Marked as answer by ricka6 on Aug 12, 2010 04:58 PM
sagngh9
create the authorize filter with parameter asp.net mvc
Aug 12, 2010 06:39 AM
Hi Everyone,
I have to develop an authorize filter in ASP.NET MVC. I have got five categories of users in my site, and my site uses a custom-created authentication system. Now I have a controller action which should be accessible to 3 out of those five types of users. How do I create a filter (basically authorize) and use it so that it fulfills my requirement? I think I need to create the authorize filter with a parameter. I should be able to use something like this in my controller action.

    // UsersType is the parameter the filter would need to accept.
    [Authorize(UsersType = "admin,accountant,operator")]
    public ActionResult Test()
    {
        return View();
    }

Technology used: ASP.NET MVC
Thanks in Advance
ignatandrei
Moderator
MVP
Re: create the authorize filter with parameter asp.net mvc
Aug 12, 2010 07:34 AM
Derive from AuthorizeAttribute and override OnAuthorization (possibly also HandleUnauthorizedRequest).
Look at http://robertschultz.org/2009/07/29/multiple-roles-with-authorize-attribute-using-enums-in-asp-net-mvc/
But I do not understand the difference between "Roles" from AuthorizeAttribute and your "UsersType".
levib
Microsoft
Re: create the authorize filter with parameter asp.net mvc
Aug 12, 2010 09:38 AM
If you're able to use [Authorize(Roles = "Role1, Role2, Role3")] (which will allow any of those three roles to go through), please use that instead of creating a new authorization attribute. The AuthorizeAttribute.OnAuthorization() method contains non-trivial logic that should normally not be overridden.
sagngh9
Re: create the authorize filter with parameter asp.net mvc
Aug 12, 2010 01:24 PM
Thanks levib for your prompt response.
Here are some of the issues I faced.
1) If I use authorize roles, then upon a request by an invalid user I will be redirected to the default login page of ASP.NET MVC. But since I have used my custom login, I should be redirected to my login page.
2) Also, the AuthorizeCore() method of AuthorizeAttribute returns a bool value, but upon a request by an unauthorized user I want to get redirected to some action telling the user "you are not authorized to view the page", which I think is not possible with this attribute. So the only option I saw is to use an ActionFilter attribute instead of the AuthorizeAttribute.
3) Since I have four kinds of users, I have created an ActionFilter for each kind of user and placed it on top of the controller action. How can I write a single action filter which makes the authorization decision for all the types of user? In fact, is it possible? I need to identify which controller and which action the user is making a request to, and grant the permission to view it appropriately. But I have no idea how to do that.
Best Regards,
Sagar.
levib
Microsoft
Re: create the authorize filter with parameter asp.net mvc
Aug 12, 2010 04:39 PM
1. The URL to redirect to is specified in Web.config. Changing it there will make all [Authorize] attributes honor it.
2. If you wanted to distinguish between not logged in and logged in but not authorized, you only need to override HandleUnauthorizedRequest. See sample:

    using System.Web.Mvc;

    public class CustomAuthorizeAttribute : AuthorizeAttribute {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) {
            if (filterContext.HttpContext.User.Identity.IsAuthenticated) {
                // User is logged in (authenticated) but not authorized, so
                // show the NotAuthorized view. This assumes a view ~/Views/Shared/NotAuthorized.aspx.
                filterContext.Result = new ViewResult() { ViewName = "NotAuthorized" };
                // If you wanted to *redirect* the user rather than display a view, use this instead:
                // filterContext.Result = new RedirectResult("~/url-to-redirect-to");
            }
            else {
                // Redirect to the standard login page. This is specified in Web.config and defaults
                // to ~/Account/LogOn.
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }

Note that you're not changing any of the authorization logic (which is in OnAuthorization and AuthorizeCore), as the default logic is ok. The only method you care about is handling what to do when authorization fails, which is HandleUnauthorizedRequest.
3. The [Authorize] attribute (and any subclassed type, if you follow the example from #2) can accept multiple roles per my earlier post. Example: [Authorize(Roles = "Role1, Role2, Role3")] will allow any user who is in one of those three roles to go through.