In ASP.NET MVC 4 and below we just add the following in Global.asax:
GlobalFilters.Filters.Add(new AuthorizeAttribute() { Roles = "Admin, SuperUser" });
Any idea how to do this in ASP.NET Core MVC?
In .NET Core, we can add filters globally by adding them to the MvcOptions.Filters collection in the ConfigureServices method in the Startup class.
If Global.asax or its parent HttpApplication was part of ASP.NET and not Windows native drivers, then why can't the ASP.NET Core hosting module directly communicate with it without having Startup?
Authorization in ASP.NET Core is controlled with AuthorizeAttribute and its various parameters. In its most basic form, applying the [Authorize] attribute to a controller, action, or Razor Page, limits access to that component to authenticated users. Now only authenticated users can access the Logout function.
Filters in ASP.NET Core allow code to run before or after specific stages in the request processing pipeline. Built-in filters handle tasks such as: Authorization, preventing access to resources a user isn't authorized for. Response caching, short-circuiting the request pipeline to return a cached response.
From docs:
You can register a filter globally (for all controllers and actions) by adding it to the MvcOptions.Filters collection in the ConfigureServices method in the Startup class:
You cannot add AuthorizeAttribute into MvcOptions.Filters. Create an AuthorizationPolicy and use AuthorizeFilter:
var policy = new AuthorizationPolicyBuilder()
    .RequireAuthenticatedUser()
    .RequireRole("Admin", "SuperUser")
    .Build();
services.AddMvc(options =>
{
    options.Filters.Add(new AuthorizeFilter(policy));
});
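A global authorization filter also covers the login page, so the actions that must stay public have to opt out explicitly. The following is an added example, not part of the original answers; it assumes ASP.NET Core 3.1 MVC with cookie authentication, and the controller and action names are hypothetical.

```csharp
// Added example (not from the original answers). Assumes ASP.NET Core 3.1 MVC
// with cookie authentication; controller and action names are hypothetical.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie(o => o.LoginPath = "/Account/Login");

        // Same semantics as Roles = "Admin, SuperUser": either role is enough.
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .RequireRole("Admin", "SuperUser")
            .Build();

        // Every controller action now requires the policy unless it opts out.
        services.AddControllersWithViews(o => o.Filters.Add(new AuthorizeFilter(policy)));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}

public class AccountController : Controller
{
    // Without [AllowAnonymous] the global filter would challenge the login
    // page itself and send unauthenticated users into a redirect loop.
    [AllowAnonymous]
    public IActionResult Login() => View();
}

public class ReportsController : Controller
{
    // No attribute needed: the global filter already restricts this action.
    public IActionResult Index() => View();
}
```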
You can also use the below code. This is using a type rather than an instance.
services.AddMvc(options =>
{
    options.Filters.Add(typeof(AuthorizeFilter));
});
And using Dependency Injection you can resolve the policy object.
In case you are using the Razor Pages flavor of ASP.NET Core 2.0, you could add global filters as follows:
services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizeFolder("/"); // Require users to be authenticated.
        options.Conventions.AuthorizeFolder("/", "YourPolicyName"); // Require a policy to be fulfilled globally.
    });
Adding a new answer to expand on @maxspan's answer which I found immensely helpful.
I needed to enforce the presence of bearer token in my API. Here's what I ended up doing.
Startup.cs
AuthorizationPolicy policy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
    .RequireAuthenticatedUser()
    .Build();
services.AddSingleton(policy);
BearerTokenAuthorizationFilter which extends from AuthorizeFilter and retrieved the policy dependency.
public class BearerTokenAuthorizationFilter : AuthorizeFilter
{
    private readonly AuthorizationPolicy _policy;

    public BearerTokenAuthorizationFilter(AuthorizationPolicy policy) : base(policy)
    {
        _policy = policy;
    }

    public override async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        // Use the policy here...
        // Call the base implementation so the policy is still enforced;
        // an override that does nothing lets every request through.
        await base.OnAuthorizationAsync(context);
    }
}
services.AddControllers(options =>
{
    options.Filters.Add(typeof(BearerTokenAuthorizationFilter));
});