I'm no security expert, but it's my understanding that the [Authorize] attribute protects the entire component, when it's an @page component that can be reached via the Blazor Router. If you want to call a method in the @code block of a component, I believe you still have to load that component. If that @page component is protected and the user is unauthorized, they shouldn't be able to call the methods in the @code block either. If I'm incorrect, hopefully someone else will chime in.

The other thing that complicates things a bit is that Blazor WebAssembly apps run in the client, so they are susceptible to being manipulated and it becomes difficult to enforce the authorization access rules. However, since the code is likely calling an API to retrieve the data, which should have its own access rules for its controller or method being called, I believe that should limit the potential for unauthorized access.

It's important to mention that the [Authorize] attribute doesn't work in child components, only components with the @page directive that can be accessed via the Blazor Router. For more information, please check out: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-5.0
[Authorize] attribute, needed in code behind Blazor page?
Hi, I have a quick question.
I'm using role-based authorization on my pages like so '@attribute [Authorize(Roles="yadayada")]'.
And in the controller, '[Authorize(Roles ="yadayada")]'.
And in the Navigation menu '<AuthorizeView Roles="yadayada">'.
I guess my question is, on the Razor Page, does the one attribute [Authorize()] protect both the HTML and the code? Or do I need to apply the Authorize attribute to each function in the code section of the page?
I have dug around and I can't seem to get straight answers. I do seem to recall one post mentioning that the attribute will not work in the @code section but only the page and class scopes.
I tried adding it to my page code, it gave no build or run errors, but I can't say that I need it either.
Any thoughts?
Thanks
1 Posted 3 years ago by selliott
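
The layering discussed in this thread, as an added example that is not code from either poster: a page-level [Authorize] in the code-behind, a procedural role check inside a method, and the server-side attribute on the API controller. The names Reports, ReportsController and api/reports are hypothetical, the two files are shown together in one block, and App.razor is assumed to wrap the Router in CascadingAuthenticationState.

```csharp
// Added example. Reports, ReportsController and "api/reports" are hypothetical names.
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Mvc;

// --- Client project: Reports.razor.cs, code-behind for Reports.razor (@page "/reports") ---
// Class-level attribute, equivalent to @attribute [Authorize(...)] in the .razor file.
// It is evaluated when the Router renders the page through AuthorizeRouteView.
[Authorize(Roles = "yadayada")]
public partial class Reports : ComponentBase
{
    // Assumes App.razor wraps the Router in <CascadingAuthenticationState>.
    [CascadingParameter] private Task<AuthenticationState> AuthStateTask { get; set; }
    [Inject] private HttpClient Http { get; set; }

    protected string[] Rows { get; private set; } = new string[0];
    protected string Error { get; private set; }

    // No [Authorize] here: Blazor does not evaluate it on component methods.
    // A procedural check is a UI convenience only; in WebAssembly it runs on the client.
    protected async Task LoadAsync()
    {
        var user = (await AuthStateTask).User;
        if (!user.IsInRole("yadayada")) { Error = "Not authorized."; return; }

        var response = await Http.GetAsync("api/reports");
        if (!response.IsSuccessStatusCode)
        {
            Error = $"Server refused the request ({(int)response.StatusCode}).";
            return;
        }
        Rows = await response.Content.ReadFromJsonAsync<string[]>();
    }
}

// --- Server project: ReportsController.cs ---
// Enforced on the server for every request, whatever the client code does.
[Authorize(Roles = "yadayada")]
[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    [HttpGet]
    public ActionResult<string[]> Get() => new[] { "constructed sample row" };
}
```

The controller attribute is the only one of the three that runs outside the browser, so it is the one that decides whether data leaves the server.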