Join Jess Chadwick for an in-depth discussion in this video Securing your pages from unauthorized access, part of ASP.NET Core: Razor Pages.
- [Narrator] At this point, we've got a pretty functional website. We're showing recipes, and we even have the ability to add and edit them. The only problem is that it's not just us that can add and edit these recipes. Anyone with access to the site can make those changes too. To solve that problem, let's take a look at a couple of ways to lock down the pages in your application to keep them from being accessed by unauthorized users. Regardless of the approach you use, the first step to locking down any page in your site is to enable authorization in your application's configuration.
To do this, go ahead and open up your application's Startup class and add the following line to its Configure method: app.UseAuthentication(). Then you'll need to tell ASP.NET Core what kind of authentication you'd like to use. You can do that with a call to AddAuthentication in the ConfigureServices method. Though this method does allow you to call it without any parameters, ASP.NET Core really expects you to tell it what your default authentication scheme will be.
In this demo I'll be using cookie authentication, so I'll let ASP.NET Core know that. Note that the CookieAuthenticationDefaults class is in the Microsoft.AspNetCore.Authentication.Cookies namespace, so be sure to add that reference. After I've done that, I'll also need to add a call to the AddCookie extension method to properly configure the cookie authentication middleware.
And now that I've configured the site to support authentication, it's time to lock down some pages, and I'll start with the add/edit page. The first approach to preventing a page from being accessed by unauthorized users is to simply apply the Microsoft.AspNetCore.Authorization.Authorize attribute on top of the page's PageModel class, like this. If this attribute looks familiar, that's because it's the same one that you use to lock down ASP.NET Core MVC controllers.
And that's it. To show that this page is locked down, I'll go ahead and run the site and try to access it. I know that this isn't the fanciest error page you've ever seen, but if you take a look at the URL, it proves that I have in fact been locked out of the page, because ASP.NET Core has redirected me to the default login page URL, /Account/Login. Of course, this page doesn't exist, because I haven't created it yet, which is why I'm seeing this 404 error page.
I'm not going to implement the ability to log in until later on, but I'll go ahead and create the login page now under a new folder named Account so that we have something to see at this location. Under this folder I'll add a new Razor page named Login. I'll set the page's title, and now when I refresh I can see the page.
The next approach I'm going to show, while slightly more difficult to remember, is better when you need to lock down multiple pages at once, especially if those pages live in the same folder. To begin, head back to the ConfigureServices method in the Startup class, and then make a call to the AddRazorPagesOptions method that's available after calling AddMvc. The AddRazorPagesOptions method takes a function parameter, and in this function you're able to set a whole suite of configuration options to customize how the Razor Pages framework works.
First I'll show how to authenticate all of the pages in a folder at once. For example, let's assume that I'm going to add more pages to that Admin folder: pages that help me administer my site, so I don't want anyone else to have access to them, and I don't want to take a chance that I forget to put that Authorize attribute on any of those pages. So to lock down an entire folder, I simply make a call to options.Conventions.AuthorizeFolder and give it the path to the folder that I'd like to protect, in this case the Admin folder.
Likewise, let's assume that the new Account folder that I just created will end up containing additional pages that show the user's profile or account information, and I want to make sure that all of those pages are protected by default too. I can just add that folder as well. But wait a minute: right now that folder has the login page in it, and I definitely don't want that to be locked down. Otherwise no one would ever be able to authenticate. But that's fine. I can still protect the entire folder with a call to AuthorizeFolder, but then start punching holes in that protection with calls to the AllowAnonymousToPage method, passing it the path to the page that I'd like to un-protect.
Now I can place another page in the Account folder without putting any Authorize attribute on it, like this. And then when I try to navigate to this page, I'll be blocked and redirected to the login page, which I can still access, because I've allowed anonymous access to that page, even though it lives in the protected Account folder.
Now that I've got everything all locked down, it's time to move on and wrap this up by showing how to implement the login page to actually allow users to access these pages that are so well protected.
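The Startup configuration and page attribute the narrator walks through, collected into one added example (not code from the course itself). It assumes the ASP.NET Core 2.x API surface the narration uses (AddMvc().AddRazorPagesOptions, UseMvc) and assumes the add/edit page lives under Pages/Admin; the explicit LoginPath setting simply spells out the /Account/Login default mentioned above.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Name the default scheme explicitly; an unnamed AddAuthentication()
        // compiles but leaves the challenge behaviour undefined.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // Unauthenticated requests to protected pages are redirected here.
                // This is the framework default; shown explicitly for clarity.
                options.LoginPath = "/Account/Login";
            });

        services.AddMvc()
            .AddRazorPagesOptions(options =>
            {
                // Folder-wide protection: nothing under /Admin or /Account can be
                // forgotten, because no page there needs its own attribute.
                options.Conventions.AuthorizeFolder("/Admin");
                options.Conventions.AuthorizeFolder("/Account");
                // Punch one hole so users can actually reach the sign-in page.
                options.Conventions.AllowAnonymousToPage("/Account/Login");
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication middleware must run before Razor Pages/MVC so the
        // [Authorize] checks below see the cookie principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Pages/Admin/AddEdit.cshtml.cs (assumed path): per-page protection.
// Redundant once the /Admin folder convention is in place, but harmless and
// keeps the page safe if it is ever moved out of that folder.
[Authorize]
public class AddEditModel : PageModel
{
    public void OnGet() { }
}
```

Belt-and-braces is the point here: the folder convention is the default-deny, and AllowAnonymousToPage is the only explicit exception, so a newly added page under /Account is protected even if the attribute is forgotten.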