Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to use the Authorize attribute both at the controller and action level?

Tags:

c#

security

asp.net-mvc

I have implemented my own custom Authorize attribute.

The attribute is applied both at the controller level and at the action level.

Here is an example of what I need to do:

[ClaimsAuthorize(Roles = "AdvancedUsers")]
public class SecurityController : Controller
{
    [ClaimsAuthorize(Roles = "Administrators")]
    public ActionResult AdministrativeTask()
    {
        return View();
    }

    public ActionResult SomeOtherAction()
    {
        return View();
    }
}

Currently if a user has the Administrator Role but not the AdvancedUsers role, he cannot execute "Administrative Task".

How can I change this behavior to perform a security check at the action level even if the user is not authorized at the controller level?

For the moment, the only solution I can think about is to implement 2 attributes: one for securing controllers, another for securing actions. Then I would play with the Order property to execute the one at the action level first.

However, I would prefer a solution with a single attribute if possible.

like image 263
rlesias Avatar asked Oct 16 '13 12:10

rlesias

People also ask

Where can the Authorize attribute can be applied?

You can place the Authorize attribute on a controller or on individual actions inside the controller. When we place the Authorize attribute on the controller itself, the authorize attribute applies to all of the actions inside.

How does the Authorize attribute work?

If a user is not authenticated, or doesn't have the required user name and role, then the Authorize attribute prevents access to the method and redirects the user to the login URL. When both Roles and Users are set, the effect is combined and only users with that name and in that role are authorized.

How do I use Authorize attribute in net core API?

Authorization in ASP.NET Core is controlled with AuthorizeAttribute and its various parameters. In its most basic form, applying the [Authorize] attribute to a controller, action, or Razor Page, limits access to that component to authenticated users. Now only authenticated users can access the Logout function.

Which method is used to implement Authorize attribute?

In ASP.NET Web API authorization is implemented by using the Authorization filters which will be executed before the controller action method executed. Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated.

2 Answers

Use built-in [OverrideAuthorization]:

[ClaimsAuthorize(Roles = "AdvancedUsers")]
public class SecurityController : Controller
{
    [OverrideAuthorization]
    [ClaimsAuthorize(Roles = "Administrators")]
    public ActionResult AdministrativeTask()
    {
        return View();
    }

    public ActionResult SomeOtherAction()
    {
        return View();
    }
}

OverrideAuthorization Attribute is available for MVC 5 (at least) and up. Once you decorate the Action with it, also decorate with the new Role and that will take effect over the Controller level Role.

like image 134
Csaba Toth Avatar answered Oct 19 '22 03:10

Csaba Toth

This should not be possible. Imagine the logic which MVC uses with the authorization filters.

  1. When the controller is determined - check if there is an authorization filter that applies to that controller and execute it.
  2. When the action is known - do the same for the action.

In all cases a fail in authorization would short-circuit the pipeline.

like image 25
Ventsyslav Raikov Avatar answered Oct 19 '22 03:10

Ventsyslav Raikov
Sign in to Comment

Related questions

Multiple Enumerators for a Single C# Class
Calculating heat map colours
Markup.IStyle.Connector.Connect error on binding in WPF
Always have error "The ObjectContent 1 type failed to serialize the response body..."
Generic access to DbContext
How do I get the first child of an XElement?
is it thread safe to assign a new value to a static object in c#
C# TcpClient.Connect via a proxy
Different DataAnnotation attributes for derived classes
How do I install a C# class library in Visual Studio?
Difference in LINQ query results in .NET 3.5 and 4.5 [duplicate]
Proper way to handle the ampersand character in JSON string send to REST web service
Is Task.WhenAll required in the sample code?
C# Enum.ToString() with complete name
Dynamically apply validation rules at runtime with ASP.NET MVC 4
C# Socket.receive continuously receives 0 bytes and does not block in the loop
Get the properties of the current network connection
Why is this parameter not CLS-compliant?
c# fixed length string
Is C# += thread safe?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!