Authorize attribute in ASP.NET MVC

Question

I am having a hard time to understand real use of [Authorize] attribute in ASP.NET MVC. As per the concept goes, if we decorate a controller method with [Authorize] attribute, only authenticated users are allowed to access the controllers.

I have developed an ASP.NET MVC application without decorating controllers with [Authorize] attribute. What I have observed is, if I implement authentication mechanism properly in my application using web.config or some other way, noway I can access the URL {controller}/{action}/{id} of a particular action method.

System always ask for login. That means my Controllers are secured. My question is this, when I can secure my controllers without using [Authorize] attribute, then what is the real need of it?

Answer 1

Real power comes with understanding and implementation membership provider together with role provider. You can assign users into roles and according to that restriction you can apply different access roles for different user to controller actions or controller itself.

 [Authorize(Users = "Betty, Johnny")]
 public ActionResult SpecificUserOnly()
 {
     return View();
 }

or you can restrict according to group

[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
    return View();
}