Authentication gives us a means to identify our users, but it is authorization that provides us a mechanism to enable or restrict the actions authenticated users may perform.
In ASP.NET MVC, access is restricted through the use of the Authorize attribute, which may be placed on controllers or actions. If the Authorize attribute is at the controller level, anonymous users may be granted access to specific actions via the AllowAnonymous attribute.

If you take a look at the AccountController class, you will see the class declared with the Authorize attribute. However, the Login action is decorated with the AllowAnonymous attribute:
    using System.Web.Mvc;

    // Every action on this controller requires an authenticated user...
    [Authorize]
    public class AccountController : Controller
    {
        // ...except Login, which anonymous users must be able to reach.
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        /* ... */
    }
The application of the Authorize attribute states that only authenticated users may access the account controller. The...
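A check a reviewer would want for the rule described above (controller-level Authorize applies to every action unless an action opts out with AllowAnonymous) is a reflection audit that lists which actions in an assembly are reachable without authentication. The following is an added example, not code from the book or from the AccountController it discusses; ReportController, AuthorizationAudit and ActionReport are constructed for the example, and the audit treats any public instance method returning ActionResult as an action (a simplification: MVC also honours NonAction and non-ActionResult return types).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Controller from the text: protected at class level, Login opted out.
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login(string returnUrl) { ViewBag.ReturnUrl = returnUrl; return View(); }

    public ActionResult Manage() { return View(); }
}

// Constructed for the example: a controller that never received an Authorize attribute.
public class ReportController : Controller
{
    public ActionResult Index() { return View(); }
}

public sealed class ActionReport
{
    public string Controller;
    public string Action;
    public bool RequiresAuthentication;
    public string Reason;
}

public static class AuthorizationAudit
{
    // Walk every concrete public Controller subclass in the assembly.
    public static ActionReport[] Audit(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract && t.IsPublic)
            .SelectMany(Inspect)
            .ToArray();
    }

    static IEnumerable<ActionReport> Inspect(Type controller)
    {
        bool controllerAuthorize = controller.GetCustomAttributes<AuthorizeAttribute>(true).Any();

        var actions = controller
            .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
            .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType) && !m.IsSpecialName);

        foreach (var action in actions)
        {
            bool allowAnonymous = action.GetCustomAttributes<AllowAnonymousAttribute>(true).Any();
            bool actionAuthorize = action.GetCustomAttributes<AuthorizeAttribute>(true).Any();

            // Mirrors AuthorizeAttribute's own logic: AllowAnonymous on the action (or controller)
            // short-circuits the check; otherwise Authorize at either level enforces authentication.
            string reason;
            bool requiresAuth;
            if (allowAnonymous)
            {
                requiresAuth = false;
                reason = "AllowAnonymous on action";
            }
            else if (actionAuthorize || controllerAuthorize)
            {
                requiresAuth = true;
                reason = actionAuthorize ? "Authorize on action" : "Authorize on controller";
            }
            else
            {
                requiresAuth = false;
                reason = "no Authorize attribute at any level";   // the finding worth reviewing
            }

            yield return new ActionReport
            {
                Controller = controller.Name,
                Action = action.Name,
                RequiresAuthentication = requiresAuth,
                Reason = reason
            };
        }
    }

    public static void Main()
    {
        foreach (var r in Audit(Assembly.GetExecutingAssembly()))
            Console.WriteLine("{0}.{1}: {2} ({3})", r.Controller, r.Action,
                r.RequiresAuthentication ? "authenticated" : "ANONYMOUS", r.Reason);
    }
}
```

Running the audit over this assembly reports AccountController.Login as anonymous because of the explicit opt-out, AccountController.Manage as authenticated via the controller-level attribute, and ReportController.Index as anonymous with no Authorize attribute at any level, which is the case that an explicit, intentional AllowAnonymous distinguishes from an oversight.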