
I have created a custom authorize attribute on my Web API. My goal is to check if the user has permission to access the Web API URL directly, else redirect him to an unauthorized page. This process requires me to add [CustomAuthorize("modulename")] everywhere. Is there any other way I can do this? Probably by interceptors? Any guidance would be greatly appreciated.

Customised authorize attribute pseudo code snippet:

using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class CustomAuthorizeAttribute : AuthorizationFilterAttribute
{
    private readonly string _moduleName;

    // the module name is passed per usage: [CustomAuthorize("modulename")]
    public CustomAuthorizeAttribute(string moduleName)
    {
        _moduleName = moduleName;
    }

    public override void OnAuthorization(HttpActionContext context)
    {
        var username = HttpContext.Current.Request.LogonUserIdentity.Name;
        // GetPermissions is my own lookup of the modules this user may access
        IList<string> accessibleModulesForUser = GetPermissions(username);

        if (accessibleModulesForUser != null)
        {
            if (!accessibleModulesForUser.Contains(_moduleName))
            {
                // module not in the user's list: deny with 403
                context.Response = context.Request.CreateResponse(HttpStatusCode.Forbidden);
            }
            // otherwise the request is allowed through
        }
        else
        {
            // redirect to unauthorized page
        }
    }
}

1 Answer

There is no class definition in yours, nor the ASP.NET version, so I assume that you inherit the ActionFilterAttribute class. Just noticed that you're not. See the edited version. If so, then you can register your filter globally for all Web API actions and controllers in WebApiConfig.cs like this:

public static void Register(HttpConfiguration config)
{
    config.Filters.Add(new CustomAuthorize());
}

Edit

Totally misunderstood your situation. So here is more info. You can use your own global authorization filters:

using System.Web.Mvc;

public class CustomAuthorize : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // user not authenticated, redirect to login page
            filterContext.Result = new HttpUnauthorizedResult();

            return;
        }

        string roleName = GetModuleName(filterContext);
        var user = filterContext.HttpContext.User;

        // Check user permissions
        if (!user.IsInRole(roleName))
        {
            // Handle not authorized requests and redirect to error page
            filterContext.Result = new RedirectResult("~/Error/NotAuthorized");
            return;
        }

        base.OnAuthorization(filterContext);
    }

    // Derives the "module" from the controller being invoked, so no attribute argument is needed
    string GetModuleName(AuthorizationContext filterContext)
    {
        var controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerType.FullName;
        var actionName = filterContext.ActionDescriptor.ActionName;

        return controllerName; // or actionName
    }
}

Then you can register your filter globally for all actions and controllers in WebApiConfig.cs like this:

// MVC global filter registration takes a GlobalFilterCollection (FilterConfig.RegisterGlobalFilters)
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new CustomAuthorize());
}

or use only on specific controllers/actions.

Just be careful, this approach doesn't work for Web API, only MVC, as Web API has its own AuthorizeAttribute located in System.Web.Http (the MVC version is located in System.Web.Mvc). The implementation is slightly different, but you can just look for examples. So you will need to have two different attributes: one for MVC and one for Web API. See the original answer to know how to register a Web API filter globally, or use it only for specific controllers.
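The following is an added example, not code from the question or the answer: it is the Web API (System.Web.Http) counterpart of the answer's MVC filter, written so that both the asker's goal (module permission check with a redirect to an unauthorized page, no per-action attribute) and the answer's suggestion (derive the module from the controller and register once globally) are covered. It assumes ASP.NET Web API 2 (for RequestContext.Principal and attribute routing). The class names ModuleAuthorizationFilter and PermissionStore, the permission dictionary, the user names and the "/Account/Unauthorized" path are all constructed for the example; the asker's own GetPermissions lookup would replace PermissionStore.ModulesFor.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Web API authorization filter: registered once in WebApiConfig.Register it runs for
// every action, so nothing has to be decorated with [CustomAuthorize("modulename")].
public class ModuleAuthorizationFilter : AuthorizationFilterAttribute
{
    // Hypothetical permission source: user name -> modules the user may access.
    private readonly Func<string, ISet<string>> _permissionLookup;
    private readonly string _unauthorizedPage;

    public ModuleAuthorizationFilter(Func<string, ISet<string>> permissionLookup, string unauthorizedPage)
    {
        _permissionLookup = permissionLookup;
        _unauthorizedPage = unauthorizedPage;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Explicit opt-out for public endpoints, mirroring the built-in AuthorizeAttribute.
        if (actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
            actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any())
        {
            return;
        }

        var principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            // Not authenticated: send the browser to the unauthorized page (302 + Location).
            var redirect = actionContext.Request.CreateResponse(HttpStatusCode.Redirect);
            redirect.Headers.Location = new Uri(_unauthorizedPage, UriKind.RelativeOrAbsolute);
            actionContext.Response = redirect;
            return;
        }

        // The "module" is derived from the controller, e.g. OrdersController -> "Orders",
        // instead of being passed as an attribute argument.
        string moduleName = actionContext.ControllerContext.ControllerDescriptor.ControllerName;

        // Deny by default: a user with no permission entry gets an empty set.
        ISet<string> allowedModules = _permissionLookup(principal.Identity.Name) ?? new HashSet<string>();
        if (!allowedModules.Contains(moduleName))
        {
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden, "Access to module '" + moduleName + "' is not permitted.");
            return;
        }

        base.OnAuthorization(actionContext);
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional });

        // Global registration: applies to every Web API controller and action.
        config.Filters.Add(new ModuleAuthorizationFilter(PermissionStore.ModulesFor, "/Account/Unauthorized"));
    }
}

// Constructed, in-memory stand-in for the real permission store used by the asker.
public static class PermissionStore
{
    private static readonly Dictionary<string, ISet<string>> Permissions =
        new Dictionary<string, ISet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Orders", "Reports" } },
            { @"CORP\bob",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Reports" } },
        };

    public static ISet<string> ModulesFor(string userName)
    {
        ISet<string> modules;
        return Permissions.TryGetValue(userName, out modules) ? modules : null;
    }
}
```

With this registration, a request from CORP\bob to /api/Orders gets 403 and one to /api/Reports passes, without any attribute on the controllers. The 302 redirect only makes sense for API URLs that a browser navigates to directly, which is the asker's scenario; for XHR or non-browser clients a plain 401 is the usual response, since a redirect turns an authorization failure into a 200 from the error page and hides it from the caller. The lookup is deny-by-default: a user missing from the store gets no modules rather than a null that might be interpreted as "unrestricted".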
