ASP.NET Core 8.0 - Authorized Access
This article will describe authorization attributes and authorization conventions to restrict access to pages for anonymous users. You should review the earlier articles of the Cookies And Claims Project series. Registered users can download the ASP.NET Core 8.0 - Cookies And Claims Project for free.
Cookies And Claims Project and Article Series
Free project download for registered users!
I developed the Cookies And Claims Project (CACP) to demonstrate a simple cookie authentication scheme and claim-based authorization with a clear and modifiable design. The CACP is developed with Visual Studio 2022 and the MS Long Term Support (LTS) version .NET 8.0 framework. All Errors, Warnings, and Messages from Code Analysis have been mitigated. The CACP implements utilities like an AES Cipher, Password Hasher, native JavaScript client form validation, password requirements UI, Bootstrap Native message modal generator, loading/spinner generator, SignalR online user count, and an automatic idle logout for users with administration permissions.
- ASP.NET Core 8.0 - Cookies And Claims
- ASP.NET Core 8.0 - Cookie Authentication
- ASP.NET Core 8.0 - Remember Me Or Not
- ASP.NET Core 8.0 - Authorized Access
- ASP.NET Core 8.0 - Administrator Claim
- ASP.NET Core 8.0 - Admin Idle Logout
- ASP.NET Core 8.0 - Cookie Consent
- ASP.NET Core 8.0 - SignalR Online User Count
- ASP.NET Core 8.0 - AES Cipher
- ASP.NET Core 8.0 - Password Hasher
- ASP.NET Core 8.0 - Message Modal Generator
Updated as the articles become published.
If an anonymous user attempts to access a resource protected by authorization, they are redirected to the Log In page. You can implement authorization attributes with the Microsoft .AspNetCore .Authorization Namespace. In its most basic form, applying the [Authorize] attribute to a controller, action, or Razor Page, limits access to that component to authenticated users. See MS - Simple authorization in ASP.NET Core.
Pages > Members > Index.cshtml.cs:
[Authorize] public class IndexModel : PageModel
If you implement authorization conventions to limit access to a folder, you can use the [AllowAnonymous] attribute to allow anonymous access to a page in that folder.
Pages > Members > IdleLogout.cshtml.cs:
[AllowAnonymous] public class IdleLogoutModel() : PageModel
The CACP implements authorization conventions at startup to authorize users and allow anonymous users to access individual pages or folders of pages. See MS - Razor Pages authorization conventions in ASP.NET Core.
Program.cs:
builder.Services.AddRazorPages(options => { options.Conventions.AuthorizeFolder("/Account/Manage"); options.Conventions.AuthorizeFolder("/Members"); options.Conventions.AllowAnonymousToPage("/Members/IdleLogout"); options.Conventions.AuthorizeFolder("/Admin", AppSettings.AdministratorOnlyPolicy); }) .AddJsonOptions(options => { options.JsonSerializerOptions.PropertyNamingPolicy = null; }) .AddCookieTempDataProvider(options => { options.Cookie.IsEssential = true; });
The CACP implements AddJsonOptions to set PropertyNamingPolicy = null, which replaces camelCase with PascalCase during serializations. The CACP implements AddCookieTempDataProvider's CookieTempDataProviderOptions to set Cookie.IsEssential = true, which allows TempData before non-essential cookie consent. IsEssential defaults to false. This property is only considered when a user opts into the CookiePolicyMiddleware. If you are using the CookiePolicyMiddleware middleware together with CookieTempDataProvider, then either set this property to true or request user consent for non-essential cookies. See MS - CookieTempDataProviderOptions.Cookie Property.
Comments(0)