Reputation: 117
How to disable access - request to standard MVC Controller with Bearer token
I have simple Cookie and Bearer Token authorization in my MVC project with WebApi. I want to disable access by Bearer on my standard MVC controllers.
This is my situation now:
- Standard MVC controllers access: Bearer or Cookie
- Web Api controllers access: only Bearer
I want to have:
- Standard MVC controllers access: only Cookie
- Web Api controllers access: only Bearer
WebApiConfig.cs
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{action}/{id}",
defaults: new { id = RouteParameter.Optional }
);
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter("Bearer"));
}
}
Startup.Auth.cs
public partial class Startup
{
public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
}
Is it possible to have custom authorization attribute? Like this: [Authorize("OnlyCookie"]
I saw similar solution, but it was for SinglePageAplication, and I dont know how to implement it in my .NET MVC 4 application - I saw it here: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme
When I tried add 'AuthenticationScheme = "Cookie"', compilator gives me error: CookieAuthenticationOptions' does not contain a definition for 'AuthenticationScheme
Upvotes: 1
Views: 1088
Answers (1)
Reputation: 23220
You don't that property because you're not using ASP.Net Core. The link you post on your question is ASP.Net Core not ASP.NEt MVC.
You can do the same by creating a custom authorization filter attribute. Let name it CustomAuthorizeAttribute and the implementation will be:
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
public string AuthenticationType { get; private set; }
public CustomAuthorize(string authenticationType)
{
if (string.IsNullOrWhiteSpace(authenticationType))
{
throw new ArgumentNullException(nameof(authenticationType));
}
this.AuthenticationType = authenticationType;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (!httpContext.User.Identity.AuthenticationType.Equals(this.AuthenticationType, StringComparison.InvariantCultureIgnoreCase))
{
return false;
}
return base.AuthorizeCore(httpContext);
}
}
So you can use it like this on your controller:
[CustomAuthorize(DefaultAuthenticationTypes.ApplicationCookie)]
Upvotes: 2
Related Questions
- How to protect all controllers by default with bearer token in ASP.NET Core?
- Disable request verification token in ASP.NET Core
- Override/Disable Authorization in ASP.NET MVC 3
- How to make JWT token authorization optional in controller methods
- Disable Bearer Token validation for a controller method
- How do I exclude a specific controller action from needing authentication?
- How to skip forms authentication to some controller actions in asp.net MVC
- How to make Bearer token invalid
- How to exclude a controller from being authenticated
- MVC Skip Controller Authentication Use Action