Merge pull request #36920 from dotnet/main

Merge to Live

Author: wadepickett

.openpublishing.redirection.json

@@ -1678,6 +1678,11 @@
             "source_path": "aspnetcore/security/authorization/iard.md",
             "redirect_url": "/aspnet/core/security/authorization/custom-authorization-policies-with-iauthorizationrequirementdata",
             "redirect_document_id": false
+        },
+        {
+            "source_path": "aspnetcore/security/authorization/razor-pages-authorization.md",
+            "redirect_url": "/aspnet/core/razor-pages/security/authorization/conventions",
+            "redirect_document_id": false
         }
     ]
 }

aspnetcore/blazor/security/index.md

@@ -30,7 +30,7 @@ If authorization rule enforcement and the security of data and code must be guar
 
 :::moniker-end
 
-[Razor Pages authorization conventions](xref:security/authorization/razor-pages-authorization) don't apply to routable Razor components. If a non-routable Razor component is [embedded in a page of a Razor Pages app](xref:blazor/components/integration), the page's authorization conventions indirectly affect the Razor component along with the rest of the page's content.
+[Razor Pages authorization conventions](xref:razor-pages/security/authorization/conventions) don't apply to routable Razor components. If a non-routable Razor component is [embedded in a page of a Razor Pages app](xref:blazor/components/integration), the page's authorization conventions indirectly affect the Razor component along with the rest of the page's content.
 
 :::moniker range="< aspnetcore-8.0"
 

aspnetcore/razor-pages/index.md

@@ -579,7 +579,7 @@ The configuration and settings in following sections is not required by most app
 To configure advanced options, use the <xref:Microsoft.Extensions.DependencyInjection.MvcServiceCollectionExtensions.AddRazorPages%2A> overload that configures <xref:Microsoft.AspNetCore.Mvc.RazorPages.RazorPagesOptions>:
 [!code-csharp[](~/razor-pages/index/6.0sample/RazorPagesContacts/Program.cs?name=snippet_ac&highlight=5-9)]
 
-Use the <xref:Microsoft.AspNetCore.Mvc.RazorPages.RazorPagesOptions> to set the root directory for pages, or add application model conventions for pages. For more information on conventions, see [Razor Pages authorization conventions](xref:security/authorization/razor-pages-authorization).
+Use the <xref:Microsoft.AspNetCore.Mvc.RazorPages.RazorPagesOptions> to set the root directory for pages, or add application model conventions for pages. For more information on conventions, see [Razor Pages authorization conventions](xref:razor-pages/security/authorization/conventions).
 
 To precompile views, see [Razor view compilation](xref:mvc/views/view-compilation).
 
@@ -604,7 +604,7 @@ Add <xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcCoreBuilderEx
 * <xref:mvc/views/razor>
 * <xref:mvc/controllers/areas>
 * <xref:tutorials/razor-pages/razor-pages-start>
-* <xref:security/authorization/razor-pages-authorization>
+* <xref:razor-pages/security/authorization/conventions>
 * <xref:razor-pages/razor-pages-conventions>
 * <xref:test/razor-pages-tests>
 * <xref:mvc/views/partial>

aspnetcore/razor-pages/index/includes/index35.md

@@ -571,7 +571,7 @@ To configure advanced options, use the <xref:Microsoft.Extensions.DependencyInje
 
 [!code-csharp[](~/razor-pages/index/3.0sample/RazorPagesContacts/StartupRPoptions.cs?name=snippet)]
 
-Use the <xref:Microsoft.AspNetCore.Mvc.RazorPages.RazorPagesOptions> to set the root directory for pages, or add application model conventions for pages. For more information on conventions, see [Razor Pages authorization conventions](xref:security/authorization/razor-pages-authorization).
+Use the <xref:Microsoft.AspNetCore.Mvc.RazorPages.RazorPagesOptions> to set the root directory for pages, or add application model conventions for pages. For more information on conventions, see [Razor Pages authorization conventions](xref:razor-pages/security/authorization/conventions).
 
 To precompile views, see [Razor view compilation](xref:mvc/views/view-compilation).
 
