Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authorization in ASP .NET Core Razor pages

Tags:

c#

asp.net-core

razor-pages

I am unable to implement policy-based authorization in ASP .NET Core for an action on a razor page.

I read through this comprehensive document on authorization and used its examples as guidence.

Razor page action code:

[Authorize(Policy = "test")]
public async Task<IActionResult> OnGetCreateAsync(string id)

Code in service configuration:

_ = services.AddAuthorization(options => {
    options.AddPolicy("test", policy =>
        policy.RequireAssertion(context =>
            false));
});

I expect that if I call the action or endpoint service, e.g.

GET /Account?handler=Create

then the request will be denied with a 403 status response because the "test" policy states that everyone is unauthorized. However, in actual practice, the action is successfully called.

like image 391
shertu Avatar asked Aug 13 '19 12:08

shertu

People also ask

How do I Authorize a user in .NET Core?

Add the UseAuthentication middleware after UseRouting in the Configure method in the Startup file. This will enable us to authenticate using ASP.NET Core Identity. With all of this in place, the application Is all set to start using Identity.

What is authorization in ASP.NET Core?

Authentication is the process of determining a user's identity. Authorization is the process of determining whether a user has access to a resource. In ASP.NET Core, authentication is handled by the authentication service, IAuthenticationService, which is used by authentication middleware.

What is the use of razor pages in ASP.NET Core?

Razor Pages can make coding page-focused scenarios easier and more productive than using controllers and views. If you're looking for a tutorial that uses the Model-View-Controller approach, see Get started with ASP.NET Core MVC. This document provides an introduction to Razor Pages. It's not a step by step tutorial.

1 Answers

Razor Pages doesn't support [Authorize] at the handler level. i.e. You can only authorise a page as a whole, on the PageModel itself, as noted in the docs:

Policies can not be applied at the Razor Page handler level, they must be applied to the Page.

If authorising the page as a whole isn't a workable solution, you might need to move your OnGetCreateAsync handler into a controller/action pair, which can be attributed with [Authorize] accordingly.

There's also a related GitHub issue in the docs for this:

The [Authorize] filter attribute has been supported since 2.0 in Razor Pages, but note that it works at the page model class level

If you need a better workaround, see akbar's answer and Jim Yabro's answer.

like image 150
Kirk Larkin Avatar answered Oct 15 '22 23:10

Kirk Larkin
Sign in to Comment

Related questions

How does the SQLite Entity Framework 6 provider handle Guids?
What is the purpose of StreamReader when Stream.Read() exists?
Optional arguments in a generic Func<>
Where can I find Microsoft.Office.Interop.Word.dll (2010)?
Singleton Scope for EF's DbContext
Visual Studio 2015 RC Entity Framework 6.1.3 Migrations Error
What is C# 6.0 #pragma disable warnings feature?
How Can I bind DataContext to a Generic ViewModel in XAML?
UTF-16 safe substring in C# .NET
Is it possible to pass interpolated strings as parameter to a method?
Restart a crashed program with RegisterApplicationRestart without user prompt
System.Web.HttpContext.Current does not exist
Starting async method as Thread or as Task
Adding Query String Params to my Swagger Specs
IServiceCollection not found in web API with MVC 6
Jetbrains Rider + Visual Studio WPF
Linq performance: should I first use `where` or `select`
How to enable Application Logs in Azure for Net Core 2 App?
How to set NLog max file size?
How to get COUNT DISTINCT in translated SQL with EF Core

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!