Overriding onAuthorization in ASP.NET MVC in the base controller

In my ASP.NET MVC application, I am trying to find out whether a user has access to a specific controller that is restricted by an authorization data annotation, as follows:

[Authorize(Roles = "user")] 

I am trying to override OnAuthorization to check:

  • If the request is authenticated (which works fine)
  • If the user has the right to access the requested view (which does not work)

My user roles are stored in a SessionManager object I created: SessionManager.ActiveUser.Roles

This is what I have, in the form of pseudo-code; if anyone can help me, I would really appreciate it.

 using System.Linq;
 using System.Web.Mvc;

 public class HomeBaseController : Controller
 {
     protected override void OnAuthorization(AuthorizationContext filterContext)
     {
         // Let the framework run the [Authorize] filters first.
         base.OnAuthorization(filterContext);

         var user = filterContext.HttpContext.User;
         if (!user.Identity.IsAuthenticated)
         {
             return; // not signed in: handled elsewhere
         }

         // Collect the roles declared on the requested action and its controller,
         // e.g. [Authorize(Roles = "user")] or [Authorize(Roles = "user,admin")].
         var actionDescriptor = filterContext.ActionDescriptor;
         var requiredRoles = actionDescriptor
             .GetCustomAttributes(typeof(AuthorizeAttribute), true)
             .Concat(actionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(AuthorizeAttribute), true))
             .Cast<AuthorizeAttribute>()
             .Where(a => !string.IsNullOrEmpty(a.Roles))
             .SelectMany(a => a.Roles.Split(','))
             .Select(r => r.Trim())
             .ToList();

         // Authenticated but not in any role the requested action requires.
         if (requiredRoles.Count > 0 && !requiredRoles.Any(user.IsInRole))
         {
             var url = new UrlHelper(filterContext.RequestContext);
             var logonUrl = url.Action("LogOn", "SSO", new { reason = "youAreAuthorisedButNotAllowedToViewThisPage" });
             filterContext.Result = new RedirectResult(logonUrl);
         }
     }
 }
1 answer

Regarding overriding OnAuthorization: according to the Pro ASP.NET MVC 3 book, overriding it is not recommended, since the default implementation of this method safely handles content cached by the OutputCache filter.

If you are looking for user authentication (using forms authentication) and authorization (using role provider logic), the following describes how I protected my application.

EDIT: The following logic uses the built-in forms authentication and role manager. Once the user is authenticated and authorized, the user identity can be checked for authentication (User.Identity.IsAuthenticated) and for roles (User.IsInRole("admin")).

In Web.Config:

 <authentication mode="Forms">
   <forms loginUrl="~/Account/LogOn"
          timeout="15"
          slidingExpiration="true"
          enableCrossAppRedirects="false"
          protection="All" />
 </authentication>

 <roleManager enabled="true"
              defaultProvider="MyRolesProvider"
              cacheRolesInCookie="true"
              cookieProtection="All">
   <providers>
     <clear />
     <add name="MyRolesProvider" type="MyApp.Library.CustomRolesProvider" />
   </providers>
 </roleManager>

To authorize by role, extend RoleProvider and override its methods as needed.

 using System.Web.Security;

 public class CustomRolesProvider : RoleProvider
 {
     // Return the role names for this user; they must match the names used in [Authorize(Roles = "...")].
     public override string[] GetRolesForUser(string username)
     {
         // Some logic to fetch roles after checking that the user is authenticated...
         return new string[] { "admin", "editor" };
     }

     // RoleProvider is abstract, so the remaining members (IsUserInRole, GetAllRoles,
     // RoleExists, ...) still have to be declared; I left them throwing
     // NotImplementedException because I did not need them.
 }

In your controller, you can now use this:

 [Authorize(Roles = "Admin")]
 public class AdminController : Controller
 {
     ....
 }

For authentication, I have implemented my own authentication, but I still use forms authentication:

 using System.Web.Mvc;
 using System.Web.Security;

 // This action is called by my custom authentication to validate the username/password.
 // Assumes LogOnViewModel exposes UserName and Password properties.
 [HttpPost]
 public ActionResult LogOn(LogOnViewModel model, string returnUrl)
 {
     if (ModelState.IsValid && Authenticate(model.UserName, model.Password))
     {
         // Only follow returnUrl if it stays on this site, to avoid an open redirect.
         if (Url.IsLocalUrl(returnUrl))
         {
             return Redirect(returnUrl);
         }
         return RedirectToAction("Index", "Home");
     }

     ModelState.AddModelError("", "The user name or password provided is incorrect.");
     return View(model);
 }

 // Authentication logic: set the forms cookie if the credentials are correct, else return false.
 public bool Authenticate(string username, string password)
 {
     //..... your credential-validation logic goes here and must set credentialsValid
     bool credentialsValid = false; // placeholder: replace with your own check
     if (!credentialsValid)
     {
         return false;
     }

     FormsAuthentication.SetAuthCookie(username, false);
     return true;
 }
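The questioner's actual goal (an authenticated user who lacks the required role should be redirected with a reason, rather than bounced to the login page) can be met without overriding OnAuthorization on a base controller at all, which also sidesteps the OutputCache concern the answer raises: subclass AuthorizeAttribute and override only HandleUnauthorizedRequest. AuthorizeCore still decides membership through User.IsInRole, so with the role manager configured as in the answer it ends up in CustomRolesProvider.GetRolesForUser. This is an added example, not code from the question or the answer; the "SSO" controller, "LogOn" action and "reason" parameter are taken from the question's pseudo-code and are assumptions, as is the ReportsController used to show usage.

```csharp
using System.Web.Mvc;

// Keeps the framework's authorization and output-cache handling (AuthorizeCore /
// OnCacheAuthorization are untouched) and only changes the failure path.
public class RoleRedirectAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not signed in: the default 401 lets forms authentication
            // redirect to loginUrl from Web.config.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Signed in, but not in any of the roles (or users) listed on the attribute.
        // Returning 401 here would make forms auth send a legitimately logged-in
        // user back to the login page, so answer 403 or redirect explicitly instead.
        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Assumed from the question: an SSO/LogOn action that explains the denial.
        var url = new UrlHelper(filterContext.RequestContext);
        var logonUrl = url.Action("LogOn", "SSO",
            new { reason = "youAreAuthorisedButNotAllowedToViewThisPage" });
        filterContext.Result = new RedirectResult(logonUrl);
    }
}

// Usage (assumed controller): replaces [Authorize(Roles = "user")].
[RoleRedirectAuthorize(Roles = "user")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return Content("Only members of the 'user' role can see this.");
    }
}
```

Two caveats when combining this with the answer's configuration. First, with cacheRolesInCookie="true" the role list lives in a protected cookie, so a role removed from the backing store is not noticed until that cookie expires; call Roles.DeleteCookie() on logout and keep the cookie lifetime short if revocation matters. Second, role-name comparison in RolePrincipal.IsInRole is case-insensitive, which is why the answer's "Admin" attribute matches the provider's "admin", but relying on that makes typos harder to spot; use one spelling throughout.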
