Authorization Filter In ASP.NET MVC

In this article, we are going to discuss the use of the built-in Authorize and AllowAnonymous action filter attributes.

Introduction

In ASP.NET MVC, by default, all the action methods are accessible to both anonymous and authenticated users. But, if you want the action methods to be available only for authenticated and authorized users, then you need to use the AuthorizationFilter in MVC.

Step 1

Open Visual Studio 2015 or an editor of your choice and create a new project.

Step 2

Choose "web application" project and give an appropriate name to your project.
 

Step 3

Select "empty" template, check on MVC checkbox, and click OK.
 

Step 4

Right-click on the controllers folder and add a new controller.
 

A window will appear. Choose MVC5 Controller-Empty and click "Add".


After clicking on "Add", another window will appear with the name DefaultController. Change the name to HomeController and click "Add". The HomeController will be added under the Controllers folder. Keep the Controller suffix on every controller name; change only the highlighted part, replacing Default with Home.


Complete code for HomeController

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace AuthorizationFilter_Demo.Controllers
    {
        public class HomeController : Controller
        {
            // No attribute: accessible to anonymous and authenticated users.
            public ActionResult Index()
            {
                return View();
            }

            // Explicitly open to anonymous users.
            [AllowAnonymous]
            public ActionResult NonSecured()
            {
                return View();
            }

            // Requires an authenticated user; others are sent to the login URL.
            [Authorize]
            public ActionResult Secured()
            {
                return View();
            }

            // Target of loginUrl in web.config; must stay reachable anonymously.
            public ActionResult Login()
            {
                return View();
            }
        }
    }

Step 5

Right-click on the Index method in HomeController. The "Add View" window will appear with the default name Index; keep "Use a layout page" checked and click "Add". Add three other views: NonSecured, Secured, and Login.
 

NonSecured View

Right-click on the NonSecured() method and add a view with the name NonSecured. Write the following code in the NonSecured.cshtml view.

    @{
        ViewBag.Title = "NonSecured";
    }

    <h2>This method can be accessed by everyone as it is non-secure method</h2>

Secured View

Similarly, right-click on the Secured() method and add a view with the name Secured. Then, write the following code in the Secured.cshtml view.

    @{
        ViewBag.Title = "Secured";
    }

    <h2>This method needs to be accessed by authorized users as it Secure Method</h2>

Login View

Similarly, right-click on the Login() method and add a view with the name Login. Then, write the following code in the Login.cshtml view.

    @{
        ViewBag.Title = "Login";
    }

    @* Inputs carry name attributes so their values are included in the form post. *@
    @using (Html.BeginForm())
    {
        <div class="login-form">
            <h2 class="text-center">Log in</h2>
            <div class="form-group">
                <input type="text" name="username" class="form-control" placeholder="Username" required="required">
            </div>
            <div class="form-group">
                <input type="password" name="password" class="form-control" placeholder="Password" required="required">
            </div>
            <div class="form-group">
                <button type="submit" class="btn btn-primary btn-block">Log in</button>
            </div>
            <div class="clearfix">
                <label class="pull-left checkbox-inline"><input type="checkbox"> Remember me</label>
                <a href="#" class="pull-right">Forgot Password?</a>
            </div>
            <p class="text-center"><a href="#">Create an Account</a></p>
        </div>
    }

Step 6

Open the web.config file and write the following code under the system.web section.

    <authentication mode="Forms">
         <forms loginUrl="/Home/Login"></forms>
    </authentication>

Step 7

Build and run your project by pressing Ctrl+F5.

That’s it. Now navigate to /Home/Secured, and you will see that it redirects you to the Login method.

How to use AllowAnonymous in MVC?

If you want to allow anonymous access to the NonSecured action of the Home controller, decorate the NonSecured method with the AllowAnonymous attribute as shown below. The AllowAnonymous attribute in MVC is used to skip the authorization that is enforced by the Authorization Filter in MVC.

    [AllowAnonymous]
    public ActionResult NonSecured()
    {
        return View();
    }

Now, run the application and navigate to /Home/NonSecured and you will see that it displays the page as expected and when you navigate to /Home/Secured, then it will redirect you to the Login page.
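A deny-by-default variant of the HomeController, as an added example that is not part of the original article: [Authorize] moves to the class so every action requires login unless it is marked [AllowAnonymous], and a POST Login action issues the forms-authentication cookie after the redirect described in Step 7. It assumes a membership provider is configured for Membership.ValidateUser, that the Login view's inputs are named username and password, and that the form includes @Html.AntiForgeryToken().

```csharp
using System.Web.Mvc;
using System.Web.Security;

namespace AuthorizationFilter_Demo.Controllers
{
    // Added example: [Authorize] on the class covers every action, including
    // ones added later; [AllowAnonymous] opts specific actions back out.
    [Authorize]
    public class HomeController : Controller
    {
        public ActionResult Index() { return View(); }      // now requires login

        public ActionResult Secured() { return View(); }    // covered by the class-level filter

        [AllowAnonymous]
        public ActionResult NonSecured() { return View(); }

        // The login page must stay anonymous, otherwise the redirect to
        // loginUrl would itself be redirected to loginUrl.
        [AllowAnonymous]
        [HttpGet]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        [AllowAnonymous]
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Login(string username, string password, string returnUrl)
        {
            // Assumption: a membership provider is configured in web.config.
            if (!Membership.ValidateUser(username, password))
            {
                ModelState.AddModelError("", "Invalid username or password.");
                return View();
            }

            // false = session cookie, not a persistent "remember me" cookie.
            FormsAuthentication.SetAuthCookie(username, false);

            // ReturnUrl arrives in the query string and is caller-controlled;
            // follow it only when it points back into this application.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index");
        }
    }
}
```

With the filter on the class, forgetting an attribute on a new action leaves it protected rather than open.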