Reputation: 455
Hey guys,
I have made my own custom AuthorizeAttribute. It only fires once (directly after the first ActionResult that has this attribute). But when I try to go to that same action it works (which can lead to a security breach).
Controller:
    [AuthenticationController.IsLoggedInAsHero]
    public ActionResult Hero()
    {
        return View();
    }
AuthenticationController:
    public class IsLoggedInAsHero : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!isAuthenticatedAsHero())
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary(new { controller = "Account", action = "Login" })
                );
            }
        }
    }
isAuthenticatedAsHero():
    public static bool isAuthenticatedAsHero()
    {
        // udc is the question's data-access object; it looks the user up from the auth cookie
        User user = udc.GetUserByCookie();
        if (user.Hero == 1 && System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
        {
            return true;
        }
        return false;
    }
Help is appreciated!
Upvotes: 0
Views: 619
Reputation: 1067
In most of my systems I have a segregated area for users, usually dubbed the "Dashboard". Here is my authorization example for that:
    public class DashBoardAuthorizeAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// Handles the unauthorized request.
        /// </summary>
        /// <param name="context">The context.</param>
        protected override void HandleUnauthorizedRequest(AuthorizationContext context)
        {
            var newName = "UserContext" + HttpContext.Current.User.Identity.Name;
            var cache = MemoryCache.Default;
            var userContext = cache.Get(newName) as IUserModel;
            if (userContext != null && !userContext.DashBoardAccess)
            {
                var urlHelper = new UrlHelper(context.RequestContext);
                var address = urlHelper.Action("Index", "Home");
                context.Result = new RedirectResult(address ?? "login");
            }
            else
            {
                base.HandleUnauthorizedRequest(context);
            }
        }
    }
And on my controller, or at the individual action:
    [DashBoardAuthorizeAttribute]
    public async Task<ActionResult> GetUsers()
    {
        return View();
    }
This will execute before any action is executed, every single time. You should re-evaluate your naming convention in future projects. If I were another developer hired to help you on this project, I would have no idea what "IsLoggedInAsHero" is or is supposed to do unless I opened the code and looked at it. The naming convention should convey, at a basic level, what it is and is supposed to do, for ease of development. With "DashBoardAuthorizeAttribute" another developer can assume that it's an Authorization Attribute pertaining to a "Dashboard".
Upvotes: 0
Reputation: 207
It is better to let the base class handle the unauthorized requests, which then returns a 401 status code if the user is unauthorized. Then the ASP.NET framework checks if your website has forms authentication enabled and in turn automatically redirects to the login page.
Therefore your IsLoggedInAsHero class should look like this:
    public class IsLoggedInAsHero : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!isAuthenticatedAsHero())
            {
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }
And you need to enable forms authentication in your web.config file:
    <authentication mode="Forms">
        <forms loginUrl="~/Account/Login" />
    </authentication>
Upvotes: 1
Reputation: 1493
I am not sure if this is your solution, but as far as I can tell, you should override this method:
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return isAuthenticatedAsHero();
    }
and
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Account", action = "Login" })
        );
    }
Upvotes: 1
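The following is an added example that is not code from the question or from any of the answers above; it combines the two points the answers make (put the decision in AuthorizeCore, let the base class produce the 401 for anonymous users) into one complete attribute. The mechanism behind the symptom in the question: AuthorizeAttribute.OnAuthorization calls AuthorizeCore first and only calls HandleUnauthorizedRequest when AuthorizeCore returns false. The base AuthorizeCore returns true for any authenticated user, so once the user has logged in the hero check in the original HandleUnauthorizedRequest override is never reached and every authenticated user gets through. The example assumes the question's User type (with an integer Hero flag) and a hypothetical IUserStore service registered with MVC's DependencyResolver in place of the question's udc object.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the question or any answer. Assumes the
// question's User type (with an integer Hero flag) and a hypothetical
// IUserStore service registered with MVC's DependencyResolver.
public interface IUserStore
{
    // Returns the User for the current request's auth cookie, or null.
    User GetUserByCookie(HttpContextBase httpContext);
}

public class HeroAuthorizeAttribute : AuthorizeAttribute
{
    // AuthorizeCore runs on every request to a decorated action (the base
    // OnAuthorization also registers a cache-validation callback so that an
    // output-cached page re-runs it). The "must be a hero" rule belongs here:
    // HandleUnauthorizedRequest is only invoked when this returns false, which
    // is why a check placed only in HandleUnauthorizedRequest stops running as
    // soon as the user is authenticated at all.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: IsAuthenticated plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        // Fail closed: no store or no user means no access.
        var store = DependencyResolver.Current.GetService<IUserStore>();
        User user = store == null ? null : store.GetUserByCookie(httpContext);
        return user != null && user.Hero == 1;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Not logged in: let the base class return 401 so forms
            // authentication redirects to loginUrl from web.config.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Logged in but not a hero. Redirecting to the login page here would
        // loop (the user is already authenticated), so deny with 403 instead.
        filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }
}

// Usage, as in the question but with the renamed attribute:
// [HeroAuthorize]
// public ActionResult Hero() { return View(); }
```

Two things to check after dropping this in: an authenticated non-hero must receive a 403 rather than bouncing between the action and the login page, and a page decorated with both [HeroAuthorize] and [OutputCache] must still deny a non-hero on a cache hit (the base OnAuthorization's cache-validation callback handles that only as long as OnAuthorization itself is not overridden).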