Override AuthorizeAttribute Controller in Just One Action

I have a controller decorated with the AuthorizeAttribute attribute. The controller contains several actions that all require authentication, apart from one action, which requires some user authentication provided by CustomAuthorizeAttribute.

My question is: once I have added [Authorize] at the controller level, can I override it (or remove it) with [CustomAuthorize] on just one action? Or do I need to remove [Authorize] from the controller level and add it separately to each of the other actions?

I ask for convenience only, because I am lazy and do not want to decorate every action with AuthorizeAttribute.

    [Authorize]
    public class MyController : Controller
    {
        // requires authentication
        public ViewResult Admin()
        {
            return View();
        }

        // ... a lot more actions requiring authentication

        // requires custom authentication
        [CustomAuthorize] // never invoked as already failed at controller level
        public ViewResult Home()
        {
            return View();
        }
    }
+50
asp.net-mvc
Jan 15 '10 at 11:57
4 answers

You can change the order in which the attributes are executed (using the Order property), but I believe that in this case they will still work if the results are not obtained with immediate effect. The key is to have the least restrictive attribute applied at the highest level (class) and get more restrictive at the method level. If you want the Home action to be publicly available, for example, you would need to remove the Authorize attribute from the class and apply it to each of the other methods.

If the action has the same level of permissiveness, but has a different result, a change in order may be sufficient. For example, you usually redirect to the Logon action, but for Home you want to redirect to the About action. In this case, give the class attribute Order=2 and the attribute on Home Order=1.

+21
Jan 15 '10 at 12:03

In MVC 5, you can override authorization for any action using the new OverrideAuthorization attribute. Essentially, you add it to an action whose authorization configuration is different from the configuration defined in the controller.

You do it like this:

    [OverrideAuthorization]
    [Authorize(Roles = "Employee")]
    public ActionResult List() { ... }

More information at http://www.c-sharpcorner.com/UploadFile/ff2f08/filter-overrides-in-Asp-Net-mvc-5/

ASP.NET Core 2.1 does not have an OverrideAuthorization attribute, and the only thing you can do is make the action anonymous, even if the controller is not. Additional information at https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-2.1.

One option is to do it like this:

    [Authorize(Roles = "Admin,Employee")] // admin or employee
    public class XController : Controller
    {
        [Authorize(Roles = "Admin")] // only admin
        public ActionResult ActionX() { ... }

        [AllowAnonymous] // anyone
        public ActionResult ActionY() { ... }
    }
+90
Sep 18 '15 at 21:15

After too much time, I found a solution. You need to decorate your controller with a custom AuthorizeAttribute.

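    using System.Web.Mvc;

    public class OverridableAuthorize : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // IgnoreAuthorization is a marker attribute whose definition is not shown here.
            // Skip the check when the action carries it.
            var action = filterContext.ActionDescriptor;
            if (action.IsDefined(typeof(IgnoreAuthorization), true)) return;

            // Skip the check when the controller carries it.
            var controller = action.ControllerDescriptor;
            if (controller.IsDefined(typeof(IgnoreAuthorization), true)) return;

            // Otherwise run the normal authorization check.
            base.OnAuthorization(filterContext);
        }
    }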

Which can be combined with AllowAnonymous on an action.

 [AllowAnonymous] 
+12
Mar 04 '13 at 23:15

All you need to do to override [Authorize] from the controller for a specific action is to add

 [AllowAnonymous] 

to the action you want to not authorize (then add your custom attribute as needed).

See comments / intellisense:

Represents an attribute that marks controllers and actions to skip System.Web.Mvc.AuthorizeAttribute during authorization.

0
Apr 05 '19 at 6:27
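
The interaction between [AllowAnonymous] and AuthorizeAttribute-derived filters that the answers above rely on, as an added example that is not part of any answer: System.Web.Mvc.AuthorizeAttribute.OnAuthorization returns without checking anything when the action or its controller carries [AllowAnonymous], so a custom attribute that inherits that method is skipped too. The audit below lists such actions; the stand-in CustomAuthorizeAttribute, the AllowAnonymousAudit class and its Run method are hypothetical names, and a reference to System.Web.Mvc (MVC 5) is assumed.

```csharp
// Added example, not code from the thread. Assumes a reference to System.Web.Mvc (MVC 5).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Constructed stand-in: the question's attribute is not shown; assumed to derive from AuthorizeAttribute.
public class CustomAuthorizeAttribute : AuthorizeAttribute { }

[Authorize]
public class MyController : Controller
{
    public ViewResult Admin() { return View(); }
    [AllowAnonymous]   // skips the class-level [Authorize] ...
    [CustomAuthorize]  // ... and this filter, which inherits the same skip check
    public ViewResult Home() { return View(); }
}

public static class AllowAnonymousAudit
{
    // One finding per action opened up by [AllowAnonymous]; only methods declared on the controller are inspected.
    public static IEnumerable<string> Run(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);
        foreach (var c in controllers)
        {
            bool classAnon = c.IsDefined(typeof(AllowAnonymousAttribute), true);
            var actions = c.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));
            foreach (var m in actions)
            {
                if (!classAnon && !m.IsDefined(typeof(AllowAnonymousAttribute), true)) continue;
                // AuthorizeAttribute-derived filters that return early if they use the inherited OnAuthorization.
                var skipped = m.GetCustomAttributes(typeof(AuthorizeAttribute), true)
                    .Concat(c.GetCustomAttributes(typeof(AuthorizeAttribute), true))
                    .Select(a => a.GetType().Name).Distinct();
                yield return c.Name + "." + m.Name + " is anonymous; skipped filters: "
                    + string.Join(", ", skipped);
            }
        }
    }

    public static void Main()
    {
        foreach (var finding in Run(typeof(MyController).Assembly)) Console.WriteLine(finding);
    }
}
```

A filter that implements IAuthorizationFilter directly, or overrides OnAuthorization without calling the base method, is not subject to this skip and still runs on an [AllowAnonymous] action.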