Custom Authorize Attribute not working

Question

Custom Authorize Attribute not working

Jai Holloway 60

I have tried the following two methods of custom authorization, but neither attribute is firing when the endpoint is called in a .NET CORE Web API.

using System.Web.Http;
using System.Web.Http.Controllers;

namespace GlobalTouringV2.Helpers
{
	public class AuthoriseWorksheet : AuthorizeAttribute
	{
		
		public override void OnAuthorization(HttpActionContext actionContext)
		{


			//string authHeader = httpContext.Request.Headers["Authorise"];
			var authHeader = actionContext.Request.Headers.First(x => x.Key == "Authorization");


			string token = authHeader.Value.First();

			try 			
			{ 				
				if (token != "SOMEVALUE") 				
				{ 					
					actionContext.Response = 
					new HttpResponseMessage(HttpStatusCode.Unauthorized); 				
				} 			
			} 			
			catch (Exception) 			
			{ 				
				actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized); 			
			}  			
			return;  		
		} 	
	} 
}

using System.Net;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace GlobalTouringV2.Helpers
{
	public class TokenFilter : AuthorizationFilterAttribute, IAuthorizationFilter
	{
		public override void OnAuthorization(HttpActionContext actionContext)
		{
			var authHeader = actionContext.Request.Headers.First(x => x.Key == "Authorization");


			string token = authHeader.Value.First();

			try 			
			{ 				
				if (token != "SOMEVALUE") 				
				{
 					actionContext.Response = 
						new HttpResponseMessage(HttpStatusCode.Unauthorized); 				
				} 			
			} 			
			catch (Exception) 			
			{ 				
				actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized); 								 
			}  			
			return; 		
		} 	
	} 
}

I do not understand why the attributes do not fire. I have sent a request without an Authorization header and the endpoint still works, the attribute breakpoint never gets hit. I don't know what I am doing wrong. Any help would be appreciated

Dimitri Bstls 0 Reputation points

2024-08-07T12:59:31.71+00:00

Hi,
Could you provide how you use your custom attributes ?
Also, the best practice now is to use policies mostly, instead of custom authorize attributes.
So you remain in the classic authorization pipeline.
Jai Holloway 60 Reputation points

2024-08-07T13:12:47.71+00:00
I need to get the Authorization Header out of the context and using a policy doesn't give me access to the action context. I tried following the example on GitHub, but it did not give me what I needed.

I am decorating my controller action with the attribute, that is how I am using it.

[HttpPost] [Route("/api/WorkSheet/SubmitGross")] [AuthoriseWorksheet] public IActionResult SubmitGross([FromBody]WorkSheetGross ws) {

Accepted answer

0 additional answers

Your answer

Dimitri Bstls 0 Reputation points

2024-08-07T12:59:31.71+00:00

Hi,
Could you provide how you use your custom attributes ?
Also, the best practice now is to use policies mostly, instead of custom authorize attributes.
So you remain in the classic authorization pipeline.
Jai Holloway 60 Reputation points

2024-08-07T13:12:47.71+00:00

I need to get the Authorization Header out of the context and using a policy doesn't give me access to the action context. I tried following the example on GitHub, but it did not give me what I needed.

I am decorating my controller action with the attribute, that is how I am using it.

[HttpPost] [Route("/api/WorkSheet/SubmitGross")] [AuthoriseWorksheet] public IActionResult SubmitGross([FromBody]WorkSheetGross ws) {

Answer 1

Hi Jai Holloway

That is because you use the wrong namespace and wrong implements. You may mix ASP.NET Core and ASP.NET. In ASP.NET Core, You need custom Microsoft.AspNetCore.Authorization.AuthorizeAttribute instead of System.Web.Http.AuthorizeAttribute.

Reference: Custom Authorization attributes

From your code design, I suggest you implement a custom authorize attribute using IAuthorizationFilter in ASP.NET Core:

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
namespace 
{
    public class AuthoriseWorksheet : Attribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationFilterContext context)
        {
            if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var authHeaderValues))
            {
                string token = authHeaderValues.FirstOrDefault();
                if (!string.IsNullOrEmpty(token))
                {
                    try
                    {
                        if (token != "SOMEVALUE")
                        {
                            context.Result = new UnauthorizedResult();
                        }
                    }
                    catch (Exception)
                    {
                        context.Result = new UnauthorizedResult();
                    }
                }
                else
                {
                    context.Result = new UnauthorizedResult();
                }
            }
            else
            {
                context.Result = new UnauthorizedResult();
            }
        }
    }
}

Then you can use it like what you did:

[HttpPost] 
[Route("/api/WorkSheet/SubmitGross")] 
[AuthoriseWorksheet] 
public IActionResult SubmitGross([FromBody]WorkSheetGross ws) 
{}

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Rena

Jai Holloway 60 Reputation points

2024-08-08T06:48:15.66+00:00

But I am not using MVC, will this work in a web api?
Anonymous

2024-08-08T08:10:47.5333333+00:00

Hi Jai Holloway, of course it can work in web api project.

Share via

Custom Authorize Attribute not working

0 additional answers

Your answer