Restricting Access to an Action Method in ASP.NET Core MVC
Introduction

This post talks about a few options for restricting access to a given action method - or to all of them - on an ASP.NET Core MVC controller. It won’t be a general article about security in ASP.NET Core, just this aspect of it.

Prerequisites

We must always add authentication (who we are) and authorisation (what we can do) support to the ASP.NET Core pipeline. Authorisation requires authentication, but authentication can exist on its own, as long as some authentication scheme is provided:

    builder.Services.AddAuthentication()
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme);
    builder.Services.AddAuthorization(); // can take options, as we will see later on

Using Filters

ASP.NET Core filters are well known and popular; they are probably the easiest way to restrict access to an endpoint. Filters can be applied:

- Through an attribute, to an action method or a controller
- Globally, for all controllers and actions

Custom Filters

IAuthorizationFilter or IAsyn...
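
The two ways of applying a filter listed under Using Filters, shown with one global filter and one custom IAuthorizationFilter attribute. This is an added example, not code from the original post; RequireRoleAttribute, ReportsController and the "Admin" role are hypothetical names, and it assumes a Microsoft.NET.Sdk.Web project with implicit usings enabled.

```csharp
// Added example. Assumes a Microsoft.NET.Sdk.Web project with implicit usings.
// RequireRoleAttribute, ReportsController and the "Admin" role are hypothetical.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;

var builder = WebApplication.CreateBuilder(args);
// A default scheme is named so ChallengeResult/ForbidResult know which handler to use.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme);
builder.Services.AddAuthorization();

// Global filter: every action on every controller requires an authenticated user.
var signedIn = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
builder.Services.AddControllersWithViews(o => o.Filters.Add(new AuthorizeFilter(signedIn)));

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Attribute filter: applied to a controller or a single action.
// Built-in [Authorize(Roles = "...")] covers this case; the class shows the mechanics.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class RequireRoleAttribute : Attribute, IAuthorizationFilter
{
    private readonly string _role;
    public RequireRoleAttribute(string role) => _role = role;

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;
        if (user.Identity?.IsAuthenticated != true)
            context.Result = new ChallengeResult();  // not signed in: start the login flow
        else if (!user.IsInRole(_role))
            context.Result = new ForbidResult();     // signed in but lacks the role
        // Leaving Result unset lets the request continue to the action.
    }
}

public class ReportsController : Controller
{
    public IActionResult Index() => Content("any signed-in user");

    [RequireRole("Admin")]
    public IActionResult Purge() => Content("Admin role only");
}
```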