ASP.NET Core 8.0 - Authorized Access

This article will describe authorization attributes and authorization conventions to restrict access to pages for anonymous users. You should review the earlier articles of the Cookies And Claims Project series. Registered users can download the ASP.NET Core 8.0 - Cookies And Claims Project for free.

Cookies And Claims Project and Article Series

Free project download for registered users!

I developed the Cookies And Claims Project (CACP) to demonstrate a simple cookie authentication scheme and claim-based authorization with a clear and modifiable design. The CACP is developed with Visual Studio 2022 and the MS Long Term Support (LTS) version .NET 8.0 framework. All Errors, Warnings, and Messages from Code Analysis have been mitigated. The CACP implements utilities like an AES Cipher, Password Hasher, native JavaScript client form validation, password requirements UI, Bootstrap Native message modal generator, loading/spinner generator, SignalR online user count, and an automatic idle logout for users with administration permissions.

If an anonymous user attempts to access a resource protected by authorization, they are redirected to the Log In page. You can implement authorization attributes with the Microsoft .AspNetCore .Authorization Namespace. In its most basic form, applying the [Authorize] attribute to a controller, action, or Razor Page, limits access to that component to authenticated users. See MS - Simple authorization in ASP.NET Core.

Pages > Members > Index.cshtml.cs:
[Authorize]
public class IndexModel : PageModel

If you implement authorization conventions to limit access to a folder, you can use the [AllowAnonymous] attribute to allow anonymous access to a page in that folder.

Pages > Members > IdleLogout.cshtml.cs:
[AllowAnonymous]
public class IdleLogoutModel() : PageModel

The CACP implements authorization conventions at startup to authorize users and allow anonymous users to access individual pages or folders of pages. See MS - Razor Pages authorization conventions in ASP.NET Core.

Program.cs:
builder.Services.AddRazorPages(options =>
    {
        options.Conventions.AuthorizeFolder("/Account/Manage");
        options.Conventions.AuthorizeFolder("/Members");
        options.Conventions.AllowAnonymousToPage("/Members/IdleLogout");
        options.Conventions.AuthorizeFolder("/Admin", AppSettings.AdministratorOnlyPolicy);
    })
    .AddJsonOptions(options => { options.JsonSerializerOptions.PropertyNamingPolicy = null; })
    .AddCookieTempDataProvider(options => { options.Cookie.IsEssential = true; });

The CACP implements AddJsonOptions to set PropertyNamingPolicy = null, which replaces camelCase with PascalCase during serializations. The CACP implements AddCookieTempDataProvider's CookieTempDataProviderOptions to set Cookie.IsEssential = true, which allows TempData before non-essential cookie consent. IsEssential defaults to false. This property is only considered when a user opts into the CookiePolicyMiddleware. If you are using the CookiePolicyMiddleware middleware together with CookieTempDataProvider, then either set this property to true or request user consent for non-essential cookies. See MS - CookieTempDataProviderOptions.Cookie Property.

Ken Haggerty
Created 07/24/24
Updated 08/29/24 16:15 GMT

Log In or Reset Quota to read more.

Article Tags:

Authentication
Successfully completed. Thank you for contributing.
Contribute to enjoy content without advertisments.
Something went wrong. Please try again.

Comments(0)

Loading...
Loading...

Not accepting new comments.

Submit your comment. Comments are moderated.

User Image.
DisplayedName - Member Since ?