Events
Power BI DataViz World Championships
Feb 14, 4 PM - Mar 31, 4 PM
With 4 chances to enter, you could win a conference package and make it to the LIVE Grand Finale in Las Vegas
Learn moreThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
One way to control access in your Razor Pages app is to use authorization conventions at startup. These conventions allow you to authorize users and allow anonymous users to access individual pages or folders of pages. The conventions described in this topic automatically apply authorization filters to control access.
View or download sample code (how to download)
The sample app uses cookie authentication without ASP.NET Core Identity. The concepts and examples shown in this topic apply equally to apps that use ASP.NET Core Identity. To use ASP.NET Core Identity, follow the guidance in Introduction to Identity on ASP.NET Core.
Use the AuthorizePage convention to add an AuthorizeFilter to the page at the specified path:
services.AddRazorPages(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
});
The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.
To specify an authorization policy, use an AuthorizePage overload:
options.Conventions.AuthorizePage("/Contact", "AtLeast21");
Note
An AuthorizeFilter can be applied to a page model class with the [Authorize]
filter attribute. For more information, see Authorize filter attribute.
Use the AuthorizeFolder convention to add an AuthorizeFilter to all of the pages in a folder at the specified path:
services.AddRazorPages(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
});
The specified path is the View Engine path, which is the Razor Pages root relative path.
To specify an authorization policy, use an AuthorizeFolder overload:
options.Conventions.AuthorizeFolder("/Private", "AtLeast21");
Use the AuthorizeAreaPage convention to add an AuthorizeFilter to the area page at the specified path:
options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts");
The page name is the path of the file without an extension relative to the pages root directory for the specified area. For example, the page name for the file Areas/Identity/Pages/Manage/Accounts.cshtml
is /Manage/Accounts.
To specify an authorization policy, use an AuthorizeAreaPage overload:
options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts", "AtLeast21");
Use the AuthorizeAreaFolder convention to add an AuthorizeFilter to all of the areas in a folder at the specified path:
options.Conventions.AuthorizeAreaFolder("Identity", "/Manage");
The folder path is the path of the folder relative to the pages root directory for the specified area. For example, the folder path for the files under Areas/Identity/Pages/Manage/ is /Manage.
To specify an authorization policy, use an AuthorizeAreaFolder overload:
options.Conventions.AuthorizeAreaFolder("Identity", "/Manage", "AtLeast21");
Use the AllowAnonymousToPage convention to add an AllowAnonymousFilter to a page at the specified path:
services.AddRazorPages(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
});
The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.
Use the AllowAnonymousToFolder convention to add an AllowAnonymousFilter to all of the pages in a folder at the specified path:
services.AddRazorPages(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
});
The specified path is the View Engine path, which is the Razor Pages root relative path.
It's valid to specify that a folder of pages requires authorization and then specify that a page within that folder allows anonymous access:
// This works.
.AuthorizeFolder("/Private").AllowAnonymousToPage("/Private/Public")
The reverse, however, isn't valid. You can't declare a folder of pages for anonymous access and then specify a page within that folder that requires authorization:
// This doesn't work!
.AllowAnonymousToFolder("/Public").AuthorizePage("/Public/Private")
Requiring authorization on the Private page fails. When both the AllowAnonymousFilter and AuthorizeFilter are applied to the page, the AllowAnonymousFilter takes precedence and controls access.
One way to control access in your Razor Pages app is to use authorization conventions at startup. These conventions allow you to authorize users and allow anonymous users to access individual pages or folders of pages. The conventions described in this topic automatically apply authorization filters to control access.
View or download sample code (how to download)
The sample app uses cookie authentication without ASP.NET Core Identity. The concepts and examples shown in this topic apply equally to apps that use ASP.NET Core Identity. To use ASP.NET Core Identity, follow the guidance in Introduction to Identity on ASP.NET Core.
Use the AuthorizePage convention via AddRazorPagesOptions to add an AuthorizeFilter to the page at the specified path:
services.AddMvc()
.AddRazorPagesOptions(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.
To specify an authorization policy, use an AuthorizePage overload:
options.Conventions.AuthorizePage("/Contact", "AtLeast21");
Note
An AuthorizeFilter can be applied to a page model class with the [Authorize]
filter attribute. For more information, see Authorize filter attribute.
Use the AuthorizeFolder convention via AddRazorPagesOptions to add an AuthorizeFilter to all of the pages in a folder at the specified path:
services.AddMvc()
.AddRazorPagesOptions(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
The specified path is the View Engine path, which is the Razor Pages root relative path.
To specify an authorization policy, use an AuthorizeFolder overload:
options.Conventions.AuthorizeFolder("/Private", "AtLeast21");
Use the AuthorizeAreaPage convention via AddRazorPagesOptions to add an AuthorizeFilter to the area page at the specified path:
options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts");
The page name is the path of the file without an extension relative to the pages root directory for the specified area. For example, the page name for the file Areas/Identity/Pages/Manage/Accounts.cshtml
is /Manage/Accounts.
To specify an authorization policy, use an AuthorizeAreaPage overload:
options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts", "AtLeast21");
Use the AuthorizeAreaFolder convention via AddRazorPagesOptions to add an AuthorizeFilter to all of the areas in a folder at the specified path:
options.Conventions.AuthorizeAreaFolder("Identity", "/Manage");
The folder path is the path of the folder relative to the pages root directory for the specified area. For example, the folder path for the files under Areas/Identity/Pages/Manage/ is /Manage.
To specify an authorization policy, use an AuthorizeAreaFolder overload:
options.Conventions.AuthorizeAreaFolder("Identity", "/Manage", "AtLeast21");
Use the AllowAnonymousToPage convention via AddRazorPagesOptions to add an AllowAnonymousFilter to a page at the specified path:
services.AddMvc()
.AddRazorPagesOptions(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.
Use the AllowAnonymousToFolder convention via AddRazorPagesOptions to add an AllowAnonymousFilter to all of the pages in a folder at the specified path:
services.AddMvc()
.AddRazorPagesOptions(options =>
{
options.Conventions.AuthorizePage("/Contact");
options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
The specified path is the View Engine path, which is the Razor Pages root relative path.
It's valid to specify that a folder of pages that require authorization and than specify that a page within that folder allows anonymous access:
// This works.
.AuthorizeFolder("/Private").AllowAnonymousToPage("/Private/Public")
The reverse, however, isn't valid. You can't declare a folder of pages for anonymous access and then specify a page within that folder that requires authorization:
// This doesn't work!
.AllowAnonymousToFolder("/Public").AuthorizePage("/Public/Private")
Requiring authorization on the Private page fails. When both the AllowAnonymousFilter and AuthorizeFilter are applied to the page, the AllowAnonymousFilter takes precedence and controls access.
ASP.NET Core feedback
ASP.NET Core is an open source project. Select a link to provide feedback:
Events
Power BI DataViz World Championships
Feb 14, 4 PM - Mar 31, 4 PM
With 4 chances to enter, you could win a conference package and make it to the LIVE Grand Finale in Las Vegas
Learn more