@@ -596,7 +596,7 @@ Add <xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcCoreBuilderEx
 * <xref:mvc/views/razor>
 * <xref:mvc/controllers/areas>
 * <xref:tutorials/razor-pages/razor-pages-start>
-* <xref:security/authorization/razor-pages-authorization>
+* <xref:razor-pages/security/authorization/conventions>
 * <xref:razor-pages/razor-pages-conventions>
 * <xref:test/razor-pages-tests>
 * <xref:mvc/views/partial>

aspnetcore/razor-pages/razor-pages-conventions.md

@@ -288,7 +288,7 @@ The Page filter (<xref:Microsoft.AspNetCore.Mvc.Filters.IPageFilter>) is a filte
 ## Additional resources
 
 * [Razor Pages Routing](https://www.learnrazorpages.com/razor-pages/routing)
-* <xref:security/authorization/razor-pages-authorization>
+* <xref:razor-pages/security/authorization/conventions>
 * <xref:mvc/controllers/areas#areas-with-razor-pages>
 
 :::moniker-end
@@ -569,7 +569,7 @@ The Page filter (<xref:Microsoft.AspNetCore.Mvc.Filters.IPageFilter>) is a filte
 
 ## Additional resources
 
-* <xref:security/authorization/razor-pages-authorization>
+* <xref:razor-pages/security/authorization/conventions>
 * <xref:mvc/controllers/areas#areas-with-razor-pages>
 
 :::moniker-end
@@ -825,7 +825,7 @@ The Page filter (<xref:Microsoft.AspNetCore.Mvc.Filters.IPageFilter>) is a filte
 
 ## Additional resources
 
-* <xref:security/authorization/razor-pages-authorization>
+* <xref:razor-pages/security/authorization/conventions>
 * <xref:mvc/controllers/areas#areas-with-razor-pages>
 
