tags:

views:

340

answers:

2
+1  Q: 

How does the Authorize tag work? - Asp.net Mvc

Hi

I am wondering how does the Authorize Tag determine if the user is authorized or not?

Like say if a user logs in and they try to go to a view that has an Authorize tag. How does it determine if a user is authorized or not? Does it do a query to database and check?

How about if they go to a view with a role authorization? Does it query the membership role table?

I am just wondering since I have what the asp.net membership tables considers duplicate userNames. I use a serious of fields to determine which user is what, allowing users to have the same duplicate userName but still be unique in my database.

This caused me to have to write custom methods for lots of .net membership stuff since it all used "userName" to do searching instead of using the UserId.

So I am now wondering if this could be the case with the Authorize tag. Since I have no clue how it works and like if I was not using .net membership I would not have a clue how it would determine it.

Thanks

A: 

ControllerActionInvoker parses the attribute and calls OnAuthorization() on it when it's time to check the credentials.

The AuthorizationAttribute.OnAuthorization() method basically checks to see if User.Identity.IsAuthenticated is true or not. This just draws on the functionality of FormsAuthentication or whatever other authentication scheme you may be using.

womp  2009-08-29 05:58:30
+1  A: 

The Authorize tag uses all the built in membership checks from ASP.NET. It's VERY easy to role your own tag. For example:

public class MyAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Make sure the user is authenticated.
        if (httpContext.User.Identity.IsAuthenticated == false) return false;

        // Do you own custom stuff here
        bool allow = CheckIfAllowedToAccessStuff();

        return allow;
    }
}

You then can use the [MyAuthorize] tag which will use your custom checks.

Kelsey  2009-08-29 06:01:34
How does the build in membership check work? Does it use userName or UerId?
chobo2  2009-08-29 06:03:37
I am not 100% sure but I think mainly checks httpContext.User.Identity.IsAuthenticated and return it's value but I know it also has the ability to check roles as well.
Kelsey  2009-08-29 06:08:19
hmm I don't know it seems to not work I still can see the page. It just puts return url in my url and thats about it.
chobo2  2009-09-28 05:33:40

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data