I'm trying out some of the new stuff in VS2013 RC with MVC5 and the new OWIN authentication middleware.
So, I'm used to using the [Authorize] attribute to limit actions by role but I'm trying to use claims/activity based authorization, and I can't find an equivalent attribute for it.
Is there an obvious one I'm missing or do I need to roll my own? I kinda expected there to be one out of the box.
What I'm looking for specifically is something along the lines of [Authorize("ClaimType","ClaimValue")] I suppose.
Thanks in advance.
The Authorize attribute enables you to restrict access to resources based on roles. It is a declarative attribute that can be applied to a controller or an action method. If you specify this attribute without any arguments, it only checks if the user is authenticated.
Using the [Authorize] Attribute
Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated. If not, it returns HTTP status code 401 (Unauthorized), without invoking the action.
I ended up just writing a simple attribute to handle it. I couldn't find anything in the framework right out of the box without a bunch of extra config. Listed below.
    using System.Security.Claims;
    using System.Web.Mvc;

    public class ClaimsAuthorizeAttribute : AuthorizeAttribute
    {
        private string claimType;
        private string claimValue;

        public ClaimsAuthorizeAttribute(string type, string value)
        {
            this.claimType = type;
            this.claimValue = value;
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // The OWIN middleware populates HttpContext.User with a ClaimsPrincipal.
            var user = filterContext.HttpContext.User as ClaimsPrincipal;
            if (user != null && user.HasClaim(claimType, claimValue))
            {
                // Claim present: let the base class run its usual checks.
                base.OnAuthorization(filterContext);
            }
            else
            {
                // Claim missing (or no claims principal): reject the request.
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }
Of course, you could remove the type and value params if you were happy to use the controller-action-verb triplet for claims somehow.
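A variant of the attribute above, added here as an example (not the answerer's code; the class name, controller and sample claim are hypothetical). It overrides AuthorizeCore rather than OnAuthorization, so the base class still applies [AllowAnonymous] and its output-cache revalidation, and it answers 403 instead of 401 when a signed-in user lacks the claim, which keeps cookie authentication from redirecting that user back to the login page.

```csharp
using System;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical name; added example, not part of the original answer.
public class ClaimsAuthorizeCoreAttribute : AuthorizeAttribute
{
    private readonly string claimType;
    private readonly string claimValue;

    public ClaimsAuthorizeCoreAttribute(string type, string value)
    {
        if (string.IsNullOrEmpty(type)) throw new ArgumentNullException("type");
        if (string.IsNullOrEmpty(value)) throw new ArgumentNullException("value");
        claimType = type;
        claimValue = value;
    }

    // Called by base.OnAuthorization, and again by its cache validation
    // callback, so a cached response is not served without the claim check.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the built-in authenticated / Users / Roles checks first.
        if (!base.AuthorizeCore(httpContext)) return false;

        var user = httpContext.User as ClaimsPrincipal;
        return user != null && user.HasClaim(claimType, claimValue);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403); // known user, missing claim
        else
            base.HandleUnauthorizedRequest(filterContext);        // anonymous: 401 / login
    }
}

// Constructed usage: claim type and value are sample values.
public class InvoicesController : Controller
{
    [ClaimsAuthorizeCore("Permission", "Invoices.Read")]
    public ActionResult Index() { return View(); }
}
```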