tags:

views:

180

answers:

1
Q: 

Need some help/advice with a custom ASP.NET MVC IAuthorizationFilter class.

Hi folks,

i'm trying to make my own IAuthorizationFilter attribute class. Basically, each api call has a query string parameter called 'key'. I was going to then decorate any actions that require this, with the simple authorisation attribute.

I was hoping my OnAuthorization(..) method will then just extract the value of the query parameter, if it was provided. If it was, and it's legit, then the user is Authorised. otherwise, they are not.

I'm not sure how to do this in the OnAuthorization(..) method.

Or should I be using an IActionFilter instead?

EDIT: I've added in some code to show what I'm doing...

public void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
    {
        throw new ArgumentNullException("filterContext");
    }

    ApiKey apiKey = null;
    string queryStringKey = filterContext.HttpContext.Request.QueryString["key"];
    if (!string.IsNullOrEmpty(queryStringKey))
    {
        apiKey = GetApiKey(queryStringKey); // Custom code that checks a dictionary.
    }

    // Do we have a key?
    if (apiKey == null)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }

    // TODO: Is this key allowed for this domain?

    // All is good, so don't do anything else.
}
A: 

You should be able to inspect the HttpContext.Request.QueryString property of the AuthorizationContext parameter passed to the OnAuthorization method.

To deny access based on the value of the Key querstring value, you can set the Result property of the AuthorizationContext parameter to a non-null value. This can, if you want, be set to an instance of the HttpUnauthorizedResult class.

David Andres  2009-09-12 04:55:20
what do I need to do to say it's not authorised? filterContext.Result = new HttpUnauthorizedResult();otherwise, keep everything as default?
Pure.Krome  2009-09-12 05:07:59
@Pure.Krome: see my edit to this post.
David Andres  2009-09-12 05:27:28
So if the value of the Result property is non-null, then they are denied. Where is this checked/handled?
Pure.Krome  2009-09-12 05:41:39
For a given action that has Authorize filter(s) or has a parent Controller with an OnAuthorization override, the Authorize checks are made first. The MVC engine will then proceed to execute the action if and only if none of the Authorize steps have indicated failure (by checking the AuthoriztionContext.Result field you are setting in your code).
David Andres  2009-09-12 05:59:35

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data