 

Custom authorizations in Web.API

My understanding of ASP.NET MVC is that for authorizations I should use something like -

    using System.Web;
    using System.Web.Mvc;

    public class IPAuthorize : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // figure out if the ip is authorized
            // and return true or false
            string ip = httpContext.Request.UserHostAddress;
            return ip == "127.0.0.1"; // placeholder rule so the class compiles; replace with your own IP check
        }
    }

But in Web API, there is no AuthorizeCore(..).

There is OnAuthorization(..) and the general advice for MVC is not to use OnAuthorization(..).

What should I use for custom authorizations in Web API?

tom asked Mar 01 '13


People also ask

How do I create a custom authorization filter in Web API?

To implement a custom authorization filter, we need to create a class that derives from either AuthorizeAttribute, AuthorizationFilterAttribute, or IAuthorizationFilter. AuthorizeAttribute: an action is authorized based on the current user and the user's roles.

How do I create authentication and authorization in Web API?

Web API assumes that authentication happens in the host. For web-hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.


2 Answers

Authorization is done in an authorization filter - that means you derive from System.Web.Http.AuthorizeAttribute and implement the IsAuthorized method.

You don't implement authorization in a normal action filter because they run later in the pipeline than authorization filters.

You also don't implement authentication in a filter (like parsing a JWT) - this is done even earlier in an extensibility point called MessageHandler.

leastprivilege answered Oct 15 '22
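The pattern this answer recommends, applied to the IP check from the question, as an added example (not code from the original post or from the answerer): a Web API attribute that derives from System.Web.Http.AuthorizeAttribute and overrides IsAuthorized rather than OnAuthorization. It assumes ASP.NET Web API 2; the allow-listed addresses are constructed sample values, and the MS_HttpContext / RemoteEndpointMessageProperty lookups are the standard places the remote address is stored under IIS hosting and self-hosting respectively.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.ServiceModel.Channels;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;

// Added example: IP allow-list authorization filter for ASP.NET Web API 2.
// Usage: [IPAuthorize] on a controller or an action.
public class IPAuthorizeAttribute : AuthorizeAttribute
{
    // Constructed sample values, not from the original post.
    private static readonly HashSet<string> AllowedAddresses =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "127.0.0.1",
            "::1",
            "10.0.0.25"
        };

    // Web API calls this from its own OnAuthorization; return false to reject.
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        string clientIp = GetClientIp(actionContext);
        IPAddress parsed;
        if (string.IsNullOrEmpty(clientIp) || !IPAddress.TryParse(clientIp, out parsed))
        {
            return false; // unknown or malformed address: fail closed
        }
        return AllowedAddresses.Contains(parsed.ToString());
    }

    // Web API can be IIS-hosted or self-hosted; the remote address lives in a
    // different request property in each case, so check both.
    private static string GetClientIp(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        if (request.Properties.ContainsKey("MS_HttpContext"))
        {
            var ctx = (HttpContextBase)request.Properties["MS_HttpContext"];
            return ctx.Request.UserHostAddress;
        }
        if (request.Properties.ContainsKey(RemoteEndpointMessageProperty.Name))
        {
            var prop = (RemoteEndpointMessageProperty)request.Properties[RemoteEndpointMessageProperty.Name];
            return prop.Address;
        }
        return null;
    }

    // 403 rather than 401: the caller is identified by its address and simply
    // not allowed, so there is no authentication scheme to challenge with.
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
    }
}
```

The address is taken from the transport layer on purpose. Behind a reverse proxy or load balancer the transport address is the proxy's, and the original client address only exists in headers such as X-Forwarded-For, which any client can set; an allow-list built on such a header is only meaningful if the proxy strips and rewrites it and the application is reachable solely through that proxy.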


The method we use is a custom ApiAuthorize attribute that inherits from System.Web.Http.AuthorizeAttribute. For example:

    using System;
    using System.Net;
    using System.Net.Http;
    using System.Web.Http;
    using System.Web.Http.Controllers;

    public class ApiAuthorizeAttribute : AuthorizeAttribute
    {
        readonly CreditPointModelContext _ctx = new CreditPointModelContext();

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            if (Authorize(actionContext))
            {
                return;
            }
            HandleUnauthorizedRequest(actionContext);
        }

        protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
        {
            // Reply 401 with a challenge so the client knows which scheme to use.
            var challengeMessage = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            challengeMessage.Headers.Add("WWW-Authenticate", "Basic");
            throw new HttpResponseException(challengeMessage);
        }

        private bool Authorize(HttpActionContext actionContext)
        {
            try
            {
                // boolean logic to determine if you are authorized.
                // We check for a valid token in the request header or cookie.
                return false; // placeholder so the method compiles; replace with the real token check
            }
            catch (Exception)
            {
                // any failure while validating is treated as "not authorized"
                return false;
            }
        }
    }
Gareth Suarez answered Oct 15 '22
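The token check in this answer's Authorize method is authentication rather than authorization, which the first answer places in a message handler. As an added example (not code from either answer), here is that split for Web API 2: a DelegatingHandler validates a bearer token and sets the request principal before any filter runs, so a plain [Authorize] or an IsAuthorized override only has to ask whether the caller is authenticated. The token table and the user name are constructed sample data; a real service would verify a signed token or look the value up in a store.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Added example: bearer-token authentication as a Web API 2 message handler.
// Register in WebApiConfig.Register with:
//   config.MessageHandlers.Add(new TokenAuthenticationHandler());
public class TokenAuthenticationHandler : DelegatingHandler
{
    // Only SHA-256 digests of the tokens are held in memory, so the table
    // itself does not contain usable credentials. Constructed sample data.
    private static readonly Dictionary<string, string> TokenHashToUser =
        new Dictionary<string, string>
        {
            { Sha256Hex("sample-token-for-alice"), "alice" }
        };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Bearer" && !string.IsNullOrEmpty(auth.Parameter))
        {
            string user;
            if (TokenHashToUser.TryGetValue(Sha256Hex(auth.Parameter), out user))
            {
                var identity = new ClaimsIdentity(
                    new[] { new Claim(ClaimTypes.Name, user) }, "Bearer");
                var principal = new ClaimsPrincipal(identity);
                request.GetRequestContext().Principal = principal;
                Thread.CurrentPrincipal = principal;
            }
            // An invalid token is not an error here: the request continues
            // anonymously and the authorization filter rejects it if needed.
        }

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // Attach the challenge to every 401 so clients learn which scheme to use.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        }
        return response;
    }

    private static string Sha256Hex(string value)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(value));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
            {
                sb.Append(b.ToString("x2"));
            }
            return sb.ToString();
        }
    }
}
```

Because the handler sets a ClaimsPrincipal on the request context, the stock AuthorizeAttribute's IsAuthorized (which checks Identity.IsAuthenticated and any Users/Roles you set on the attribute) works without an override, and the attribute no longer needs a database context or try/catch of its own.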