Authorize attribute in ASP.NET MVC
Real power comes with understanding and implementation membership provider together with role provider. You can assign users into roles and according to that restriction you can apply different access roles for different user to controller actions or controller itself.
[Authorize(Users = "Betty, Johnny")]
public ActionResult SpecificUserOnly()
{
return View();
}
or you can restrict according to group
[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
return View();
}
Using [Authorize] attributes can help prevent security holes in your application. The way that MVC handles URL's (i.e. routing them to a controller rather than to an actual file) makes it difficult to actually secure everything via the web.config file.
Read more here: http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx (via archive.org)
It exists because it is more convenient to use, also it is a whole different ideology using attributes to mark the authorization parameters rather than xml configuration. It wasn't meant to beat general purpose config or any other authorization frameworks, just MVC's way of doing it. I'm saying this, because it seems you are looking for a technical feature advantages which are probably non... just superb convenience.
BobRock already listed the advantages. Just to add to his answer, another scenarios are that you can apply this attribute to whole controller, not just actions, also you can add different role authorization parameters to different actions in same controller to mix and match.
Using Authorize attribute seems more convenient and feels more 'MVC way'. As for technical advantages there are some.
One scenario that comes to my mind is when you're using output caching in your app. Authorize attribute handles that well.
Another would be extensibility. The Authorize attribute is just basic out of the box filter, but you can override its methods and do some pre-authorize actions like logging etc. I'm not sure how you would do that through configuration.
The tag in web.config is based on paths, whereas MVC works with controller actions and routes.
It is an architectural decision that might not make a lot of difference if you just want to prevent users that aren't logged in but makes a lot of difference when you try to apply authorization based in Roles and in cases that you want custom handling of types of Unauthorized.
The first case is covered from the answer of BobRock.
The user should have at least one of the following Roles to access the Controller or the Action
[Authorize(Roles = "Admin, Super User")]
The user should have both these roles in order to be able to access the Controller or Action
[Authorize(Roles = "Super User")]
[Authorize(Roles = "Admin")]
The users that can access the Controller or the Action are Betty and Johnny
[Authorize(Users = "Betty, Johnny")]
In ASP.NET Core you can use Claims and Policy principles for authorization through [Authorize].
options.AddPolicy("ElevatedRights", policy =>
policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));
[Authorize(Policy = "ElevatedRights")]
The second comes very handy in bigger applications where Authorization might need to be implemented with different restrictions, process and handling according to the case. For this reason we can Extend the AuthorizeAttribute and implement different authorization alternatives for our project.
public class CustomAuthorizeAttribute: AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{ }
}
The "correct-completed" way to do authorization in ASP.NET MVC is using the [Authorize] attribute.