CODEWITHSUNDEEP
jsonasp.net-web-api
wickjon
wickjon

Reputation: 920

ASP.NET Web API always returns 401 unauthorized error

I am using Custom authorization on asp.net web api.I have followed the following link http://www.codeproject.com/Tips/376810/ASP-NET-WEB-API-Custom-Authorize-and-Exception-Han I use the attribute name in my controller like this

[mycustomattribute]

public class userController : apicontroller {

}

but it always shows 401 unauthorized exception inspite of authentication status being authorized. I have followed exactly wat it is in the link for creating custom authorize attribute.

my custom authorize class

 public class tokenAuthorize : AuthorizeAttribute
{
    DBEntity _objScrumDBEntities = new DBEntity ();
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        base.OnAuthorization(actionContext);
        if (actionContext.Request.Headers.GetValues("authenticationToken") != null)
        {
            // get value from header
            string authenticationTokenValue = Convert.ToString(actionContext.Request.Headers.GetValues("authenticationToken").FirstOrDefault());
            ObjectParameter m_tokenParam = new ObjectParameter("status", typeof(string));
            _objScrumDBEntities.validateToken(authenticationTokenValue, m_tokenParam);
           string status = Convert.IsDBNull(m_tokenParam.Value) ? null : (string)m_tokenParam.Value;
            if (status == "false")
            {
                HttpContext.Current.Response.AddHeader("authenticationToken", authenticationTokenValue);
                HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthorized");
                // actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
                 return;
            }

            else
            {
                HttpContext.Current.Response.AddHeader("authenticationToken", authenticationTokenValue);
                HttpContext.Current.Response.AddHeader("AuthenticationStatus", "Authorized");                
                return;

            }
            //return;
        }
        //actionContext.Response =  actionContext.Request.CreateResponse(HttpStatusCode.ExpectationFailed);
        //else
        // actionContext.Response.ReasonPhrase = "Please provide valid inputs";
    }
}

and my controller 

[tokenAuthorize] 
public class myController : ApiController
{

    public IEnumerable<organization> Get()
    {
        return _objOrgRepository.GetAll();
    }

Upvotes: 0

Views: 2369

Answers (1)

Travis G
Travis G

Reputation: 1602

It seems that System.Web.Security.Roles.GetRolesForUser(Username) does not get automatically hooked up when you have a custom AuthorizeAttribute and a custom RoleProvider.

So, in your custom AuthorizeAttribute you need to retrieve the list of roles from your data source and then compare them against the roles passed in as parameters to the AuthorizeAttribute.Try the below code 

public class myController : ApiController

{

     [RequestKeyAuthorizeAttribute(Roles="Admin,Bob,Administrator,Clue")]
     public HttpResponseMessage Get()
     {
         return Request.CreateResponse(HttpStatusCode.OK, "RequestKeyAuthorizeTestController");
  }

Upvotes: 0

Related Questions