
AuthorizeAttribute Class

Specifies the authorization filter that verifies the request's IPrincipal.

Namespace:  System.Web.Http
Assembly:  System.Web.Http (in System.Web.Http.dll)

[AttributeUsageAttribute(AttributeTargets.Class|AttributeTargets.Method, Inherited = true, 
	AllowMultiple = true)]
public class AuthorizeAttribute : AuthorizationFilterAttribute

The AuthorizeAttribute type exposes the following members.

| Member type | Name | Description |
|---|---|---|
| Public method | AuthorizeAttribute | Initializes a new instance of the AuthorizeAttribute class. |

| Member type | Name | Description |
|---|---|---|
| Public property | AllowMultiple | Gets a value that indicates whether multiple filters are allowed. (Inherited from FilterAttribute.) |
| Public property | Roles | Gets or sets the authorized roles. |
| Public property | TypeId | Gets a unique identifier for this attribute. (Overrides Attribute.TypeId.) |
| Public property | Users | Gets or sets the authorized users. |

| Member type | Name | Description |
|---|---|---|
| Public method | Equals | (Inherited from Attribute.) |
| Protected method | Finalize | (Inherited from Object.) |
| Public method | GetHashCode | (Inherited from Attribute.) |
| Public method | GetType | (Inherited from Object.) |
| Protected method | HandleUnauthorizedRequest | Processes requests that fail authorization. |
| Protected method | IsAuthorized | Indicates whether the specified control is authorized. |
| Public method | IsDefaultAttribute | (Inherited from Attribute.) |
| Public method | Match | (Inherited from Attribute.) |
| Protected method | MemberwiseClone | (Inherited from Object.) |
| Public method | OnAuthorization | Called when an action is being authorized. (Overrides AuthorizationFilterAttribute.OnAuthorization(HttpActionContext).) |
| Public method | OnAuthorizationAsync | (Inherited from AuthorizationFilterAttribute.) |
| Public method | ToString | (Inherited from Object.) |

| Member type | Name | Description |
|---|---|---|
| Explicit interface implementation, private method | _Attribute.GetIDsOfNames | (Inherited from Attribute.) |
| Explicit interface implementation, private method | _Attribute.GetTypeInfo | (Inherited from Attribute.) |
| Explicit interface implementation, private method | _Attribute.GetTypeInfoCount | (Inherited from Attribute.) |
| Explicit interface implementation, private method | IAuthorizationFilter.ExecuteAuthorizationFilterAsync | Executes the authorization filter during synchronization. (Inherited from AuthorizationFilterAttribute.) |
| Explicit interface implementation, private method | _Attribute.Invoke | (Inherited from Attribute.) |

You can declare multiple AuthorizeAttribute instances per action. You can also use AllowAnonymousAttribute to disable authorization for a specific action.

To restrict access for every Web API controller, add the AuthorizeAttribute filter to the global filter list.

public static void Register(HttpConfiguration config)
{
    config.Filters.Add(new AuthorizeAttribute());
}

To restrict access for a specific controller, add the filter as an attribute to the controller.

// Require authorization for all actions on the controller.
[Authorize]
public class ValuesController : ApiController
{
    public HttpResponseMessage Get(int id) { ... }
    public HttpResponseMessage Post() { ... }
}

To restrict access for specific actions, add the attribute to the action method.

public class ValuesController : ApiController
{
    public HttpResponseMessage Get() { ... }

    // Require authorization for a specific action.
    [Authorize]
    public HttpResponseMessage Post() { ... }
}

You can restrict the controller and then allow anonymous access to specific actions, by using the [AllowAnonymous] attribute. In the following example, the Post method is restricted, but the Get method allows anonymous access.

[Authorize]
public class ValuesController : ApiController
{
    [AllowAnonymous]
    public HttpResponseMessage Get() { ... }

    public HttpResponseMessage Post() { ... }
}

You can also limit access to specific users or to users in specific roles.

// Restrict by user:
[Authorize(Users="Alice,Bob")]
public class ValuesController : ApiController
{
}
   
// Restrict by role:
[Authorize(Roles="Administrators")]
public class ValuesController : ApiController
{
}
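
The pieces above combined into a deny-by-default setup, as an added example that is not part of the original reference page: a global filter, an explicit [AllowAnonymous] opt-out, and stacked Users/Roles restrictions. ForbidAuthorizeAttribute and ReportsController are hypothetical names; the subclass overrides HandleUnauthorizedRequest so that an authenticated caller who fails the Users/Roles check gets 403 instead of the default 401, and it assumes Web API 2, where the principal is available on RequestContext.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical subclass (not part of System.Web.Http): keeps the built-in
// Users/Roles checks and only changes the failure response.
public class ForbidAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // Assumption: Web API 2, where the principal is exposed on RequestContext.
        var principal = actionContext.RequestContext.Principal;
        bool authenticated = principal != null && principal.Identity != null && principal.Identity.IsAuthenticated;
        if (authenticated)
        {
            // Known caller, wrong user or role: 403, so clients do not re-prompt for credentials.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Access denied.");
            return;
        }
        // Anonymous caller: keep the default 401 response.
        base.HandleUnauthorizedRequest(actionContext);
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Deny by default: every action requires an authenticated caller.
        config.Filters.Add(new ForbidAuthorizeAttribute());
    }
}

public class ReportsController : ApiController   // hypothetical controller
{
    [AllowAnonymous]   // explicit opt-out of the global filter
    public HttpResponseMessage GetStatus() { return Request.CreateResponse(HttpStatusCode.OK); }

    // Stacked filters must all pass: (Administrators OR Auditors) AND (Alice OR Bob).
    [ForbidAuthorize(Roles = "Administrators,Auditors")]
    [ForbidAuthorize(Users = "Alice,Bob")]
    public HttpResponseMessage Delete(int id) { return Request.CreateResponse(HttpStatusCode.NoContent); }
}
```

With the global filter in place, a newly added controller or action is protected unless it is explicitly marked [AllowAnonymous], which makes the anonymous surface easy to audit by searching for that attribute.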

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
© 2014 Microsoft