
How can I make IsAuthorized return my custom object while function returns false?

In my WebAPI project I have a class like;

using System.Net;
using System.Net.Http;
using System.Web.Http;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        // custom body that should replace the default 401 message
        StandardWebAPIResponse invalidUserResponse = new StandardWebAPIResponse()
        {
            code = (int) Constants.ErrorCodes.InvalidCredentials,
            data = "InvalidCredentials.",
            StatusCode = HttpStatusCode.Unauthorized
        };
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,
            invalidUserResponse);
        // if I set this to true I am getting 401 with my custom object
        // otherwise it gives me default error message
        // {"Message":"Authorization has been denied for this request."}
        return false;
    }
}

For some reason when I return false from IsAuthorized function, it does not return my custom invalidUserResponse object. But if I return true it returns it.

How can I resolve this issue?

Comments:

  • You should override the OnAuthorization method, which uses IsAuthorized and flushes the response, or force a flush in your method. Commented Jun 17, 2015 at 15:59
  • How can I flush the response? I could not find that function/option. Commented Jun 17, 2015 at 16:22
  • Yeah, I checked, they took .End() away from the Http namespace. You should override OnAuthorization then; it makes more sense to fill the response there. Commented Jun 17, 2015 at 16:32
  • Thanks a lot, it works now. You can post your comments as an answer, then I can mark it as the answer. It may help others too. Commented Jun 17, 2015 at 16:36

3 Answers


I know this question has been answered, but I feel like the accepted approach is slightly wrong. I don't think that a message for an unauthorized request should be handled by OnAuthorization; it should be handled by HandleUnauthorizedRequest. I'm not sure if it will cause any major problems putting it in OnAuthorization, but presumably the reason you were getting the message when returning true and not false is that the base class writes over your response in HandleUnauthorizedRequest.

It is a subtle thing, but OnAuthorization directs to HandleUnauthorizedRequest for a reason. It is mainly a separation of responsibilities thing, but if you ever want to do more than just send an error message, like logging a bad request, your OnAuthorization method will probably get crowded. You should use the methods given to you, for clarity's sake if nothing else.



Yes, I agree. You would need to implement a custom filter derived from AuthorizeAttribute and override HandleUnauthorizedRequest:

using System.Net;
using System.Net.Http;
using System.Net.Http.Formatting;
using System.Web.Http;
using System.Web.Http.Controllers;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Called by base.OnAuthorization after IsAuthorized returns false,
    // so a response assigned here is the one the client receives.
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        base.HandleUnauthorizedRequest(actionContext);
        actionContext.Response = new HttpResponseMessage
        {
            StatusCode = HttpStatusCode.Unauthorized,
            Content = new ObjectContent(typeof(ErrorMessage),
                new ErrorMessage()
                {
                    StatusCode = (int)HttpStatusCode.Unauthorized,
                    Message = Constants.UnauthorisedErrorMessage,
                    ErrorCode = Constants.UnauthorisedErrorCode
                }, new JsonMediaTypeFormatter())
        };
    }
}

1 Comment

Thanks, I will re-arrange my logic this way.
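An added example, not code from the question or any of the answers: a complete Web API 2 filter that keeps the decision in IsAuthorized and builds the custom body only in HandleUnauthorizedRequest, the hook base.OnAuthorization calls after IsAuthorized returns false. It goes slightly beyond the answer by returning 403 instead of 401 when a caller is authenticated but fails the role check. StandardWebAPIResponse and Constants are the types from the question; everything else is standard ASP.NET Web API 2.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Decide only. Anything assigned to actionContext.Response here is
        // thrown away when this returns false, because base.OnAuthorization
        // then calls HandleUnauthorizedRequest, which assigns a new response.
        return base.IsAuthorized(actionContext);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var principal = actionContext.ControllerContext.RequestContext.Principal;
        bool authenticated = principal != null
                             && principal.Identity != null
                             && principal.Identity.IsAuthenticated;

        // 401 when no valid identity was presented; 403 when the caller is
        // authenticated but fails the Roles/Users check, so clients do not
        // retry credentials that were already accepted.
        HttpStatusCode status = authenticated
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;

        // Same body type the question uses, so existing clients keep parsing it.
        var body = new StandardWebAPIResponse
        {
            code = (int)Constants.ErrorCodes.InvalidCredentials,
            data = authenticated ? "Forbidden." : "InvalidCredentials.",
            StatusCode = status
        };

        // CreateResponse runs the configured formatters (JSON by default), so
        // the client receives this object instead of the default
        // {"Message":"Authorization has been denied for this request."}
        actionContext.Response = actionContext.Request.CreateResponse(status, body);
    }
}
```

Nothing needs to be flushed: the filter pipeline short-circuits as soon as actionContext.Response is non-null when OnAuthorization returns.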

You should override the OnAuthorization method, which uses IsAuthorized and flushes the response, or force a flush in your method. It makes more sense to fill the response where the filter manipulates it.
