I’m reading up on ASP.NET MVC, and I just got to a section talking about the Authorize attribute. It’s saying that the Authorize attribute is used to check that a user is authenticated against a Controller. Is this true? I know that the attribute is designed to be used for authorization purposes, but is it also a best practice to use this attribute for authentication?
If not, what is the best practice for verifying (not performing) authentication?
If so, why is it done this way? Am I missing something?
AuthorizeAttribute can be used to check whether the user is logged in. It can also be used to check whether the user is a member of a specific role and has a specific name. It essentially does the same thing as the <authorization> section in web.config when using Web Forms. It doesn’t specify the authentication method. That is handled by the <authentication> section in web.config, just like Web Forms.
EDIT (clarification about authentication and authorization):
Authentication is identity verification. That is, you check to see who the user is. This can be performed by checking a user name and password, checking your Windows authentication token, scanning a retina, voice identification, or whatever else.
Authorization is the act of limiting access to a specific resource to users who satisfy certain criteria. To be able to authorize a user for a resource, you have to know the rights the user has. To check that, you have to know who the user is in the first place. So the user has to be authenticated.
Essentially, an empty [Authorize] attribute does authorization, not authentication. It doesn’t check who you are. It just checks whether the one you have been verified to be has access to the resource or not. However, its authorization criterion is “anyone successfully authenticated.” You can specify a different criterion. So, indeed, it’s doing authorization, not authentication.
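To make the distinction concrete, here is an added example written for this page (it is not code from the question, the answer, or the ASP.NET framework itself). The controller, namespace, role and user names, and the AuthorizeSecureAttribute subclass are all hypothetical; the attributes and properties used (Authorize with Roles/Users, AllowAnonymous from MVC 4 onward, User.Identity.IsAuthenticated, AuthorizeAttribute.AuthorizeCore) are real ASP.NET MVC members.

```csharp
using System.Web;
using System.Web.Mvc;

namespace AuthorizeDemo.Controllers
{
    // Controller-level [Authorize] with no arguments: the authorization criterion is
    // "anyone who is already authenticated". It performs no authentication itself; the
    // identity on the request was established earlier by whatever scheme the
    // <authentication> section in web.config selects (Forms, Windows, ...).
    [Authorize]
    public class ReportsController : Controller
    {
        // Opting one action out of the controller-level requirement.
        // (AllowAnonymous exists from ASP.NET MVC 4 onward.)
        [AllowAnonymous]
        public ActionResult Index()
        {
            // Verifying (not performing) authentication inside an action: the principal the
            // framework attached to the request says whether a user was authenticated.
            bool isAuthenticated = User.Identity.IsAuthenticated;
            ViewBag.Greeting = isAuthenticated
                ? "Signed in as " + User.Identity.Name
                : "Browsing anonymously";
            return View();
        }

        // A narrower criterion: authenticated AND a member of one of these (hypothetical) roles.
        [Authorize(Roles = "Finance,Auditor")]
        public ActionResult Quarterly()
        {
            return View();
        }

        // Narrowest built-in criterion: authenticated AND this exact (hypothetical) user name.
        [Authorize(Users = "alice")]
        public ActionResult Export()
        {
            return View();
        }
    }

    // Supplying your own criterion: subclass AuthorizeAttribute and override AuthorizeCore.
    // The hypothetical rule here is "standard check passes AND the request arrived over HTTPS".
    public class AuthorizeSecureAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // base.AuthorizeCore applies the built-in check (authenticated, then Roles/Users).
            // Returning false makes the filter produce a 401, which Forms authentication turns
            // into a redirect to the configured login page.
            return base.AuthorizeCore(httpContext) && httpContext.Request.IsSecureConnection;
        }
    }
}
```

Note that nothing in this file reads a password, a cookie, or a Windows token: the filter only inspects the IPrincipal that the authentication module already attached to HttpContext.User. Swapping <authentication mode="Forms"> for <authentication mode="Windows"> in web.config changes how that principal is produced without touching any of the attributes above, which is exactly the separation the answer describes.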