
Part 70 - Authorize and AllowAnonymous action filters in mvc

Suggested Videos 
Part 67 - Action selectors
Part 68 - What is the use of NonAction attribute
Part 69 - Action filters

In this video, we will discuss Authorize and AllowAnonymous action filters in mvc.



In ASP.NET MVC, by default, all controller action methods are accessible to both anonymous and authenticated users. If you want action methods to be available only to authenticated and authorized users, use the Authorize attribute. Let us understand the "Authorize" and "AllowAnonymous" action filters with an example.



1. Create a blank ASP.NET MVC4 application. Name your application MVCDemo.

2. Right click on the "Controllers" folder and add HomeController. Copy and paste the following code. 
using System.Web.Mvc;

public class HomeController : Controller
{
    // Reachable by anonymous and authenticated users alike (no attribute yet)
    public ActionResult NonSecureMethod()
    {
        return View();
    }

    // Will be restricted to authenticated users in step 7
    public ActionResult SecureMethod()
    {
        return View();
    }
}

3. Right click on NonSecureMethod() and add a view with name = NonSecureMethod. Similarly add a view with name = SecureMethod.

4. Associate MVCDemo project with IIS. 
a) Right click on the project name in "solution explorer" and select "Properties"
b) Click on "Web" tab
c) Select "Use Local IIS Web Server". In the "Project Url" textbox, type - http://localhost/MVCDemo
d) Click "Create Virtual Directory" button

5. Open IIS. Expand "Sites" and then "Default Web Site" and select "MVCDemo". Double click on "Authentication" icon. Enable "Anonymous Authentication" and "Windows Authentication", if they are not already enabled.

6. At this point, you will be able to access both "SecureMethod" and "NonSecureMethod" by visiting the following URLs.
http://localhost/MVCDemo/Home/SecureMethod
http://localhost/MVCDemo/Home/NonSecureMethod

7. If you want "SecureMethod" to be available only to authenticated users, decorate it with the "Authorize" attribute.
[Authorize]
public ActionResult SecureMethod()
{
    return View();
}

8. Now, if you navigate to "http://localhost/MVCDemo/Home/SecureMethod", you will be prompted for your Windows credentials. If you don't provide valid Windows credentials, or if you click Cancel, you will get an error: "401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied." You should be able to access "NonSecureMethod"

9. Now remove the [Authorize] attribute from SecureMethod(), and apply it on the HomeController.
[Authorize]
public class HomeController : Controller
{
    public ActionResult NonSecureMethod()
    {
        return View();
    }

    public ActionResult SecureMethod()
    {
        return View();
    }
}

At this point, the "Authorize" attribute applies to all action methods in the HomeController. So only authenticated users will be able to access SecureMethod() and NonSecureMethod().

10. To allow anonymous access to NonSecureMethod(), apply the [AllowAnonymous] attribute. The AllowAnonymous attribute is used to skip the authorization enforced by the Authorize attribute, whether that Authorize attribute is applied to the action or to the controller.
[AllowAnonymous]
public ActionResult NonSecureMethod()
{
    return View();
}
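The rule the framework applies at the end of steps 9 and 10 is: [AllowAnonymous] on the action or on the controller wins; otherwise [Authorize] on either the action or the controller requires an authenticated user. The following is an added example, not code from the video: the HomeController as it stands after step 10, plus a small reflection-based audit helper (the class name AuthorizationAudit is my own) that lists each action and reports whether an anonymous user can reach it, which is a handy check before deploying a controller.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Controller as it stands after step 10 of the tutorial.
[Authorize]
public class HomeController : Controller
{
    [AllowAnonymous]
    public ActionResult NonSecureMethod() { return View(); }

    public ActionResult SecureMethod() { return View(); }
}

// Hypothetical audit helper (not part of ASP.NET MVC). It mirrors the check
// AuthorizeAttribute performs: AllowAnonymous on the action or its controller
// skips authorization; otherwise Authorize on either level requires authentication.
public static class AuthorizationAudit
{
    public static bool IsAnonymousAllowed(MethodInfo action)
    {
        Type controller = action.DeclaringType;
        bool allowAnonymous = action.IsDefined(typeof(AllowAnonymousAttribute), true)
                           || controller.IsDefined(typeof(AllowAnonymousAttribute), true);
        bool authorize = action.IsDefined(typeof(AuthorizeAttribute), true)
                      || controller.IsDefined(typeof(AuthorizeAttribute), true);
        return allowAnonymous || !authorize;
    }

    // Prints one line per public action (methods marked [NonAction] are skipped).
    public static void Report(Type controller)
    {
        var actions = controller
            .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
            .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                     && !m.IsDefined(typeof(NonActionAttribute), true));
        foreach (MethodInfo m in actions)
            Console.WriteLine("{0}.{1}: {2}", controller.Name, m.Name,
                IsAnonymousAllowed(m) ? "anonymous access allowed" : "authentication required");
    }
}

public class Program
{
    public static void Main()
    {
        AuthorizationAudit.Report(typeof(HomeController));
        // HomeController.NonSecureMethod: anonymous access allowed
        // HomeController.SecureMethod: authentication required
    }
}
```

Note that the attribute only decides whether an authenticated identity is required; the identity itself comes from the authentication configured in IIS in step 5, so if Windows Authentication is disabled there, every request arrives anonymous and [Authorize] denies all of them.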

4 comments:

  1. Thanks a lot for your awesome job. Your way of explanation let me understand the concepts of MVC in the most easy way, but in that video when I tried to create a virtual directory on my VS 2012 as you did, it keeps popping up an error message that says: unable to create the virtual directory. The site for your URL http://localhost/MvcAuthorize exists on both the local IIS web server and the IIS Express web server. You need to edit bla bla bla. Why this error and how can I fix it?

  2. Thanks Sir, you have given a good explanation of the [Authorize] attribute. But this process will not be implemented in a real-time environment actually. Is there any other example to restrict accessing an Action Method with our own user login?

  3. The Authorize keyword is not working with MVC5. While using it, it will not restrict the user level. It is allowing all the users. Why is this and how can I fix it?

