I have a custom AuthorizationFilter class to handle authorization to my API.
Now, I need to enhance it by adding some attributes to methods which will be read only in some situations.
I can get the controller from actionContext.ControllerContext, but:
How can I know which Controller method will be called from the IsAuthorized method of my custom AuthorizeAttribute class? So I can get its attributes with reflection.
Edit: Adding more info-
If I get a call like localhost/api/myapi/?id=4
I want to get the real name of the method that will be executed in the controller like GetById(int id).
That way I could check if the method has any custom attributes I need added to it.
To handle this scenario, we have the option to apply the attribute named OverrideAuthorization on the Contact method in the Home controller. Apply this on the method, as below. That's it.
Look in the route dictionary for the key "controller". Take the value for this key and append the string "Controller" to get the controller type name. Look for a Web API controller with this type name.
Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated. If not, it returns HTTP status code 401 (Unauthorized), without invoking the action. You can apply the filter globally, at the controller level, or at the level of individual actions.
The name of a controller class must end with "Controller" and it must be derived from the System.Web.Http.ApiController class.
Authorization should be done by an authorization filter or inside the controller action. Here is the flow in the Web API 2 pipeline: Before invoking an action, Web API creates a list of the authentication filters for that action. This includes filters with action scope, controller scope, and global scope.
Authorization filters run before the controller action. If the request is not authorized, the filter returns an error response, and the action is not invoked. Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated.
As mentioned above, the names of the action methods in the Web API controller play an important role. An action method name can be the same as an HTTP verb like Get, Post, Put, Patch or Delete, as shown in the Web API Controller example above.
Authentication proves the identity of the client. Authorization determines whether the client can access a particular resource. In Web API, authentication filters handle authentication, but not authorization. Authorization should be done by an authorization filter or inside the controller action. Here is the flow in the Web API 2 pipeline:
I used these to get all the descriptors and arguments within an ActionFilterAttribute:
    actionContext.ActionArguments["selectorString"]
    actionContext.ActionDescriptor.ControllerDescriptor.ControllerName
    actionContext.ActionDescriptor.ActionName
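The same ActionDescriptor is available inside IsAuthorized, so the selected action's attributes can be read there without manual reflection. The following is an added example, not code from the question or the answer; it assumes Web API 2, and ReadOnlyActionAttribute, ApiAuthorizeAttribute, MyApiController and the two role names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical marker attribute: the decorated action only reads data.
[AttributeUsage(AttributeTargets.Method)]
public sealed class ReadOnlyActionAttribute : Attribute { }

public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical role names, chosen for this example.
    private const string ReaderRole = "ApiReader";
    private const string WriterRole = "ApiWriter";

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Keep the built-in checks (authenticated user, Users/Roles settings).
        if (!base.IsAuthorized(actionContext)) return false;

        // Action selection has already run when authorization filters execute,
        // so the descriptor names the method that will be invoked,
        // e.g. "GetById" for a request to /api/myapi/?id=4.
        HttpActionDescriptor action = actionContext.ActionDescriptor;

        // Reads attributes declared on the selected action method. If the
        // MethodInfo itself is needed, cast to ReflectedHttpActionDescriptor.
        bool readOnly = action.GetCustomAttributes<ReadOnlyActionAttribute>().Any();

        IPrincipal user = actionContext.RequestContext.Principal;

        // Fail closed: an action without the marker is treated as a write,
        // so forgetting the attribute restricts access instead of widening it.
        return user.IsInRole(WriterRole) || (readOnly && user.IsInRole(ReaderRole));
    }
}

public class MyApiController : ApiController
{
    [ApiAuthorize, ReadOnlyAction]
    public IHttpActionResult GetById(int id) { return Ok(id); }

    [ApiAuthorize]
    public IHttpActionResult Post([FromBody] string value) { return Ok(); }
}
```

Logging action.ControllerDescriptor.ControllerName and action.ActionName on each denial gives an audit trail of which method a rejected caller tried to reach.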