0

I was wanting to use an attribute in some of my class methods that would make sure that the user is authorized before using the method that they called.

I was wanting to do something like

[Authorized()]
public void updateSomething()
{
    //TODO:
}

Here is my attribute class

using System;

class AuthorizedAttribute : Attribute
{
    public bool IsAuthorized { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
    public string UserEmail { get; set; }

    public AuthorizedAttribute()
    {
        //This is not the actual implementation
        this.IsAuthorized = false;
    }

    public AuthorizedAttribute(string userEmail, string userPassword)
    {
        this.UserEmail = userEmail;
        this.Password = userPassword;
        this.UserName = string.Empty;

        BusinessLogic bc = new BusinessLogic();
        if (bc.VerifyCredentials(userEmail, userPassword))
        {
            this.IsAuthorized = true;
        }
        else
        {
            this.IsAuthorized = false;
        }
    }
}

Could someone point me in the right direction? Some link would be great as well.

Thank you.

3 Answers 3

2

I think the fundamental mistake you have made here is to look at passing the credentials to the attribute. What the attribute should do is force an action to occur before the function you have called will take place.

So your attribute must be checked for by the request processing pipeline. i.e. when the function updateSomething() is called the calling assembly should be looking for the attribute which will then force an authorisation to occur using the current HttpContext and the User.Identity.

I have experience with the MVC AuthorizeAttribute, which can be extended by deriving from this attribute and adding authentication logic to it.

using System.Web.Mvc;

public class TestAuthAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
    {
        // Placeholder: return the result of your own authorization check here.
        return ResultOfBusinessLogic;
    }
}

This can then be used on any controller action.

I hope this points you in the right direction.


3 Comments

I am still confused on how to create a class to be used as an attribute. In your example I do not understand how the attribute tag will call your AuthorizeCore method. Also do I not need a constructor for it?
Because the attribute descends from AuthorizeAttribute the MVC framework base will call the AuthorizeCore function on this attribute to find out if the user is able to continue. I think you may need to see BrokenGlass's answer to point in the right direction for asp.net forms.
Thanks. I actually did not know that attribute came from MVC.
0

Have you looked at the built-in AuthorizeAttribute?

Comments

0

If you are using Forms authentication / roles this is already built in - check out the PrincipalPermission attribute.

Sample usage:

[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]

1 Comment

I am not. What I am creating is just a class library.
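
For the class-library case raised in the comment above, where no framework pipeline looks for the attribute, the lookup the first answer describes has to be done by your own code. The following is an added example, not code from any of the posts: `RequiresRoleAttribute`, `AccountService` and `SecureInvoker` are hypothetical names, and it assumes the host application has already authenticated the user and set `Thread.CurrentPrincipal`.

```csharp
using System;
using System.Reflection;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical marker attribute: it carries only the required role, never credentials.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequiresRoleAttribute : Attribute
{
    public string Role { get; }
    public RequiresRoleAttribute(string role) { Role = role; }
}

public class AccountService
{
    [RequiresRole("Admin")]
    public void UpdateSomething() { Console.WriteLine("updated"); }
}

// Hypothetical dispatcher: an attribute is passive metadata, so the caller
// must read it via reflection and enforce it before invoking the method.
public static class SecureInvoker
{
    public static void Invoke(object target, string methodName)
    {
        MethodInfo method = target.GetType().GetMethod(methodName)
            ?? throw new MissingMethodException(methodName);
        var rule = method.GetCustomAttribute<RequiresRoleAttribute>();
        IPrincipal user = Thread.CurrentPrincipal;
        // Fail closed: no principal, an anonymous identity or a missing role all deny.
        if (rule != null && (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(rule.Role)))
            throw new SecurityException("Access denied to " + methodName);
        method.Invoke(target, null);
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new AccountService();
        // Constructed sample identities standing in for an authenticated user.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" });
        SecureInvoker.Invoke(service, "UpdateSomething");   // allowed
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("bob"), new[] { "User" });
        try { SecureInvoker.Invoke(service, "UpdateSomething"); }
        catch (SecurityException ex) { Console.WriteLine(ex.Message); }
    }
}
```

A direct call to `service.UpdateSomething()` never reaches the check, so the enforcing dispatcher has to be the only path callers can use to reach the protected methods.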
