How to use the Authorize attribute both at the controller and action level?

I have implemented my own custom Authorize attribute.

The attribute is applied both at the controller level and at the action level.

Here is an example of what I need to do:

[ClaimsAuthorize(Roles = "AdvancedUsers")]
public class SecurityController : Controller
{
    [ClaimsAuthorize(Roles = "Administrators")]
    public ActionResult AdministrativeTask()
    {
        return View();
    }

    public ActionResult SomeOtherAction()
    {
        return View();
    }
}

Currently if a user has the Administrator Role but not the AdvancedUsers role, he cannot execute "Administrative Task".

How can I change this behavior to perform a security check at the action level even if the user is not authorized at the controller level?

For the moment, the only solution I can think of is to implement 2 attributes: one for securing controllers, another for securing actions. Then I would play with the Order property to execute the one at the action level first.

However, I would prefer a solution with a single attribute if possible.

rlesias asked Oct 16 '13 12:10



2 Answers

Use built-in [OverrideAuthorization]:

[ClaimsAuthorize(Roles = "AdvancedUsers")]
public class SecurityController : Controller
{
    [OverrideAuthorization]
    [ClaimsAuthorize(Roles = "Administrators")]
    public ActionResult AdministrativeTask()
    {
        return View();
    }

    public ActionResult SomeOtherAction()
    {
        return View();
    }
}

The OverrideAuthorization attribute is available in MVC 5 (at least) and up. Once you decorate the action with it, also decorate it with the new role, and that will take effect over the controller-level role.

Csaba Toth answered Oct 19 '22 03:10
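As an added illustration, not code from the asker or the answerer, here is a hypothetical ClaimsAuthorize implementation on top of MVC 5's AuthorizeAttribute, together with the override shown in the answer. Keep in mind that [OverrideAuthorization] discards every authorization filter declared at controller and global scope for that action, so the action-level attribute must state the complete requirement; nothing from the controller attribute is inherited.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical ClaimsAuthorize: role membership is read from the
// ClaimTypes.Role claims of the current ClaimsPrincipal.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        // No Roles given: any authenticated user passes (same as AuthorizeAttribute).
        if (string.IsNullOrWhiteSpace(Roles))
            return true;
        var required = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0);
        var held = principal.FindAll(ClaimTypes.Role).Select(c => c.Value);
        // Any one of the listed roles is sufficient.
        return required.Intersect(held, StringComparer.OrdinalIgnoreCase).Any();
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A signed-in user who lacks the role gets 403 instead of the default 401,
        // which forms authentication would turn into a redirect to the login page.
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

[ClaimsAuthorize(Roles = "AdvancedUsers")]
public class SecurityController : Controller
{
    // OverrideAuthorization drops the controller-level (and global) authorization
    // filters for this action, so Administrators pass even without AdvancedUsers.
    // Without it, both attributes run and both roles would be required.
    [OverrideAuthorization]
    [ClaimsAuthorize(Roles = "Administrators")]
    public ActionResult AdministrativeTask() { return View(); }

    // No override here: still requires AdvancedUsers from the controller attribute.
    public ActionResult SomeOtherAction() { return View(); }
}
```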


This should not be possible. Imagine the logic which MVC uses with the authorization filters.

  1. When the controller is determined - check if there is an authorization filter that applies to that controller and execute it.
  2. When the action is known - do the same for the action.

In all cases a fail in authorization would short-circuit the pipeline.

Ventsyslav Raikov answered Oct 19 '22 03:10