultiple = true)>]
type AuthorizeAttribute =  
        inherit FilterAttribute 
        interface IAuthorizationFilter 
public class AuthorizeAttribute extends FilterAttribute implements IAuthorizationFilter

The AuthorizeAttribute type exposes the following members.


  Name Description
Public method AuthorizeAttribute Initializes a new instance of the AuthorizeAttribute class.



  Name Description
Public property AllowMultiple Gets or sets a value that indicates whether more than one instance of the filter attribute can be specified. (Inherited from FilterAttribute.)
Public property Order Gets or sets the order in which the action filters are executed. (Inherited from FilterAttribute.)
Public property Roles Gets or sets the user roles.
Public property TypeId Gets the unique identifier for this attribute. (Overrides Attribute.TypeId.)
Public property Users Gets or sets the authorized users.



  Name Description
Protected method AuthorizeCore When overridden, provides an entry point for custom authorization checks.
Public method Equals (Inherited from Attribute.)
Protected method Finalize (Inherited from Object.)
Public method GetHashCode (Inherited from Attribute.)
Public method GetType (Inherited from Object.)
Protected method HandleUnauthorizedRequest Processes HTTP requests that fail authorization.
Public method IsDefaultAttribute (Inherited from Attribute.)
Public method Match (Inherited from Attribute.)
Protected method MemberwiseClone (Inherited from Object.)
Public method OnAuthorization Called when a process requests authorization.
Protected method OnCacheAuthorization Called when the caching module requests authorization.
Public method ToString (Inherited from Object.)


Explicit Interface Implementations

  Name Description
Explicit interface implemetationPrivate method _Attribute.GetIDsOfNames (Inherited from Attribute.)
Explicit interface implemetationPrivate method _Attribute.GetTypeInfo (Inherited from Attribute.)
Explicit interface implemetationPrivate method _Attribute.GetTypeInfoCount (Inherited from Attribute.)
Explicit interface implemetationPrivate method _Attribute.Invoke (Inherited from Attribute.)



Many Web applications require users to log in before the users are granted access to restricted content. In some applications, even users who are logged in might have restrictions on what content they can view or what fields they can edit.

To restrict access to an ASP.NET MVC view, you restrict access to the action method that renders the view. To accomplish this, the MVC framework provides the AuthorizeAttribute class.

This topic contains the following sections:

  • Using AuthorizeAttribute

  • Deriving from AuthorizeAttribute

Using AuthorizeAttribute

When you mark an action method with AuthorizeAttribute, access to that action method is restricted to users who are both authenticated and authorized. If you mark a controller with the attribute, all action methods in the controller are restricted.

The Authorize attribute lets you indicate that authorization is restricted to predefined roles or to individual users. This gives you a high degree of control over who is authorized to view any page on the site.

If an unauthorized user tries to access a method that is marked with the Authorize attribute, the MVC framework returns a 401 HTTP status code. If the site is configured to use ASP.NET forms authentication, the 401 status code causes the browser to redirect the user to the login page.

Deriving from AuthorizeAttribute

If you derive from the AuthorizeAttribute class, the derived type must be thread safe. Therefore, do not store state in an instance of the type itself (for example, in an instance field) unless that state is meant to apply to all requests. Instead, store state per request in the Items property, which is accessible through the context objects passed to AuthorizeAttribute.


The following example shows several ways to use AuthorizeAttribute. The HomeController class has three action methods that are marked with the Authorize attribute, and two that are not marked. On the AuthenticatedUsers method, the attribute limits access to users who are logged in. On the AdministratorsOnly method, the attribute limits access to users who have been assigned to either the Admin role or the Super User role. On the SpecificUserOnly method, the attribute limits access to the users whose names are Betty or Johnny. The Index and About methods can be accessed by anyone, even anonymous users.

Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

See Also


System.Web.Mvc Namespace