 :::moniker-end

aspnetcore/razor-pages/security/authorization/conventions.md

@@ -0,0 +1,183 @@
+---
+title: Razor Pages authorization conventions in ASP.NET Core
+author: wadepickett
+description: Learn how to control access to pages with conventions that authorize users and allow anonymous users to access pages or folders of pages.
+monikerRange: '>= aspnetcore-2.1'
+ms.author: wpickett
+ms.custom: mvc
+ms.date: 03/25/2026
+uid: razor-pages/security/authorization/conventions
+---
+# Razor Pages authorization conventions in ASP.NET Core
+
+One way to control access in a Razor Pages app is to use authorization conventions at startup. These conventions allow the app to authorize users and allow anonymous users to access individual pages or folders of pages. The conventions described in this article automatically apply [authorization filters](xref:mvc/controllers/filters#authorization-filters) to control access.
+
+[View or download sample code](https://github.com/dotnet/AspNetCore.Docs.Samples/tree/main/security/authorization/RazorPagesAuthorization) ([how to download](xref:fundamentals/index#how-to-download-a-sample))
+
+The sample app uses [cookie authentication without ASP.NET Core Identity](xref:security/authentication/cookie). To use ASP.NET Core Identity, follow the guidance in <xref:security/authentication/identity>.
+
+## Require authorization to access a page
+
+Use the <xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizePage%2A> convention to add an <xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter> to the page at the specified path:
+
+:::moniker range=">= aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/10.x/AuthorizationSample/Program.cs" id="snippet1" highlight="3":::
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-3.0 < aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/3.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="3":::
+
+:::moniker-end
+
+:::moniker range="< aspnetcore-3.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/2.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="2,4":::
+
+:::moniker-end
+
+The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.
+
+To specify an [authorization policy](xref:security/authorization/policies), use an [`AuthorizePage` overload](xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizePage%2A):
+
+```csharp
+options.Conventions.AuthorizePage("/Contact", "AtLeast21");
+```
+
+> [!NOTE]
+> An <xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter> can be applied to a page model class with the `[Authorize]` filter attribute. For more information, see <xref:razor-pages/filter#authorize-filter-attribute>.
+
+## Require authorization to access a folder of pages
+
+Use the <xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeFolder%2A> convention to add an <xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter> to all of the pages in a folder at the specified path:
+
+:::moniker range=">= aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/10.x/AuthorizationSample/Program.cs" id="snippet1" highlight="4":::
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-3.0 < aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/3.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="4":::
+
+:::moniker-end
+
+:::moniker range="< aspnetcore-3.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/2.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="2,5":::
+
+:::moniker-end
+
+The specified path is the View Engine path, which is the Razor Pages root relative path containing only forward slashes.
+
+To specify an [authorization policy](xref:security/authorization/policies), use an [`AuthorizeFolder` overload](xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeFolder%2A):
+
+```csharp
+options.Conventions.AuthorizeFolder("/Private", "AtLeast21");
+```
+
+## Require authorization to access an area page
+
+Use the <xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaPage%2A> convention to add an <xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter> to the area page at the specified path:
+
+```csharp
+options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts");
+```
+
+The page name is the path of the file without an extension relative to the pages root directory for the specified area. For example, the page name for the file `Areas/Identity/Pages/Manage/Accounts.cshtml` is `/Manage/Accounts`.
+
+To specify an [authorization policy](xref:security/authorization/policies), use an [`AuthorizeAreaPage` overload](xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaPage%2A):
+
+```csharp
+options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts", "AtLeast21");
+```
+
+## Require authorization to access a folder of areas
+
+Use the <xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaFolder%2A> convention to add an <xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter> to all of the areas in a folder at the specified path:
+
+```csharp
+options.Conventions.AuthorizeAreaFolder("Identity", "/Manage");
+```
+
+The folder path is the path of the folder relative to the pages root directory for the specified area. For example, the folder path for the files under `Areas/Identity/Pages/Manage/` is `/Manage`.
+
+To specify an [authorization policy](xref:security/authorization/policies), use an [`AuthorizeAreaFolder` overload](xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaFolder%2A):
+
+```csharp
+options.Conventions.AuthorizeAreaFolder("Identity", "/Manage", "AtLeast21");
+```
+
+## Allow anonymous access to a page
+
+Use the <xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AllowAnonymousToPage%2A> convention to add an <xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter> to a page at the specified path:
+
+:::moniker range=">= aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/10.x/AuthorizationSample/Program.cs" id="snippet1" highlight="5":::
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-3.0 < aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/3.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="5":::
+
+:::moniker-end
+
+:::moniker range="< aspnetcore-3.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/2.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="2,6":::
+
+:::moniker-end
+
+The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.
+
+## Allow anonymous access to a folder of pages
+
+Use the <xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AllowAnonymousToFolder%2A> convention to add an <xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter> to all of the pages in a folder at the specified path:
+
+:::moniker range=">= aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/10.x/AuthorizationSample/Program.cs" id="snippet1" highlight="6":::
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-3.0 < aspnetcore-10.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/3.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="6":::
+
+:::moniker-end
+
+:::moniker range="< aspnetcore-3.0"
+
+:::code language="csharp" source="~/../AspNetCore.Docs.Samples/security/authorization/RazorPagesAuthorization/2.x/AuthorizationSample/Startup.cs" id="snippet1" highlight="2,7":::
+
+:::moniker-end
+
+The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.
+
+## Note on combining authorized and anonymous access
+
+The app can specify that a folder of pages requires authorization and that a page within that folder allows anonymous access:
+
+```csharp
+// This works.
+.AuthorizeFolder("/Private").AllowAnonymousToPage("/Private/Public")
+```
+
+The reverse, however, isn't valid. The app can't declare a folder of pages for anonymous access and specify a page within that folder that requires authorization:
+
+```csharp
+// This doesn't work!
+.AllowAnonymousToFolder("/Public").AuthorizePage("/Public/Private")
+```
+
+Requiring authorization on the Private page fails. When both the <xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter> and <xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter> are applied to the page, the <xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter> takes precedence and controls access.
+
+## Additional resources
+
+* <xref:razor-pages/razor-pages-conventions>
+* <xref:Microsoft.AspNetCore.Mvc.ApplicationModels.PageConventionCollection>

aspnetcore/security/authorization/introduction.md

@@ -30,3 +30,4 @@ Consult the documentation on [simple authorization](xref:security/authorization/
 
 * <xref:fundamentals/minimal-apis/security>
 * <xref:blazor/security/index>
+* <xref:razor-pages/security/authorization/conventions>

aspnetcore/security/authorization/policies.md

@@ -118,7 +118,7 @@ Apply policies to Razor Pages by using the `[Authorize]` attribute with the poli
 
 Policies can ***not*** be applied at the Razor Page handler level, they must be applied to the Page.
 
-Policies can also be applied to Razor Pages by using an [authorization convention](xref:security/authorization/razor-pages-authorization).
+Policies can also be applied to Razor Pages by using an [authorization convention](xref:razor-pages/security/authorization/conventions).
 
 ## Apply policies to endpoints
 

aspnetcore/security/authorization/policies/includes/policies5.md

@@ -108,7 +108,7 @@ Policies are applied to Razor Pages by using the `[Authorize]` attribute with th
 
 Policies can ***not*** be applied at the Razor Page handler level, they must be applied to the Page.
 
-Policies can be applied to Razor Pages by using an [authorization convention](xref:security/authorization/razor-pages-authorization).
+Policies can be applied to Razor Pages by using an [authorization convention](xref:razor-pages/security/authorization/conventions).
 
 <a name="requirements"></a>