Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Using custom authorization in MVC 4

I'm currently developing a Web API using the MVC 4 web API project type. I am currently at a stage where I need to add some security to the API. I am aware of the Authorize attribute, however, the client would prefer a different approach. For this I have tried to override the Authorize attribute in my own class and as a basic start I simply have the AuthorizeCore always returning false which should mean not authenticated. If i then add this to an Action within a controller, the action always completes and I always retrieve the data. I believe the reason may be due to the custom attribute not being registered in the web.config file, however, I am unsure how to go about this when not using forms authentication.

The code I am using to test is a fresh MVC 4 web API project with the custom attribute shown below.

public class Auth : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return false;
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("http://www.google.com");
    }
}

I have then added the attribute onto the Get method of the default ValuesController as such

[Auth]
public IEnumerable<string> Get()

However, when I navigate to domain/api/Values I am always presented with the data instead of the expected redirect to google. Any help is appreciated.

Edit: After looking around a little more I found this here: http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx This suggests that I chose the wrong wrong AuthorizeAttribute class as I had chosen the one from System.Web.MVC rather than the one from System.Web.Http. It appears that the Http version does not allow the same level of configuration as the MVC version as it doesn't allow me to override the AuthorizeCore. Any more help on this is appreciated.

like image 768
bruinbrown Avatar asked Oct 14 '12 12:10

bruinbrown


People also ask

How do I create a custom authorization filter in Web API?

To implement a custom authorization filter, we need to create a class that derives either AuthorizeAttribute , AuthorizationFilterAttribute , or IAuthorizationFilter . AuthorizeAttribute : An action is authorized based on the current user and the user's roles.

How do I override OnAuthorization in .NET core?

Right-click on the solution and add a new class. Enter the class name and click on Add. Next Inherite Attribute, IAuthorizationFilter to CustomAuthorization class which has overridden the OnAuthorization method. The OnAuthorization Method has the AuthorizationFilterContext parameter.


1 Answers

It appears that the problem was caused by using the wrong version of AuthorizeAttribute. After using the version found in System.Web.Http the code returns the correct error code should the user not have the required permissions. As an example here is the equivalent code to what I put in the original question

using System;
using System.Web.Http;
using System.Net.Http;

public class AuthAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        HandleUnauthorizedRequest(actionContext);
    }

    protected override void HandleUnauthorizedRequest(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        var response = actionContext.Request.CreateResponse(System.Net.HttpStatusCode.Redirect);
        response.Headers.Add("Location", "http://www.google.com");
        actionContext.Response = response;
    }
}
like image 82
bruinbrown Avatar answered Oct 19 '22 04:10

bruinbrown