AuthorizeAttribute Class

 

Specifies that access to a controller or action method is restricted to users who meet the authorization requirement.

Namespace:   System.Web.Mvc
Assembly:  System.Web.Mvc (in System.Web.Mvc.dll)

Inheritance Hierarchy

System.Object
  System.Attribute
    System.Web.Mvc.FilterAttribute
      System.Web.Mvc.AuthorizeAttribute

Syntax

[AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method, 
    Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
[AttributeUsageAttribute(AttributeTargets::Class | AttributeTargets::Method, 
    Inherited = true, AllowMultiple = true)]
public ref class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
[<AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method,
    Inherited = true, AllowMultiple = true)>]
type AuthorizeAttribute = 
    class
        inherit FilterAttribute
        interface IAuthorizationFilter
    end
<AttributeUsageAttribute(AttributeTargets.Class Or AttributeTargets.Method,
    Inherited := True, AllowMultiple := True)>
Public Class AuthorizeAttribute
    Inherits FilterAttribute
    Implements IAuthorizationFilter

Constructors

Name Description
System_CAPS_pubmethod AuthorizeAttribute()

Initializes a new instance of the AuthorizeAttribute class.

Properties

Name Description
System_CAPS_pubproperty AllowMultiple

Gets or sets a value that indicates whether more than one instance of the filter attribute can be specified.(Inherited from FilterAttribute.)

System_CAPS_pubproperty Order

Gets or sets the order in which the action filters are executed.(Inherited from FilterAttribute.)

System_CAPS_pubproperty Roles

Gets or sets the user roles that are authorized to access the controller or action method.

System_CAPS_pubproperty TypeId

Gets the unique identifier for this attribute.(Overrides Attribute.TypeId.)

System_CAPS_pubproperty Users

Gets or sets the users that are authorized to access the controller or action method.

Methods

Name Description
System_CAPS_protmethod AuthorizeCore(HttpContextBase)

When overridden, provides an entry point for custom authorization checks.

System_CAPS_pubmethod Equals(Object)

(Inherited from Attribute.)

System_CAPS_protmethod Finalize()

(Inherited from Object.)

System_CAPS_pubmethod GetHashCode()

(Inherited from Attribute.)

System_CAPS_pubmethod GetType()

(Inherited from Object.)

System_CAPS_protmethod HandleUnauthorizedRequest(AuthorizationContext)

Processes HTTP requests that fail authorization.

System_CAPS_pubmethod IsDefaultAttribute()

(Inherited from Attribute.)

System_CAPS_pubmethod Match(Object)

(Inherited from Attribute.)

System_CAPS_protmethod MemberwiseClone()

(Inherited from Object.)

System_CAPS_pubmethod OnAuthorization(AuthorizationContext)

Called when a process requests authorization.

System_CAPS_protmethod OnCacheAuthorization(HttpContextBase)

Called when the caching module requests authorization.

System_CAPS_pubmethod ToString()

(Inherited from Object.)

Explicit Interface Implementations

Name Description
System_CAPS_pubinterfaceSystem_CAPS_privmethod _Attribute.GetIDsOfNames(Guid, IntPtr, UInt32, UInt32, IntPtr)

(Inherited from Attribute.)

System_CAPS_pubinterfaceSystem_CAPS_privmethod _Attribute.GetTypeInfo(UInt32, UInt32, IntPtr)

(Inherited from Attribute.)

System_CAPS_pubinterfaceSystem_CAPS_privmethod _Attribute.GetTypeInfoCount(UInt32)

(Inherited from Attribute.)

System_CAPS_pubinterfaceSystem_CAPS_privmethod _Attribute.Invoke(UInt32, Guid, UInt32, Int16, IntPtr, IntPtr, IntPtr, IntPtr)

(Inherited from Attribute.)

Remarks

Frequently, you need to require users to log in before granting access to restricted content. In some cases, you need to further restrict access to content to particular users or to members of a particular role.

To restrict access to an ASP.NET MVC view, you restrict access to the action method that renders the view. To accomplish this, the MVC framework provides the AuthorizeAttribute class.

Using AuthorizeAttribute

When you mark an action method with AuthorizeAttribute, access to that action method is restricted to users who are both authenticated and authorized. If you mark a controller with the attribute, all action methods in the controller are restricted. Within a controller that is marked with the AuthorizeAttribute attribute, you can use the AllowAnonymousAttribute attribute to specify that a particular action method is not restricted to only authorized users.

The Authorize attribute lets you indicate that authorization is restricted to predefined roles or to individual users. You use the Roles and Users properties to specify which roles or users are permitted to access the action method. This gives you a high degree of control over who is authorized to view any page on the site.

If an unauthorized user tries to access a method that is marked with the Authorize attribute, the MVC framework returns a 401 HTTP status code. If the site is configured to use ASP.NET forms authentication, the 401 status code causes the browser to redirect the user to the login page.

Deriving from AuthorizeAttribute

If you derive from the AuthorizeAttribute class, the derived type must be thread safe. Therefore, do not store state in an instance of the type itself (for example, in an instance field) unless that state is meant to apply to all requests. Instead, store state per request in the Items property, which is accessible through the context objects passed to AuthorizeAttribute.

Examples

The following example shows a simplified account controller that restricts or permits access to action methods. The AuthorizeAttribute attribute is applied to the controller so the user must be authorized to access any of the action methods; however, the AllowAnonymousAttribute attribute is applied to the Register method to override the requirement for the user to be authorized. The Manage and LogOff methods are restricted to authorized users.

[Authorize] 
public class AccountController : Controller
{
    public AccountController () { . . . }
    
    [AllowAnonymous]
    public ActionResult Register() { . . . }

    public ActionResult Manage() { . . . }

    public ActionResult LogOff() { . . . }
. . .
} 

The following example shows how to specify that a controller is only available to users in the Administrators roles.

[Authorize(Roles="Administrators")]
public class AdminController : Controller
{
    . . .
}

The following example shows how to limit access to a controller to only the specified users.

[Authorize(Users="Alice,Bob")]
public class RestrictedContentController : Controller
{
    . . .
}

Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

See Also

System.Web.Mvc Namespace

Return to top