Custom Authorization attribute asp.net core

user911 Published at Dev

user911

I am trying to figure out what is the best way to create custom authorization attribute for my asp.net core application. I have seen this post and I am aware of the 2 approaches discussed here. How do you create a custom AuthorizeAttribute in ASP.NET Core?

1) Using IAuthorizationFilter

2) Using Policies

I saw that the official document suggests that we should be using policies and not IAuthorizationFilter but I felt that using policies for my scenario is an overkill. I personally liked IAuthorizationFilter approach more.

I have a very basic requirement. I want to create an authorize attribute for my web api and need to throw 403 if the current user is not whitelisted to use this API. I really don't care about the scopes(canRead, canWrite, can readWrite etc). If I go ahead with policy approach, I may be using the same policy for all my APIs. What is the best way to achieve this?

nlawalker

Using policies for something like this isn't overkill. You need a requirement:

public class WhitelistRequirement: IAuthorizationRequirement
{
}

A handler:

public class WhitelistHandler : AuthorizationHandler<WhitelistRequirement>
{

    // Implement a constructor to inject dependencies, such as your whitelist

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   WhitelistRequirement requirement)
    {
        if (isInWhitelist) // Your implementation here
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

services.AddAuthorization(options =>
            options.AddPolicy("WhitelistPolicy",
            b => b.AddRequirements(new WhitelistRequirement())));

services.AddSingleton<IAuthorizationHandler, WhitelistHandler>();

Then use your policy:

[Authorize(Policy = "WhitelistPolicy")]

You can apply the policy globally with a global filter:

services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
                     .AddRequirements(new WhitelistRequirement())
                     .Build();
    config.Filters.Add(new AuthorizeFilter(policy));
})

The resulting behavior for unauthenticated or forbidden users depends on the implementation of the "challenge" and "forbid" behaviors in your app's authentication handler.

See here.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2021-05-19

Comments

0 comments

TOP Ranking

Article

Custom Authorization attribute asp.net core

Custom Authorization attribute asp.net core

Loopback Error: connect ECONNREFUSED 127.0.0.1:3306 (MAMP)

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

pump.io port in URL

How to import an asset in swift using Bundle.main.path() in a react-native native module

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

Emulator wrong screen resolution in Android Studio 1.3

3D Touch Peek Swipe Like Mail

Double spacing in rmarkdown pdf

Svchost high CPU from Microsoft.BingWeather app errors

How to how increase/decrease compared to adjacent cell

Using Response.Redirect with Friendly URLS in ASP.NET

java.lang.NullPointerException: Cannot read the array length because "<local3>" is null

BigQuery - concatenate ignoring NULL

How to fix "pickle_module.load(f, **pickle_load_args) _pickle.UnpicklingError: invalid load key, '<'" using YOLOv3?

ngClass error (Can't bind ngClass since it isn't a known property of div) in Angular 11.0.3

Can a 32-bit antivirus program protect you from 64-bit threats

Make a B+ Tree concurrent thread safe

Bootstrap 5 Static Modal Still Closes when I Click Outside

Vector input in shiny R and then use it

Assembly definition can't resolve namespaces from external packages